A HIPAA DVD may consist of HIPAA training materials for staff. A HIPAA DVD can also take the form of a “Do It Yourself” Kit. For example, one HIPAA DVD company sells a HIPAA DVD that contains a “step-by-step” HIPAA workbook, a “Forms” CD, templates for commonly used security policies and procedures, a “Full Risk Analysis,” and, quaintly, a three-ring binder “to build your HIPAA manual as you go.” The DIY HIPAA DVD bundle offers a CD and video recording of required Privacy Rule and Security Rule training.  

The Problem with HIPAA DVD

The first DVD players and discs became commercially available in the US in 1997, a year after passage of HIPAA. Discs held 4.7 GB of storage. Today, a DVD still holds the same amount of storage space.

Developments in technology and in the HIPAA regulations have rendered the use of HIPAA DVDs impractical, obsolete, and dangerous.

For one thing, the sheer volume of documents, images, and other data that a covered entity must store can easily exceed 4.7 GB. In addition, covered entities frequently must access, transmit, or create protected health information (PHI) in “real time.” A software-based HIPAA compliance system allows for this; a DVD-based system does not. Further, HIPAA laws and regulations change frequently. Each time a change is made, a DVD-bound organization seeking to update its staff on the updated law must modify the DVD or create a new one. In other words, DVDs are lacking in both space and speed.

Use of HIPAA DVDs presents other issues as well – issues associated with the confidentiality, availability, and integrity of PHI. Under the HIPAA Privacy Rule, for example, individuals are entitled to receive copies of their medical records, pursuant to that rule’s right of access provision. Providers who copy protected health information onto CDs or DVDs and then mail the disc to patients, rather than allowing patients to view their data by logging in to a portal, are putting that data at risk.

When PHI is copied onto disc, the disc with the copied information may be unreadable. In addition, the “wrong PHI” may be copied – that is, PHI of another patient may be copied. The PHI that is copied may also be inaccurate.

Burning information onto DVDs also consumes time and incurs expense, as multiple discs must be purchased and information must then be burned onto them. The discs must also be protected and secured in an appropriate place where they will not degrade. Mailing a DVD to the wrong address, or having a DVD lost or stolen while in transit, also presents problems.

The requirements of the HIPAA Security Rule also impose enormous burdens on DVD-bound providers. For example, the HIPAA Security Rule obligates covered entities to perform a security risk analysis. One step in the analysis process is gathering relevant data on ePHI. Covered entities must identify where ePHI is stored, received, maintained, or transmitted. The security risk analysis also requires covered entities to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that they create, receive, maintain, or transmit. This includes ePHI in all forms of electronic media, including DVDs.

Satisfying these two risk analysis requirements alone consumes a significant amount of an organization’s time and manpower; discs must be reviewed to identify potential risks or vulnerabilities to the ePHI contained in them.

The HIPAA Security Rule also requires HIPAA covered entities and business associates to implement policies and procedures regarding the disposal and re-use of hardware and electronic media containing PHI in electronic form (ePHI). This means organizations must implement policies and procedures for the final disposition of DVDs containing PHI. The National Institute of Standards and Technology (NIST) recommends that DVD media be destroyed using the following methods, in order of preference:

1. Incinerate optical disc media (reduce to ash) using a licensed facility.

2. Use optical disc media shredders or disintegrator devices to reduce the discs to particles with a nominal edge dimension of 0.5 mm and a surface area of 0.25 mm² or smaller.

The first of these methods is costly and time-consuming, while the second is cumbersome and particularly time-consuming for organizations that use hundreds or thousands of DVDs.

Finally, under the HIPAA Security Rule, covered entities must encrypt ePHI when it is reasonable and appropriate to do so. DVDs are not pre-encrypted. While Windows 10 allows for encryption, encryption must be performed for each disc individually, through multiple Windows prompts. Discs may be decrypted as well. Again, each disc must be decrypted individually. Healthcare organizations that permit individuals to work remotely, using DVDs, face additional risks of having the DVD stolen from laptops. In addition, hackers may “break” the encryption on a DVD left in an unattended laptop, rendering the data unusable.
