Whenever your practice scraps, trades in, donates, or sells electronic equipment, make sure the storage media is wiped clean of all data.
Using the device’s delete functions does not wipe the memory clean; it simply opens the space for new data. Anyone with novice computer abilities can retrieve the data quickly.
Note that almost all technology has storage media, including personal computers, laptops, tablets, and smartphones. In addition, items like fax machines, backup devices, and leased or owned copiers/printers have storage mechanisms that may hold patients’ protected health information (PHI) or private information about your practice.
“Sanitizing” storage devices before replacing or disposing of this equipment is not only good sense; it also protects you under the HIPAA breach notification rule, which requires physicians to notify patients (and the government and, in some cases, the media) following a breach of the patients’ unsecured protected health information.
The U.S. Health and Human Services secretary’s guidance on how to secure PHI includes rendering PHI on electronic media “unusable, unreadable, or indecipherable to unauthorized individuals,” i.e., the media must “have been cleared, purged, or destroyed consistent with NIST [National Institute of Standards and Technology] Special Publication 800-88, Guidelines for Media Sanitization such that the PHI cannot be retrieved.” If a practice follows this guidance, then the PHI is “secured” and any breach would not be reportable.
Absent sophisticated technological abilities, a practice’s safest bet is to remove the storage capabilities and destroy the hard drives or memory cards, says TMA’s Managing Your Medical Records. NIST suggests a variety of methods for physical destruction such as disintegration, incineration, pulverizing, shredding, and melting. TMA recommends you contact a local document shredding/security company to accomplish this. “Do-it-yourself” destruction attempts — even smashing a hard drive with a hammer — can leave data intact. Memory cards and flash drives can be crushed and trashed. CDs and DVDs can be shredded or snapped into pieces.
Published Dec. 12, 2012