Does a Miley Cyrus video with over 750 million views offer any insights into what HIPAA says about data disposal? Well, consider this: The massive wrecking ball Ms. Cyrus sits on in the video swings between cinder-block walls. And before the hit song is over, they’re reduced to rubble, destroyed beyond recognition.
If it’s not too much of a stretch, let’s think of that image from the “Wrecking Ball” video as a metaphor for the Security Rule’s guidelines for the disposal of computers, laptops and other media that house Protected Health Information (PHI).
The best way to prevent unauthorized access to PHI on media you no longer use is to make sure it — the information and/or the media — gets destroyed beyond recognition.
Today let’s look at some of the best ways to do that. (But first, be sure to back up and transfer information you want to keep.)
When it comes to data disposal, the “Delete” command doesn’t do it.
When an office’s old workhorse of a computer is about to be put out to pasture, so to speak, it’s not enough to just “Delete” the files containing PHI. The “Delete” key doesn’t eradicate a file; it merely removes the references that say where the file’s data is stored. The information’s still there, and it doesn’t take a whole lot of technical know-how to retrieve it.
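To make that concrete, here is an added illustration (not code from the original post): a toy disk model in Python in which an ordinary delete drops only the directory entry, while a secure delete overwrites the file’s bytes first. The `ToyDisk` class and the patient record are constructed for this example; a scan of the raw bytes stands in for what a recovery tool does.

```python
import os

# Constructed teaching model of a storage device: a directory table mapping
# file names to byte ranges in a raw byte array. It is not a real filesystem;
# it only shows why "Delete" leaves PHI on the media.
DISK_SIZE = 256


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(DISK_SIZE)   # the platters / flash cells
        self.directory = {}               # name -> (offset, length)
        self.next_free = 0

    def write(self, name: str, data: bytes) -> None:
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free += len(data)

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the directory entry, leave the bytes in place."""
        del self.directory[name]

    def secure_delete(self, name: str) -> None:
        """Overwrite the file's bytes with random data, then drop the entry."""
        off, length = self.directory[name]
        self.raw[off:off + length] = os.urandom(length)
        del self.directory[name]

    def still_on_media(self, needle: bytes) -> bool:
        """Scan the raw bytes directly, ignoring the directory entirely."""
        return needle in self.raw


def demo() -> dict:
    # Constructed sample PHI; any string would do.
    record = b"Patient: J. Doe, DOB 1970-01-01, Dx: hypertension"
    plain = ToyDisk()
    plain.write("chart.txt", record)
    plain.delete("chart.txt")            # the "Delete" key
    wiped = ToyDisk()
    wiped.write("chart.txt", record)
    wiped.secure_delete("chart.txt")     # secure file deletion
    return {"after_delete": plain.still_on_media(record),
            "after_secure_delete": wiped.still_on_media(record)}
```

On flash-based media (SSDs, thumb drives, phones) the controller may remap blocks, so overwriting in place is not a guarantee; that is one reason the physical-destruction services described below exist.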
The in-house software option
You can take a do-it-yourself approach and use software — widely available — that will fully delete data. Check out this link to reviews of and information about a few inexpensive options for secure file deletion software.
Or let a vendor — a “Business Associate” — handle the job
With the increase in regulatory compliance, there’s a growing industry of businesses offering services that include physical destruction (pulverizing, shredding, melting, disintegrating, incinerating) of computers, tablets, hard drives, thumb drives, and even cell phones, plus various methods of secure file deletion. These companies can come to your office and handle data eradication there, and/or take your media away and handle data disposal in an eco-friendly manner that also meets HIPAA compliance standards.
And since their work potentially puts them in contact with patients’ PHI, don’t forget to get from them a signed Business Associate Agreement indicating that they — like you — comply with HIPAA.
It’s the law
According to the Office for Civil Rights, the HIPAA Security Rule “requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.”
When electronic media in your office is no longer of use to your practice, take the steps needed to protect the PHI it holds. Don’t let a data breach take a wrecking ball to your practice.