The Department of Health and Human Services’ Office for Civil Rights (OCR) used last month’s Cybersecurity Newsletter to remind HIPAA covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates of the HIPAA Rules for disposing of electronic devices and media.
HIPAA has strict rules regarding the disposal of any electronic equipment that once stored electronic protected health information (ePHI). While many covered entities (CEs) are aware of the technical and physical safeguards that must be in place on these devices while they are in use, few know of HIPAA’s requirements for the safe disposal of such devices. These rules apply to all electronic equipment being scrapped, decommissioned, returned to a leasing company, or resold. Ignorance of HIPAA’s rules is not deemed an acceptable excuse if they are violated. Improper disposal of PHI is a serious security risk and may put people at risk of identity theft. As such, violations of this nature are punished accordingly.
Any electronic device that has once held PHI is covered by HIPAA’s Rules. This includes desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes.
Certain devices pose a particular risk because they are not obviously thought of as being capable of storing PHI. Office equipment such as fax machines, photocopiers, and printers may store the documents sent to them on internal hard drives. Anyone with the appropriate skills can recover PHI from these devices, as the stored data is unlikely to be encrypted. Extra care must be taken to ensure that these devices are properly wiped of all of their data before being disposed of.
The Department of Health and Human Services’ Office for Civil Rights took considerable care to highlight the potential financial penalties, both in terms of fines for violating HIPAA and administrative costs to the organisation, that would be incurred if an electronic device containing sensitive information were improperly disposed of. Once a breach is discovered, patients must be notified within a reasonable timeframe, in accordance with HIPAA’s Breach Notification Rule. If there is a danger of the information being stolen and used for nefarious purposes, organisations may offer to pay for credit monitoring and identity theft protection services for the affected clients. They may also find it necessary to hire third-party breach response consultants, forensic investigators, and public relations consultants.
If a breach were particularly severe, or happened due to extreme negligence, OCR and/or state attorneys general may conduct investigations. If the findings are unfavourable for the organisation, substantial financial penalties may be applied. Breach victims may also file lawsuits over the exposure of their financial information.
There are several notable examples in recent years of hefty financial costs being incurred by organisations for failure to properly dispose of devices containing sensitive information. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute/IBM Security found that the average cost of a breach of up to 100,000 records was $3.86 million. Healthcare data breaches cost an average of $408 per exposed record to mitigate, while the cost of data breaches of one million or more records was estimated to be between $40 million and $350 million.
Organisations can take steps to mitigate the risk of a data breach occurring. Firstly, organisations should maintain a full inventory of all equipment that stores ePHI, and assign an employee to ensure that this database is kept updated.
It is recommended that a full risk analysis be conducted to determine the most appropriate ways to protect data stored on electronic devices when the organisation seeks to dispose of them. Several options should be considered, and the organisation should choose the one best suited to its mode of operation. Records showing that several options were considered and one was implemented will count in the organisation’s favour if a breach were to occur and OCR were to investigate.
The requirements for a HIPAA-compliant data disposal plan are detailed in 45 C.F.R. §164.310(d)(2)(i)-(ii). HIPAA Rules state that paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. OCR notes that “Redaction is specifically excluded as a means of data destruction.”
Electronic devices should be “cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization,” to ensure that ePHI cannot be retrieved. If reusable media are in use, it is important to ensure that all data on the devices are securely erased prior to the devices being reused. All asset tags and corporate identifying marks should be removed from the device before it is disposed of.
HIPAA allows organisations to hire third-party contractors to manage the disposal of electronic devices. However, such contractors are considered business associates, and a business associate agreement must be in place for the arrangement to be HIPAA-compliant. All individuals required to handle the devices must be aware of their responsibilities with respect to ePHI and its safe handling.
Organizations should also consider the chain of custody of electronic equipment prior to destruction. Physical security controls should be put in place to ensure the devices cannot be stolen or accessed by unauthorized individuals and security controls should cover the transport of those devices until all data has been destroyed and is no longer considered ePHI.
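The sanitization and chain-of-custody steps above, as an added example that is not part of the original newsletter or OCR guidance: it picks Clear, Purge, or Destroy using a summary of the NIST SP 800-88 Rev. 1 decision flow (the category/reuse/leaves-organisation logic is my reading of that flow, not quoted from this page), overwrites a constructed file-backed media image with a single zero pass, verifies by full read-back, and builds a disposal record that flags when a business associate agreement is needed. Function names, the asset tag, custody entries, and the ePHI marker strings are all assumed for illustration; on real drives the overwrite must be replaced by device-level commands appropriate to the media type.

```python
import os
import tempfile

def select_sanitization(category, reuse, leaves_org):
    """Map (security category, reuse?, leaves organisation?) to an 800-88 method.
    Assumed summary of 800-88 Rev. 1 Figure 4-1, not text from the newsletter."""
    if category not in ("low", "moderate", "high"):
        raise ValueError("unknown security categorization")
    if not reuse:                       # media not reused -> physical destruction
        return "destroy"
    if category == "high":              # high impact: purge in-house, destroy if it leaves
        return "destroy" if leaves_org else "purge"
    return "purge" if leaves_org else "clear"

def clear_media(path, chunk=1 << 16):
    """Single-pass zero overwrite of a file-backed image (a Clear on magnetic media).
    Real disks need device-level sanitize commands; this only demonstrates the flow."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, chunk):
            f.write(b"\x00" * min(chunk, size - off))
        f.flush()
        os.fsync(f.fileno())
    return size

def verify_cleared(path, markers=(b"PATIENT", b"MRN")):
    """Full read-back verification: every byte zero and no known ePHI marker present."""
    with open(path, "rb") as f:
        data = f.read()
    return not any(data) and not any(m in data for m in markers)

def disposal_record(asset_tag, category, reuse, leaves_org, custody):
    """Build the documentation entry; any third-party handler requires a BAA."""
    return {
        "asset": asset_tag,
        "method": select_sanitization(category, reuse, leaves_org),
        "custody": list(custody),
        "baa_required": any(e["party"] == "third_party" for e in custody),
    }

def demo():
    """Constructed 4 KiB image holding fake ePHI; returns True once verified clear."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as f:
        f.write(b"PATIENT: Jane Doe MRN 0001 dx ...".ljust(4096, b"\xff"))
    dirty = verify_cleared(path)        # expected False before sanitization
    clear_media(path)
    clean = verify_cleared(path)
    os.remove(path)
    return (not dirty) and clean
```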