Disposing of PHI: Why, What and How

August 27, 2020

When it’s time to upgrade to that new wallet or purse you’ve been wanting, you probably take out all your sensitive information – credit cards, license, etc. – before tossing out the old one (we hope so at least). It should be no different when it comes to disposing of old devices or hard drives that contained sensitive ePHI, yet practices continue to miss the mark.

It may be obvious that paper records require proper disposal – in most cases, shredding or pulping so that the information cannot be read by the wrong parties. Despite this being common knowledge, incidents continue to arise – such as the recent batch of medical records found unattended at an Odessa recycling center in Texas. Because the records weren’t shredded, their sensitive data was easily accessible to anyone who picked them up. Improper disposal is even more common with electronic protected health information (ePHI), where the data is harder to see and harder to erase.

What data needs to be properly disposed of? 

Anything that stores, or may once have stored, PHI – including some items you may not think of as storage – should be properly disposed of so that no trace of patient information survives. This includes:

  • Paper records
  • USB drives
  • Office mobile or smartphones, as well as tablets
  • Printers with storage
  • Desktop or laptop computers
  • Medical imaging devices that create, store, or transmit PHI 
  • Servers or external hard drives

Many devices hold patient information that nobody set out to store there – in emails or text messages, documents opened in the device’s web browser, pictures or screenshots, medical images, voicemails, or application caches written during use. Network-connected (IoT) devices such as imaging equipment, printers, and phone systems often have their own internal storage as well, so “it was only a peripheral” is not a reason to skip it.   


What is considered proper digital data disposal? 

Unfortunately, clicking ‘delete’ does not remove digital data. On most file systems, deleting a file only removes its directory entry; the blocks that held the content stay on the disk until something else happens to overwrite them, and file-recovery or forensic carving tools can read them back. Overwriting a single file is also not a reliable fix, because copies of the data often survive elsewhere on the same drive: in file-system journals, slack space, swap, snapshots, and on SSDs in spare blocks that wear leveling has retired from the user-visible address range. Sanitization therefore has to cover the whole device, not individual files. The following are a few ways you can ensure your devices are disposed of properly:

  • Data destruction: Otherwise referred to as disk shredding, these services physically destroy old hard drives and typically come with a certificate of destruction listing the drive serial numbers. Keep that certificate with your disposal records: having a record of your method of disposal provides proof you used proper methods if investigated by the HHS Office for Civil Rights (OCR). 
  • Disk wiping: Disk wiping software overwrites every addressable location on the drive, making the data unreadable, which is especially important if you choose to repurpose the computer. Wiping must not allow information to be retrieved by data, disk, or file recovery utilities, and the result should be verified by reading the drive back, as NIST SP 800-88 (the sanitization guideline HHS points to in its disposal guidance) calls for. Overwriting is appropriate for magnetic hard drives; for SSDs and other flash media, software overwrites cannot reach spare and retired blocks, so use the drive’s built-in sanitize or secure-erase command (ATA Secure Erase, NVMe Format/Sanitize) or cryptographic erase, and verify afterwards. (If using a third-party vendor for any service including data destruction, remember to have a proper Business Associate Agreement in place!) 
  • Physical device destruction: Exactly what it sounds like – physically destroying the entire device by shredding, incinerating, melting, or pulverizing is an effective way to permanently destroy data, as long as the storage media inside is made completely unreadable and unrestorable, not just the case around it. 
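The overwrite-and-verify step of disk wiping, as an added worked example (this is not code from the original post or from any vendor’s wiping product). It builds a constructed, toy “disk image” with a fake patient record, shows that a delete leaves the record readable, then overwrites the whole image and proves the wipe by reading it back. The image layout, record, and function names are assumptions for illustration; the overwrite routine itself is the ordinary NIST SP 800-88 “Clear” procedure for magnetic media and image files, and it is deliberately not offered for SSDs.

```python
"""Whole-device overwrite with read-back verification (added example).

Implements NIST SP 800-88 "Clear" for magnetic drives and raw image files:
overwrite every addressable byte, then verify by reading the device back.
Not for SSDs/NVMe: wear levelling keeps copies in blocks this cannot reach;
use the drive's own sanitize/crypto-erase command there.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write unit

# Constructed sample record for the demo; not real patient data.
SAMPLE_RECORD = b"MRN 0000000 | DOE, JANE | DOB 1970-01-01 | Dx: hypertension\n"
RECORD_OFFSET = 4096  # assumed location of the record's data block


def build_sample_image(path, size=64 * 1024):
    """Write a toy image: a 'directory entry' at offset 0 that points at a
    record stored at RECORD_OFFSET. Stands in for a real filesystem."""
    image = bytearray(size)
    entry = b"DIR record.txt @%d\n" % RECORD_OFFSET
    image[: len(entry)] = entry
    image[RECORD_OFFSET : RECORD_OFFSET + len(SAMPLE_RECORD)] = SAMPLE_RECORD
    with open(path, "wb") as f:
        f.write(image)
    return size


def simulate_delete(path):
    """What 'delete' does on most filesystems: drop the directory entry
    (metadata area, here offsets 0..RECORD_OFFSET-1) and leave the data."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(bytes(RECORD_OFFSET))


def find_marker(path, marker):
    """Scan a device/image for plaintext `marker` (a name, MRN, etc.),
    handling matches that straddle chunk boundaries. Returns the byte
    offset of the first hit, or -1 if absent."""
    overlap = len(marker) - 1
    tail = b""
    off = 0  # bytes consumed from the file before this chunk
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return -1
            data = tail + buf
            i = data.find(marker)
            if i != -1:
                return off - len(tail) + i
            tail = data[-overlap:] if overlap else b""
            off += len(buf)


def overwrite_device(path, passes=1):
    """Overwrite every byte `passes` times with random data, then once with
    zeros so the result is verifiable. Each pass is fsync'd to media before
    the next. Works on regular files and, with privileges, Linux block
    devices such as /dev/sdX. Returns total bytes written."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        written = 0
        for p in range(passes + 1):
            final = p == passes
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(bytes(n) if final else os.urandom(n))
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        return written


def verify_zeroed(path):
    """Read the whole device back; return the offset of the first non-zero
    byte, or -1 if every byte is zero (the wipe can be attested)."""
    off = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return -1
            if buf.count(0) != len(buf):
                return off + next(i for i, b in enumerate(buf) if b)
            off += len(buf)


def sanitize_and_verify(path, passes=1):
    """Wipe, then prove it: True only if read-back shows all zeros."""
    overwrite_device(path, passes)
    return verify_zeroed(path) == -1


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_sample_image(img)
        simulate_delete(img)
        print("after delete, record still at offset", find_marker(img, b"DOE, JANE"))
        print("sanitized and verified:", sanitize_and_verify(img, passes=1))
        print("after wipe, record at offset", find_marker(img, b"DOE, JANE"))
```

The important design point is the final read-back: a certificate or log entry that says “wiped” is only worth something if the drive was actually read back afterwards and found clean, so `sanitize_and_verify` refuses to report success on the overwrite alone. On a real drive, run `find_marker` with a few known identifiers (a patient name or MRN from a test record) before the wipe to confirm the scan works, then after it to confirm nothing remains.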

Now before you grab those hammers and start smashing up your Windows 7 PC, check your retention obligations. HIPAA requires covered entities to retain the documentation the rules call for (policies, procedures, risk assessments, and records such as disposal logs) for at least 6 years, and state law sets how long the medical records themselves must be kept, which is often longer. Data that is still within its retention period should be backed up, and the backup verified as readable, before the device is wiped clean, and the backup should then be encrypted while it is stored. 

Regardless of whether the data is on paper or disk, or the destruction method you choose, it’s imperative to properly dispose of PHI – and make sure nothing retrievable ends up in the wrong hands.