OCR Settles Case Concerning Improper Disposal of Protected Health Information

August 24, 2022

When it’s time to clean out and organize that ole garage, you probably want to take time to make sure all your sensitive and sentimental items – files, photographs, etc. – are in the right spot before taking them to the dump. It should be no different when it comes to disposing of old devices or hard drives at the office that contain sensitive ePHI, yet practices continue to fail.

In recent news, the OCR announced a settlement with a dermatology practice located in Massachusetts that failed to properly dispose of protected health information. As a result, the dermatology practice agreed to pay a hefty $300,640 to the OCR and implement a Corrective Action Plan to resolve the investigation.

It may be obvious that paper records require proper disposal – in most cases, shredding or recycling – so that the information cannot be read by the wrong parties. Despite this being common practice, the Massachusetts dermatology practice still exposed PHI. Improper disposal is even more common with electronic protected health information (ePHI).

It is critical that your practice understands how and where to dispose of PHI. But what exactly constitutes proper digital data disposal?

Disposing of your PHI is not as simple as clicking the delete or trash button. If you do not completely erase these files from your devices, they can be recovered using readily available recovery software. The following are some thorough methods for properly disposing of PHI:

  • Data Destruction: These services physically destroy old hard drives and typically come with a certificate of destruction. Having a record of your method of disposal helps provide proof that you used the proper methods if investigated by the OCR.
  • Disk Wiping: Disk wiping software overwrites all the data on the computer’s hard disk, making your sensitive data unreadable, which is especially important if you choose to re-purpose the computer. Wiping must not allow information to be retrieved by data, disk, or file recovery utilities.
  • Physical Device Destruction: Physically destroying an entire device by burning, melting, or even pulverizing can be an effective way to permanently destroy data, as long as the device is made completely unreadable and unrestorable.
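The disk wiping and disposal record points above, as an added example that is not part of the original post: a shell script that zero-fills a drive image (standing in for a retired drive), reads every byte back to confirm nothing is recoverable, and appends a dated disposal record. The image path, record file location and the fake records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: overwrite a retired drive
# (or a disk image standing in for one) with zeros, read every byte back to
# confirm no data survives, and append a dated disposal record. Paths and
# the record format are assumptions for illustration.
set -eu

RECORD_FILE="${RECORD_FILE:-${TMPDIR:-/tmp}/phi_disposal_log.tsv}"

# make_sample_image FILE: build a constructed image full of fake records so
# the wipe has something recognisable to destroy (no real PHI involved).
make_sample_image() {
    i=0
    while [ "$i" -lt 1024 ]; do
        printf 'MRN-%05d Jane Doe (sample) 01/01/1970 Dx: dermatitis\n' "$i"
        i=$((i + 1))
    done > "$1"
}

# wipe_and_verify TARGET: single zero pass, then verification read-back.
# Exit status 0 means every byte read back as zero; 1 means data survived.
# A zero pass is a "clear" for magnetic disks only: SSDs remap blocks, so
# use the drive's firmware secure-erase or physical destruction (NIST SP
# 800-88 "purge"/"destroy") and keep the certificate the post mentions.
wipe_and_verify() {
    target="$1"
    if [ -b "$target" ]; then
        size=$(blockdev --getsize64 "$target")            # Linux block device
    else
        size=$(wc -c < "$target" | tr -d ' ')             # regular file / image
    fi
    # conv=notrunc keeps a file image at its original length.
    head -c "$size" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null
    sync
    # Strip NUL bytes; anything left is data a recovery tool could still read.
    remaining=$(tr -d '\000' < "$target" | wc -c | tr -d ' ')
    if [ "$remaining" -eq 0 ]; then status=verified; rc=0
    else status="FAILED:${remaining}-bytes-remain"; rc=1; fi
    printf '%s\t%s\t%s\tzero-overwrite-1pass\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$size" "$status" >> "$RECORD_FILE"
    return "$rc"
}

# Demonstration on a constructed image (never point this at a mounted disk).
demo_image="${TMPDIR:-/tmp}/retired_drive_sample.img"
make_sample_image "$demo_image"
wipe_and_verify "$demo_image" && echo "wipe verified; record appended to $RECORD_FILE"
```

Each record line gives the date, target, size in bytes, method and verification result, which is the kind of disposal evidence the post says OCR will ask for.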

Many devices can store PHI without you ever realizing it. These include:

  • Paper records
  • USB drives
  • Office mobile or smartphones, as well as tablets
  • Printers with storage
  • Desktop or laptop computers
  • Medical imaging devices that create or transmit PHI
  • Servers or external hard drives

Before you burn those electronic devices in a campfire, remember that HIPAA requires practices to keep PHI for at least 6 years, and maybe longer depending on your state. Devices containing data that is older than six years should be backed up before being wiped clean, and the retained data should be encrypted while it is kept.

At the end of the day, whether it is boxes of important documents in your garage at home or PHI at your very own practice, it is critical to dispose of it properly and safely.