In our series on the HIPAA Administrative Simplification Security Rule, Device and Media Controls is the fourth and last Physical Safeguard Standard. Disposal is the first of four implementation specifications, and it is required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
What to Do
A covered entity must implement policies and procedures to address the final disposition of electronic protected health information and the hardware or electronic media on which it is stored.
How to Do It
A covered entity must ensure proper disposal of electronic protected health information and the hardware or electronic media on which it is stored. Failure to do so exposes the covered entity to civil liability should a security incident be reported. Enforcement provisions and fines were increased under ARRA.
A covered entity should consult its hardware and software vendors about appropriate and effective ways to achieve disposal and to verify that disposal of electronic protected health information has been attained. For additional information, use the term “data disposal” in a standard online search engine.
For disposal, consider the following, written by Carolyn Hartley et al. in Handbook of HIPAA Security Implementation (Chicago, IL: AMA Press, 2004, p. 81):
“Render magnetic media such as hard drives, floppy disks, and backup tapes that are unusable or nonrepairable completely unusable prior to their disposal. Degaussing is a method whereby a strong magnetic field is applied to magnetic media to fully erase the data. If you don’t have access to degaussing equipment, you can physically damage the media beyond repair, e.g., drill a hole through it or cut it up with wire cutters or scissors. Optical disks must be physically damaged. Reformatting media is not sufficient to render the data totally inaccessible to people who know how to retrieve it.”
The covered entity’s Security Official should verify, and document in writing, that electronic protected health information is deleted from hardware or electronic media.
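The following is an added illustration, not part of the original posting or the Hartley handbook, of why a reformat is not sufficient and of what a documented verification step can look like. It builds a constructed in-memory "media image" holding a fake ePHI record, shows that a quick reformat (which rewrites only the filesystem header) leaves the record intact, and then shows a full overwrite pass (an assumption here; the posting itself discusses degaussing and physical destruction) followed by a residual-data scan whose result is captured in a disposal record for the Security Official's file.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample data: a fake patient record standing in for ePHI.
SAMPLE_PHI = b"PATIENT: Jane Doe; MRN: 000000; DX: constructed example"
SECTOR = 512  # sector size assumed for the constructed image


def make_media_image(sectors: int = 8) -> bytearray:
    """Build a constructed media image: hypothetical header in sector 0, ePHI in sector 3."""
    img = bytearray(sectors * SECTOR)
    img[0:16] = b"FILESYSTEM-HDR!!"  # hypothetical filesystem header
    img[3 * SECTOR:3 * SECTOR + len(SAMPLE_PHI)] = SAMPLE_PHI
    return img


def quick_format(img: bytearray) -> None:
    """Simulate a reformat: only the header/allocation sector is rewritten, data sectors untouched."""
    img[0:SECTOR] = b"\x00" * SECTOR
    img[0:16] = b"FILESYSTEM-HDR!!"


def overwrite_all(img: bytearray) -> None:
    """Overwrite every sector of the image (a sanitization pass, assumed for this illustration)."""
    img[:] = b"\x00" * len(img)


def residual_data_sectors(img: bytes) -> list:
    """Return the indices of data sectors (everything past the header) that still hold non-zero bytes."""
    return [i for i in range(1, len(img) // SECTOR) if any(img[i * SECTOR:(i + 1) * SECTOR])]


def contains_phi(img: bytes) -> bool:
    """Check whether the constructed ePHI record is still recoverable by a plain byte search."""
    return SAMPLE_PHI in bytes(img)


def disposal_record(media_label: str, img: bytes) -> dict:
    """Produce the written verification entry the Security Official would keep on file."""
    residual = residual_data_sectors(img)
    return {
        "media": media_label,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "image_sha256": hashlib.sha256(bytes(img)).hexdigest(),
        "residual_sectors": residual,
        "verified_clean": not residual,
    }


if __name__ == "__main__":
    disk = make_media_image()
    quick_format(disk)
    print("after reformat, PHI recoverable:", contains_phi(disk))   # True
    overwrite_all(disk)
    print(disposal_record("constructed-drive-01", disk))              # verified_clean: True
```

The scan here only confirms an all-zero overwrite; for media that is degaussed or physically destroyed, as the handbook recommends, the verification is a physical inspection recorded in the same kind of written entry.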