
HIPAA Compliant Computer Disposal

The requirement for HIPAA compliant computer disposal applies to any electronic device that is used to create, receive, maintain, transmit or access electronic Protected Health Information (ePHI), and any electronic media on which ePHI has been stored. However, although the HIPAA Security Rule states what the requirement is, guidance to support compliance with the requirement is long out of date.

When the HIPAA Security Rule was published, it was deliberately technology neutral. Consequently, many of the standards and implementation specifications are just as applicable now as they were then. This has the advantage of supporting consistency in HIPAA compliance, but also has the disadvantage of creating compliance issues when guidance published to support compliance is out of date.

The requirement for HIPAA compliant computer disposal – and the guidance provided to support the requirement – are an example of how taking a twenty year old implementation specification out of context can create a compliance issue. This is because the only implementation specification relating to HIPAA compliant computer disposal (§164.310(d)(2)(i), the required "Disposal" specification) states:

“Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”


However, when putting the implementation specification back into the context of the Security Rule as a whole, covered entities and business associates are required to “Protect against any reasonably anticipated threats or hazards to the security or integrity [of ePHI]” (§164.306(a)). The risk of a compliance issue comes from guidance to support HIPAA compliant computer disposal being long out of date and inadequate to protect the security of ePHI.

The Guidance to Support Compliance is Long Out of Date

To support compliance with the HIPAA Security Rule in general, HHS published a series of security guides in 2005. The guide intended to support compliance with the HIPAA computer disposal requirement mainly focuses on having policies and procedures in place to comply with §164.310, but it also suggests applying a strong magnetic field to hardware to erase data stored on it (degaussing) or physically damaging hardware beyond repair to make ePHI inaccessible.

A subsequent FAQ published by HHS in 2009 refers to this guide and also advises readers to consult NIST SP 800-88 Guidelines for Media Sanitization. NIST SP 800-88 was last updated in 2014 (Rev 1). It sorts sanitization into three levels – Clear, Purge, and Destroy – and ties the level required to the confidentiality impact of the data and to whether the media will be reused or will leave the organization's control. For media that has held data of high confidentiality impact (which ePHI would qualify as) its decision flow lands on Purge or Destroy, with physical destruction where the media will not be reused. The Destroy techniques it lists for hard drives include disintegration, shredding, pulverization, and incineration.

However, this advice is now ten years out of date and, since its publication, computer hard drives have become more advanced and more resilient. Concerns have been raised by vendors in the data destruction industry that disintegration techniques can leave fragments of recoverable data – one source arguing that a “modern hard drive can store 600,000 pages of data on a 2 millimeter-wide shred particle. That’s a particle smaller than a grain of rice!”

Unfortunately there is little consensus in the data destruction industry about the most effective method of HIPAA compliant computer disposal. Most vendors agree that overwriting will not guarantee the security of ePHI, because a software overwrite only reaches the sectors the drive still presents to the host: it cannot touch reallocated bad sectors on a partially damaged drive, nor the over-provisioned and remapped blocks of a solid-state drive. Degaussing, meanwhile, is limited in scope because it only affects magnetic media – it does nothing to flash-based SSDs – and its efficacy on modern high-coercivity platters depends on using a degausser rated for them. Where consensus exists, it is that hard drives are degaussed before being disintegrated, pulverized, or incinerated.
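As an added illustration of why an overwrite alone is hard to trust (this is example code written for this page, not a tool from The HIPAA Journal, HHS, or NIST), the Python below audits a disk image after a single-pass zero overwrite, first by reading every sector and then by the kind of random spot check a quick post-wipe audit often relies on. The image, the residual "patient record", and the sector numbers are all constructed for the demonstration. The point it makes: the sampled check can pass while the full scan finds a sector the overwrite never reached, and even the full scan only sees what the drive exposes to the host, so reallocated sectors and an SSD's over-provisioned area stay outside its reach.

```python
import os
import random
import tempfile

SECTOR = 512
OVERWRITE_PATTERN = b"\x00" * SECTOR  # what a single-pass zero overwrite should leave behind

# Constructed sample residue: a fake record that the overwrite never touched.
# Nothing here is real data; it exists only so the scan has something to find.
RESIDUAL_RECORD = b"MRN 0000000 DOE, JANE 1970-01-01 DX: EXAMPLE".ljust(SECTOR, b"\x20")


def make_test_image(path, sectors=4096, residual=(1234,)):
    """Write a constructed image that looks like an overwritten drive except for
    a few sectors (think reallocated ones) that the overwrite never reached."""
    with open(path, "wb") as f:
        for lba in range(sectors):
            f.write(RESIDUAL_RECORD if lba in residual else OVERWRITE_PATTERN)
    return path


def verify_full(path):
    """Read every host-addressable sector and return the LBAs that still differ
    from the overwrite pattern. This is the only check that can prove the part
    of the drive the host can see is clean; it says nothing about sectors the
    drive has quietly retired or remapped."""
    bad = []
    with open(path, "rb") as f:
        lba = 0
        while True:
            chunk = f.read(SECTOR)
            if not chunk:
                break
            if chunk != OVERWRITE_PATTERN[: len(chunk)]:
                bad.append(lba)
            lba += 1
    return bad


def verify_sampled(path, samples=100, seed=0):
    """Spot-check a random subset of sectors. Returns (lbas_checked, bad_lbas).
    A clean result here only means the sample happened not to land on residue."""
    total = os.path.getsize(path) // SECTOR
    chosen = sorted(random.Random(seed).sample(range(total), min(samples, total)))
    bad = []
    with open(path, "rb") as f:
        for lba in chosen:
            f.seek(lba * SECTOR)
            if f.read(SECTOR) != OVERWRITE_PATTERN:
                bad.append(lba)
    return chosen, bad


def disposal_report(path):
    """Summarise both checks in the shape a disposal record would keep."""
    full_bad = verify_full(path)
    checked, sample_bad = verify_sampled(path)
    return {
        "sectors": os.path.getsize(path) // SECTOR,
        "full_scan_residual": full_bad,
        "sampled_sectors": len(checked),
        "sampled_residual": sample_bad,
        "host_visible_clean": not full_bad,
    }


def demo_report(residual=(1234,)):
    """Build a throwaway image in a temporary directory and return its report."""
    with tempfile.TemporaryDirectory() as d:
        img = make_test_image(os.path.join(d, "drive.img"), residual=residual)
        return disposal_report(img)


if __name__ == "__main__":
    print(demo_report())
```

Run against a real block device the same logic applies, but the result should be read as "no residue visible to the host", never as "no ePHI left on the media"; that gap is exactly why the vendors quoted above still want magnetic drives degaussed and then physically destroyed.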

HIPAA Compliant Computer Disposal in 2024

To best comply with the HIPAA computer disposal requirement, covered entities and business associates are advised to discuss their disposal requirements with data destruction vendors and seek assurances that ePHI will be rendered completely inaccessible by their destruction service. This should also be written into a Business Associate Agreement before hardware is handed over to vendors for destruction.

In addition, it is necessary to not only consider servers and workstations as hardware, but every device that falls within the Security Rule's definition of a workstation (§164.304): “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.” This means – for example – tablets, mobile phones, and smartwatches with local data storage capabilities may also be subject to the requirement for HIPAA compliant computer disposal.

Covered entities and business associates concerned that their current computer disposal arrangements do not “protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI”, or who have further questions about HIPAA compliant computer disposal, are advised to seek independent compliance advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
