HHS offers guidance on disposing of devices or media with PHI
The HHS Office for Civil Rights is providing suggestions for getting rid of technology that contains financial or protected health information.
OCR aims the guidance at providers, insurers and other stakeholders, covering the proper, secure disposal of IT equipment that may contain such sensitive information.
This equipment includes desktops, laptops, tablets, copiers, servers, smartphones, hard drives, USB drives and other types of electronic storage devices.
Improper disposal of devices can lead to a data breach that can be costly to an organization, HHS warns. Costs include notifications, investigations, lawsuits, consultants, legal counsel, fees paid to security specialists and loss of clients.
Consequently, HHS offers 10 areas to address when data stored on devices are scheduled for final disposition:
1. What data is maintained by the organization and where is it stored?
2. Is the organization’s data disposal plan up to date?
3. Are all asset tags and corporate identifying marks removed?
4. Have all asset recovery-controlled equipment and devices been identified and isolated?
5. Is data destruction of the organization’s assets handled by a certified provider?
6. Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
7. Is onsite hard drive destruction required?
8. What is the chain of custody?
9. How is equipment staged or stored prior to transfer to external sources for disposal or destruction?
10. What are the logistics and security controls in moving the equipment?
The HHS guidance also includes a comprehensive examination of the processes for decommissioning and disposing of devices and media that are no longer needed; the destruction and disposal of protected health information; and the disposal of paper, film and other hard copy media.