Keeping Old Patient Data from Causing HIPAA Headache

The electronic health records meaningful use program substantially increased the number of providers adopting the technology, and fostered an explosion in the past half-decade of buying additional ancillary systems to augment EHRs.

Just think about how many providers bought a new practice management system and health information management system when they got the new EHR. More recently, mobile devices, often bought by the organization, are everywhere in a care setting.

But, what happened to the old servers, personal digital devices, pagers, copiers, fax machines, printers, floppies and disks, tape reels and other technologies that held protected health information and are no longer used?

Has your organization destroyed these devices internally or via a contractor? Do you have documentation in-house or from the contractor showing a chain of custody and proof that the PHI on these devices no longer exists? Is there proof that destruction followed best practice guidelines from the National Institute of Standards and Technology?

Remember, the HHS Office for Civil Rights and HHS Office of Inspector General both have random HIPAA security audit programs and the Joint Commission covers physical security as part of its own audit program.


NIST, a part of the U.S. Department of Commerce, offers detailed guidance on ways to permanently destroy protected health information for more than 30 types of electronic storage (search for Special Publication 800-88r1.pdf). These include flash-memory-based storage devices, solid state drives, memory cards, RAM and ROM storage devices, motherboards and peripheral cards. And there remain plenty of CDs, DVDs, Blu-ray disks and USB devices lying around. Do you know where they are?

In the guidance, NIST warns of the dangers of not knowing where unused electronic media is, or improper disposal, including paper records:

“An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information.

“Media flows in and out of organizational control through recycle bins in paper form, out to vendors for equipment repairs, and hot-swapped into other systems in response to hardware or software failures. This potential vulnerability can be mitigated through proper understanding of where information is located, what that information is, and how to protect it.”

In-house or outsource?

Using magnets, pulverizers or shredders, depending on the type of media, many larger hospitals destroy their own obsolete electronic media holding PHI, and adherence rates are fairly high, as the Joint Commission audits include physical security, says Gerry Hinkley, a partner in the Pillsbury Winthrop Shaw Pittman law firm in San Francisco. Smaller hospitals, particularly 50 beds or fewer, don’t have the resources and may not be as in tune with their obligations as larger facilities, he adds, with a caveat: “HIPAA compliance is expensive and organizations do the best they can.”

Many other providers contract out the work, which for hospitals under 200 beds may be more cost effective, says Keith Fricke, principal consultant at tw-Security in Overland Park, Kan. He previously worked as information security officer at Mercy Health in Cincinnati and was supervisor of information security for Cleveland Clinics’ community hospitals.

Both large organizations outsourced electronic media destruction because the vendors provided a certification of destruction that included the date, time and method of destruction, Fricke says. “We thought having a third party added authenticity to the process.”

Be cautious

In many cases, a simple way to wipe PHI off servers, printers, copiers or other devices is to reset the device to factory settings, restoring it to the original configuration. But there is no guarantee that simple trick will work and completely wipe everything, Fricke warns, particularly with more modern servers, which don’t just have internal storage but a set of storage disks that can connect to storage area networks.

There is a legal step that providers often overlook when destroying media, cautions Tom Walsh, president and CEO at tw-Security. The information technology department or other departments should validate with the compliance and legal departments that there is not a legal hold order on protected health information prior to destruction of any media.

Documenting where PHI is collected, stored, transmitted and disposed of should be part of a HIPAA risk assessment, says Adam Greene, a former HHS Office for Civil Rights official and now a partner in the Davis Wright Tremaine law firm. And that’s not a small task, as Greene acknowledges there certainly are challenges to locating all the PHI in departments across a facility.

Picking a Vendor

An organization selecting a vendor to destroy electronic media might believe such companies don’t need as close scrutiny as other business associates because they are steeped in the security business. But they’re just another business associate and prone to problems like everyone else, says Cameron Camp, security researcher at cyber security software vendor ESET. “You’re just a client to them and they deal with data day in and day out.”

Stuff happens. You never know if an employee of the contractor will take off in a truck full of your PHI destined for the crusher and head to Las Vegas. So find out if the company has had any breaches and if they hire outside security specialists to attack their information systems and assess their security, Camp says.

You’ll also want to know if they have environmentally sound disposal processes as that may be required in certain regions. Destruction methods should have UL (Underwriters Laboratories) certification and erasure of a hard drive should meet National Security Agency standards. And, Camp adds, be very concerned if the contractor loses documentation on devices they are to destroy.

Greene also suggests asking if a company has had breaches. If the answer is no, then the company is either very good or doesn’t know it has been breached. “If all their information security is documented on one page, it is not a mature program and they are not looking for breaches.”

When Data Goes Offsite

Many providers contract with a disaster recovery company to host copies of their information systems at disparate locations. These providers should send a team to participate in the vendor’s disaster recovery exercises, says Keith Fricke of tw-Security.

When finished, the provider typically will wipe its data off the vendor test system and the vendor will wipe its data off the test. But it is important for the provider team to go further and talk with the vendor to understand what processes it follows when getting the test system ready for the next client, to ensure there is no chance of any of the provider’s PHI still being on the system.
