August 10, 2018
On August 7, 2018, the HHS Office for Civil Rights (OCR) issued guidance on disposing of electronic devices and media[1]. This guidance is important for all healthcare providers, as it applies to any covered entities or business associates that store ePHI on desktops, laptops, copiers, cell phones, USB devices and other electronic storage devices. OCR's guidance also reminds covered entities and business associates that it is critical to properly dispose of paper records that contain PHI.
The guidance issued by OCR focuses on the following four tasks that covered entities and business associates can undertake to ensure that their PHI, as well as their electronic devices, are disposed of properly: (1) undertaking a thorough risk analysis; (2) properly decommissioning and disposing of devices and media; (3) having HIPAA policies and procedures that address the disposal of devices and PHI; and (4) properly destroying or disposing of PHI.
HHS highlights that one of the first things a covered entity should ensure is that its risk analysis addresses the PHI stored on electronic devices and media. A few of the questions that covered entities may want to consider when conducting a risk analysis as it relates to the disposal of PHI are as follows:
Decommissioning of Devices
OCR also focuses on the importance of properly decommissioning devices. Decommissioning is the process of taking hardware or media out of service prior to its final disposal. HHS highlights the following three steps that covered entities and business associates should take when decommissioning devices:
HIPAA Policies and Procedures
The third topic that OCR focuses on is HIPAA policies and procedures governing the destruction and disposal of ePHI. OCR reminds covered entities and business associates that their HIPAA policies and procedures must address the disposal of ePHI. OCR provides examples of what such policies must contain, such as determining and documenting the appropriate method to dispose of hardware, software and the data itself. In addition, covered entities should ensure that workforce members who dispose of PHI, or who supervise others that dispose of PHI, receive training on such disposal[2].
Destruction and Disposal of ePHI
Last, OCR focuses on how PHI should be destroyed to ensure that it is not considered unsecured PHI. OCR highlights the following methods:
Although OCR only recently issued this guidance, OCR has actively addressed the failure to properly dispose of PHI in settlements with covered entities as well as in multiple other publications. For example, in 2015 OCR entered into a Resolution Agreement with a pharmacy over the pharmacy's alleged disposal of patient records in a dumpster that was accessible to the public[3]. OCR found that, among other things, the pharmacy failed to: (1) reasonably safeguard PHI; (2) implement proper written policies and procedures in compliance with HIPAA's Privacy Rule; and (3) provide HIPAA training to members of its workforce. This Resolution Agreement, together with other guidance issued by OCR on this topic, demonstrates that all covered entities and business associates need to make the proper disposal and destruction of PHI, and of devices containing PHI, a top priority.
[1] July 2018 OCR Cybersecurity Newsletter, Guidance on Disposing of Electronic Devices and Media, https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-july-2018-Disposal.pdf.
[2] See HHS, FAQ for Professionals, What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?, https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html.
[3] Resolution Agreement, United States Department of Health and Human Services, Office for Civil Rights and Cornell Pharmacy, 2015, https://www.hhs.gov/sites/default/files/cornell-cap.pdf; HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cornell/cornell-press-release/index.html.