In its July newsletter on cybersecurity, the Office for Civil Rights (OCR) released “Guidance on Disposing of Electronic Devices and Media,” which outlines the requirements health care providers and business associates have regarding the security of electronic data and media under the HIPAA Security Rule.
The newsletter reminds health care providers and business associates that they are required to have policies and procedures in place addressing the disposal and re-use of hardware and electronic media, and in that process consider the following guidelines:
- “Determine and document the appropriate methods to dispose of hardware, software, and the data itself.
- Ensure that ePHI is properly destroyed and cannot be recreated.
- Ensure that ePHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused.
- Identify removable media and their use (tapes, CDs/DVDs, and USB thumb drives).
- Ensure that ePHI is removed from reusable media before they are used to record new information.”
OCR refers to its “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” which sets forth permissible methods of disposal, and which are important to protect an organization from a data breach.