OCR Provides Guidance on Disposal of Electronic Devices and Media

The July 2018 OCR Cybersecurity Newsletter focused on how covered entities and business associates should dispose of electronic devices and media.

• 164.310(d)(2)(i) of the HIPAA standard specifically states that health care organizations must implement policies and procedures that address the disposal of electronic protected health information (ePHI) and/or the hardware that the ePHI is stored on.

The Office for Civil Rights (OCR) started the newsletter off by reminding health care organizations that they should evaluate their current policies and procedures for disposing of electronic media and devices.  These might include “desktops, laptops, tablets, copiers, servers, smart phones, hard drives, USB drives, or any electronic storage device.”

The OCR then provided information on what is at risk.  If an organization uses improper disposal methods, sensitive information and PHI may be discovered by people who should not be able to view it, thus causing a breach.  No one wants to hear the “breach” word, ever, so this should be a big reminder that proper disposal is important.

The OCR also provided information on how costs can be incurred when there is a breach.  These can include the costs of notifying patients and possibly the media, responding to government investigations, handling lawsuits and hiring lawyers, hiring other consultants to help with breach responses or public relations and communications, among others.

There are some things that organizations may want to consider to help reduce the risk of a breach:

1. Where is the data stored?
2. Do you have an up-to-date inventory?
3. Do you have an up-to-date data disposal plan and media/device disposal plan?
4. Do you have certified employees or contractors who handle the destruction of data and/or devices?
5. Where and how are devices and media stored before disposal?

Additionally, there should be a proper procedure for decommissioning devices before disposal.  This can include ensuring information on the devices or media is erased before disposal and updating your inventory to reflect that the device is no longer in service.

To find out more about the OCR’s disposal guidance, you can read their newsletter directly.  If you need to create your disposal policy and would like to learn about other ways to protect your organization from breaches, join HIPAAgps today.