HHS Issues Guidance on Disposing of Electronic Devices and Media with Personal Data
Written by: Anthony E. Stewart, Esq.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance for disposing of technology that contains sensitive information, such as financial or protected health information. While the OCR’s intended audience is limited to covered entities and business associates subject to HIPAA, all organizations that store or process personal data should review and consider OCR’s recommendations.
The improper disposal of electronic devices and media that contain personal data may be classified as a breach under HIPAA as well as other federal, state and international laws. A data breach can be very costly to an organization. According to a recent study by IBM, the average total cost of a data breach in the United States is $7.91 million. Therefore, it is vital that an organization conducts a risk analysis to determine the best approach to protect personal data stored on electronic devices that have reached the end of their respective lifecycle.
When developing policies and procedures for the final disposition of hardware and electronic media containing personal data, OCR recommends that organizations should:
- Determine and document the appropriate methods to dispose of hardware, software, and the personal data itself;
- Ensure that personal data is properly destroyed and cannot be recreated;
- Ensure that personal data previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused; and
- Ensure that personal data is removed from reusable media (flash drives, CDs/DVDs, tapes, etc.) before they are used to record new information.
For additional materials regarding secure disposal practices, OCR recommends the following resources:
- https://www.us-cert.gov/sites/default/files/publications/DisposeDevicesSafely.pdf
- https://www.nsa.gov/resources/everyone/media-destruction/
- https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-coveredentities-when-they-dispose-information/index.html
- https://www.hhs.gov/hipaa/for-professionals/faq/576/may-a-covered-entity-dispose-ofinformation-in-dumpsters/index.html
- https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguar ds.pdf
Leave a comment
You must be logged in to post a comment.