How should we dispose of ePHI?
HIPAA Weekly Advisor, April 10, 2006
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
According to the security rule you must establish policies and procedures that address the final disposal of ePHI and the hardware or electronic media on which it is stored. Unauthorized users can easily recover ePHI off of hard drives, CD-ROMs, and other media storage devices if you do not properly erase or destroy them. Take steps to ensure the digital bits and bytes are inaccessible before destroying, selling, or throwing them out.
Many people believe that simply deleting files or formatting drives is sufficient to keep ePHI out of the hands of criminals-this is simply not the case. You must properly sanitize any type of storage media. There are just a handful of ways to do this, including the following:
- Overwrite the disk media with multiple passes as specified in the Department of Defense 5220.22-M standard for hard drive sanitization
- Perform a hardware reinitialization of the storage space (if possible)
- Physically break, burn, or destroy the storage device
Editor's note: Kevin Beaver, CISSP, security consultant with Acworth, GA-based Principle Logic, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- HIPAA Q&A: Level of encryption needed for email
- What does case-mix index mean to you?
- Identify potential Medicaid RAC target areas
- QA:Coding multiple initial infusions
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched