Mobile devices are commonplace in modern offices. As a covered entity (CE) or a business associate (BA), you will undoubtedly have mobile devices and media to manage. Electronic protected health information (ePHI) is not only on your desktop computer but may be on many devices, from laptops to thumb drives and from smartphones to external hard drives.
However, these smaller devices can easily leave the building, sometimes by accident. This puts your organization at risk of a privacy breach. As a CE or BA, you are responsible for maintaining the confidentiality, integrity, and availability of ePHI. Therefore, you must be able to account for any mobile device containing ePHI, safely reuse it, and properly dispose of it.
How to Account for Your Mobile Media
Imagine a hard drive containing thousands of private records suddenly goes missing. Did an employee take it home? Is it lost? If a mobile device leaves the building without your knowledge, anything can happen to it.
Accountability means you must know where all media containing ePHI moves inside and outside of your organization. To establish an accountability plan, you will need to:
- Take a complete inventory of your mobile devices (e.g., tablets, memory cards, backup disks).
- Create a check-out/check-in log.
Anyone who wants to remove a device from the organization must be able to justify the need and then log the removal. A person approved to regularly use mobile media outside the facility should sign the media out as a long-term checkout, so the device’s location is on record.
How to Reuse Your Mobile Media
Mobile devices and media are sometimes reused in an organization or donated to charity. In either event, you need to remove all ePHI from these devices before they can be safely reused.
There are many software cleaning solutions (sometimes called “disk wipe” software) on the market. They may require you to run the software over the drive a few times to eliminate all the data. Always follow the instructions provided, and keep a record of the item being sanitized and who it is signed out to.
How to Dispose of Your Mobile Media
Organizations will often dispose of mobile devices and media at the end of their lifecycle. However, disposal requires you to remove all ePHI and permanently destroy the device. The most reliable way to do this on a hard drive is to use a degausser. If you don’t have one, you can wipe the device clean with disk wipe software and then physically destroy it. Page 8 of the NIST “Guidelines for Media Sanitization” describes ways to destroy a device.
After you dispose of an inventory item, document the following:
- Name of the media destroyed
- Method of destruction
- Date of destruction
- Person or organization destroying the media
To protect your ePHI from unauthorized access and a potential breach, create an accountability plan, clean devices before reusing them, and safely dispose of unwanted devices. Staff members may also have questions about their own personal devices, so be sure you know what the HIPAA Security Rule says about device and media controls.