HIPAA requires you to keep unauthorized people from viewing protected health information (PHI). Even when you’re disposing of unneeded PHI, you must still keep the data secure. According to the Department of Health and Human Services (HHS), “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.” Instead, you must destroy hard copy PHI, such as prescription slips, and use media sanitization on devices/media containing electronic PHI (ePHI).
What is Media Sanitization?
Media sanitization is when you remove all ePHI from a device and/or destroy the device. The goal is to make the ePHI unusable, unreadable, or indecipherable so that no one can reconstruct the information after you destroy it. The secretary of the HHS Office for Civil Rights requires you to use the media sanitization methods found in the National Institute of Standards and Technology (NIST) Special Publication 800-88r1: Guidelines for Media Sanitization.
Let’s look at NIST’s three methods for removing ePHI from media and how these methods work on various media types.
Three Media Sanitization Methods to Remove or Destroy ePHI
If you are dealing with an electronic device, you must either completely remove the ePHI so the device is safe for re-use or destroy the device. (Paper, of course, cannot have its PHI removed first; it can only be destroyed.) NIST provides three methods for removing ePHI from media:
- Clear. You use clearing if you plan to reuse or repurpose a device. Clearing sanitizes the storage by overwriting the storage space, replacing sensitive data with non-sensitive data. Overwriting doesn’t work well with flash memory or damaged media.
- Purge. You also use purging to clear ePHI from devices you want to reuse or repurpose. Depending on the media type, purging may involve overwriting, block erasing, cryptographic erasing, or degaussing. Degaussing exposes the media to a strong magnetic field to disrupt the recorded magnetic domains, leaving the media unusable.
- Destroy. When you don’t plan to reuse or repurpose media, you must destroy it. There are several methods designed to completely destroy media, such as disintegrating, pulverizing, melting, and incinerating. You can also use strong degaussing to destroy the media.
How to Clear, Purge, or Destroy Various Devices/Media
The type of media determines the sanitization method you’ll use. See a summary of different media types below:
Hard Copies/Paper Records
Use cross-cut shredders to destroy paper PHI. NIST recommends that particles be 1mm by 5mm or smaller. Don’t use strip-cut shredding because it’s easier for someone to reconstruct the strips. You can also pulverize, pulp, or disintegrate paper documents.
Mobile Devices (Cellphones, Tablets, Etc.)
Clear the device with a factory reset (see how to do this on Android and Apple). You can also clear mobile devices remotely, but it’s more difficult to verify the results this way. After clearing the data, you can destroy the mobile device by shredding, disintegrating, pulverizing, or burning the device in a licensed incinerator or with an incineration service.
Copy, Print, or Fax Machines
Never turn a copy, print, or fax machine in for manufacturer repair without removing the storage device first or clearing it of ePHI. To clear the device, perform a full manufacturer reset. You don’t have to destroy copy, print, or fax machines.
Magnetic Media (Cassette Tapes, Reels, Etc.)
Overwrite magnetic media by using approved data sanitization software. The software will use several passes to overwrite sensitive data. You can also use sanitization software on hard drives. To destroy magnetic media, burn the disks and diskettes in a licensed incinerator or shred them.
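The overwrite-and-verify procedure described for the Clear method above and for magnetic media here, as an added example that is not part of the original post or of any sanitization product. It runs against a constructed sample file in a temporary directory rather than a real device: passes of random data followed by a final pass of zeros, then a full read-back to confirm the media contains only the expected pattern and that a known marker is gone. Function names, the sample record and the marker string are all assumptions for illustration. NIST SP 800-88r1 expects a verification step after sanitization, which is what `verify_overwrite` models; note that on flash/SSD media (wear levelling) or copy-on-write filesystems, in-place overwriting of a file does not reach every stale copy, so those media need purge (block erase or cryptographic erase) rather than this method.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed sample record with a recognisable marker that the
# verification step searches for afterwards (not real PHI).
MARKER = b"MRN 000-CONSTRUCTED-000"
SAMPLE_PHI = b"PATIENT: Jane Example, " + MARKER + b", Dx: sample\n"
SAMPLE_PHI = SAMPLE_PHI * 2000  # roughly 100 KiB, spans several chunks


def write_sample(path: Path) -> int:
    """Create the constructed sample file and return its size in bytes."""
    path.write_bytes(SAMPLE_PHI)
    return path.stat().st_size


def overwrite_file(path: Path, passes: int = 3, chunk_size: int = 1 << 16) -> int:
    """Clear-style overwrite, in place, of every byte of the file.

    All passes but the last write random bytes; the last writes zeros so the
    read-back check has a known expected value. Works for magnetic media and
    plain files. On flash/SSD or copy-on-write filesystems, stale copies may
    survive outside the logical range, which is why NIST treats overwriting
    as Clear, not Purge, for such media. Returns bytes written per pass.
    """
    size = path.stat().st_size
    with open(path, "r+b", buffering=0) as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                last_pass = p == passes - 1
                fh.write(b"\x00" * n if last_pass else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the pass to the underlying media
    return size


def verify_overwrite(path: Path, marker: bytes) -> dict:
    """Full read-back verification of the sanitized file.

    Reports whether every byte now holds the expected zero pattern and
    whether the known marker can still be found anywhere in the data.
    """
    data = path.read_bytes()
    return {
        "bytes_checked": len(data),
        "all_zero": data.count(0) == len(data),
        "marker_found": marker in data,
    }


def sanitize_and_verify(path: Path, marker: bytes, passes: int = 3) -> dict:
    """Overwrite, then verify; a sanitization record should store this result."""
    overwrite_file(path, passes)
    return verify_overwrite(path, marker)


def demo() -> dict:
    """Run the whole procedure on a constructed file and return both checks."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "record.txt"
        write_sample(p)
        before = verify_overwrite(p, MARKER)
        after = sanitize_and_verify(p, MARKER)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The `before` result shows the marker present and the file not zeroed; the `after` result shows the opposite, which is the evidence a disposal log would retain alongside the device identifier and the method used.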
Hard Disk Drives
To destroy hard drives, remove the platter and use an electric degausser or degaussing wand to clear the data. You can also shred, disintegrate, pulverize, or burn the hard drive in a licensed incinerator.
Universal Serial Bus (USB) and Secure Digital (SD) Cards
You should destroy USB drives and SD cards by shredding or pulverization.
When you no longer need your paper documents or devices, you must dispose of them properly to protect the PHI. You should sanitize and/or destroy media to make sure no one can retrieve sensitive data.
Keep in mind that HIPAA requires you to have media re-use and disposal policies and procedures in place. According to HHS, “covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps.”
The HIPAAtrek platform makes it easy to update your policies and procedures and share them with your entire team. HIPAAtrek is a cloud-based HIPAA management solution designed to streamline your HIPAA compliance. Contact us today to learn how HIPAAtrek can simplify your HIPAA program.
Need More Guidance? Grab Our PHI Decision Tree!
This simple cheat sheet makes it easy to recognize every time you’re interacting with protected health information.