Before we can discuss how to dispose of electronic PHI properly, we must understand what it is and why it must be disposed of.
PHI stands for protected health information: the information an individual gives to their doctor, healthcare provider and health plan when receiving care.
The HIPAA Privacy Rule provides protections for PHI held by covered entities (doctor’s offices, hospitals, health plans and health care clearinghouses) and gives individuals the right to access their information.
See more: What is the HIPAA Privacy Rule
Under HIPAA regulations, PHI must be handled with extreme care. Whether the information is digital, oral or on paper, it is important it is protected and only shared as needed to provide quality care.
PHI is not limited to health and medical information. It includes any identifier that your doctor or healthcare provider collects during care and that can be linked to a patient's medical information.
Some common identifiers include:
See more: What is protected health information (PHI)?
If PHI is not disposed of properly, it can result in major HIPAA violations and significant fines.
HHS states that “The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.”
They also state that “The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.”
Along with these requirements, covered entities are also responsible for training their employees on the procedures regarding disposal.
Neither the Privacy Rule nor the Security Rule requires a specific method of disposal. Each covered entity must assess its own operations to decide what steps it will take to safeguard and dispose of PHI appropriately.
The sensitivity of the PHI determines how it should be disposed of. Some information, if exposed, may cause little harm to the individual, while other information could enable identity theft or fraud, and the disposal method must match that level of risk.
Related: Understanding and implementing HIPAA rules
The proper way to dispose of electronic PHI under HIPAA is media sanitization: removing the data stored on a device or medium so that it can no longer be accessed or reconstructed. Media sanitization is central to maintaining confidentiality.
HHS recommends three methods for disposing of electronic PHI, which match the sanitization categories in NIST SP 800-88: clearing (overwriting the media with non-sensitive data), purging (for example, degaussing or a device-level secure erase) and destroying the media (shredding, pulverizing, incinerating).
Organizations should follow NIST Special Publication 800-88, Guidelines for Media Sanitization. This guide outlines how organizations identify categories of information, their confidentiality impact levels and where the information is located, and then choose a sanitization method commensurate with that impact.
In this guideline, NIST states that “In order for organizations to have appropriate controls on the information they are responsible for safeguarding, they must properly safeguard used media. An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information…. This potential vulnerability can be mitigated through proper understanding of where information is located, what that information is, and how to protect it.”
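The "Clear" category of sanitization in practice, with the full read-back verification NIST SP 800-88 expects before media is reused, as an added example. This code is not from the article, HHS or NIST; the 1 MiB block size, the file-based target and the fake patient records it writes are assumptions made for the demonstration.

```python
"""Clear-and-verify overwrite in the style of NIST SP 800-88 'Clear'.

Added example, not code from the original article or from HHS/NIST.
Works on a regular file so it can be run against a throwaway file;
the real use is pointing it at a block device node.
"""
import os
import tempfile

BLOCK_SIZE = 1 << 20  # 1 MiB per write/read; assumed, tune for the device


def overwrite_and_verify(path: str, pattern: bytes = b"\x00") -> dict:
    """Overwrite every byte of `path` with one fixed byte, fsync, then read the
    whole medium back and confirm nothing but that byte remains.

    Returns {"size", "written", "verified", "passed"}. Clear is only adequate
    for magnetic media that stays under the organization's control; for SSDs
    and flash (wear-levelling keeps spare blocks out of the host's reach) or
    media leaving the organization, 800-88 calls for Purge (ATA Secure Erase,
    NVMe Sanitize, cryptographic erase) or Destroy.
    """
    if len(pattern) != 1:
        raise ValueError("pattern must be exactly one byte")
    block = pattern * BLOCK_SIZE
    with open(path, "r+b") as f:
        # seek-to-end also works for block devices, where getsize() reports 0
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(0)
        written = 0
        while written < size:
            n = min(BLOCK_SIZE, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # make sure the overwrite reached stable storage
    # Full verification: read back the entire medium, not a sample of it.
    verified = 0
    passed = True
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK_SIZE):
            if chunk != block[: len(chunk)]:
                passed = False  # residual data survived: sanitization failed
            verified += len(chunk)
    return {"size": size, "written": written, "verified": verified,
            "passed": passed and verified == size}


def demo() -> dict:
    """Run the routine against a constructed throwaway 'medium' holding fake PHI
    and report whether the fake record is findable before and after clearing."""
    marker = b"MRN 000-00-0000 Jane Doe DOB 1970-01-01"  # constructed, not real PHI
    fake_medium = (marker + b" Dx: hypertension\n") * 5000  # ~280 KiB of fake records
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(fake_medium)
        path = tmp.name
    try:
        with open(path, "rb") as f:
            before = marker in f.read()
        report = overwrite_and_verify(path)
        with open(path, "rb") as f:
            after = marker in f.read()
    finally:
        os.remove(path)
    return {"before_contains_phi": before, "after_contains_phi": after,
            "report": report}


if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the text does not: verification is a separate read of the whole medium, not trust in the write having happened, and the routine is deliberately limited to Clear. Running it against an SSD through the filesystem would report success while remapped blocks still hold the old data, which is exactly the "sanitized in a manner not commensurate with the confidentiality of its information" case NIST warns about; for that media use the device's own purge command or destroy it.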
Paubox is the all-in-one HIPAA compliant email protection for healthcare. Keep your patients’ data secure with automatic email encryption and protect your organization with state-of-the-art email security.
Ensure every email is HIPAA compliant—without the hassle of portals or passcodes.