Reusing or disposing of computers containing protected health information

A covered entity may reuse or dispose of computers that store electronic protected health information (ePHI), but this must be done in accordance with the HIPAA Security Rule and specific policies and procedures. 

Covered entities may also engage business associates to assist in these processes, ensuring that all information, including those housed in HIPAA compliant email, is disposed of. 

HIPAA Security Rule and disposing of devices containing ePHI

Covered entities must develop and implement policies and procedures that govern the disposal of hardware and electronic media containing ePHI. These policies should cover the entire lifecycle of the devices, including their receipt, removal, storage, reuse, and disposal. The Security Rule emphasizes the need for policies and procedures that address the final disposition of ePHI and the hardware or electronic media on which it is stored. 

This includes ensuring that ePHI is properly removed or destroyed before the device is reused or disposed of. Accountability is a necessary aspect of the Security Rule. Therefore, Covered entities are encouraged to develop procedures for tracking the movement of hardware and electronic media containing ePHI. This helps in preventing unauthorized access and maintaining control over these items.

Steps to reusing computer containing ePHI

1. Identify computers for reuse: Determine which computers will be reused and ensure they meet necessary security and privacy standards.
2. Data removal: Implement procedures for the secure removal of ePHI from the computer. Use methods such as clearing, purging, or physical destruction to make the ePHI data irretrievable.
3. Data sanitization: Ensure all ePHI data is thoroughly sanitized from the computer's storage devices.
4. Record keeping: Maintain records that document the steps taken to remove or destroy ePHI from the computer.
5. Testing and verification: After data removal, perform testing to confirm that ePHI has been completely erased, and the computer is now safe for reuse.
6. Reformat or repurpose: Reformat the computer's hard drive or storage devices to ensure that no files are accessible, or repurpose the computer for its intended use.
7. Reuse safely: Once the computer is sanitized and verified, it can be safely reused for its intended purpose while ensuring ongoing compliance with HIPAA regulations.

Steps to dispose of computers containing ePHI

1. Data sanitization: Ensure all ePHI data is thoroughly sanitized from the computer's storage devices.
2. Select disposal method: Choose an appropriate disposal method based on the type of electronic media and sensitivity of the information. Common methods include degaussing, shredding, incineration, or other physical destruction methods.
3. Secure transport: Ensure that the computer is securely transported to a disposal facility or service provider that can properly dispose of the hardware and electronic media per HIPAA requirements.
4. Disposal verification: Verify that the computer and its ePHI have been successfully disposed of as intended, ensuring the data is no longer accessible.
5. Certification of disposal: Consider obtaining a certification of disposal from the service provider or facility, confirming that the computer and ePHI have been disposed of securely and in compliance with HIPAA.
6. Finalize disposal: Once all necessary steps are completed, consider the computer safely disposed of and ensure it is no longer accessible.

See also: How to properly dispose of electronic PHI under HIPAA

Approved methods of disposing of devices

1. Clearing: This method involves overwriting the electronic media with non-sensitive data, effectively erasing the ePHI. Clearing can be done using software or hardware products designed for this purpose.
2. Purging: Purging involves degaussing or exposing the electronic media to a strong magnetic field to disrupt the recorded magnetic domains, rendering the ePHI data unreadable.
3. Physical destruction: Physical destruction methods include disintegrating, pulverizing, melting, incinerating, or shredding the electronic media. These methods make the data on the media irretrievable and inaccessible.
4. Degaussing: Degaussing is a method whereby a strong magnetic field is applied to magnetic media to fully erase the data. It is particularly effective for magnetic tapes or disks.
5. Shredding: Shredding is a physical destruction method where the electronic media is mechanically reduced to small, irrecoverable pieces, ensuring that the ePHI is no longer accessible.

See also: How to safely dispose of ePHI