Media Reuse and Disposal – The Burning Question...
A typical healthcare organization allocates between 1 to 3% of its total budget to IT. The IT staff is responsible for delivering technology that meets the expectations of savvy physicians, employees, and trendy patients. IT departments are always looking for ways to save money and work to balance risk vs. cost wherever possible. In this blog, I am bringing to light one of the burning questions that many IT departments still face - the reuse and disposal of electronic media.
Under the physical safeguards section of HIPAA § 164.310, it is mandated that any protected health information (PHI) must be removed prior to media reuse and disposal. Electronic media can be disks, drives, backup tapes, etc. HIPAA requires covered entities to develop formal policies and procedures regarding disposal and reuse of media containing PHI. It also expects covered entities to know who has control of the media, the person accountable for the actions of the entity in control of the media, procedures for data backup, data storage, media reuse and disposal. So what doesn’t HIPAA tell us? HOW to do it.
So should IT departments or IT companies purchase additional services from their hardware service providers to retain hard drives when the old ones are replaced for an extra fee? Damaged and non-working disks and drives also need to be addressed. What will IT do with hard drives they retain? Physically destroy them? What safeguards do IT departments need to put in place to ensure that drives that are bad or broken do NOT have data that is recoverable on them before these drives leave their premises/possession? Some alternatives that can be put in place prior to media reuse or disposal include:
- Onsite hard drive degaussing.
- Contracting with a company that provides degaussing services. These companies can also provide chain of custody documentation when picking up drives, etc. Media is tracked and labeled, and a certificate is provided with the pertinent details. Service providers become a Business Associate under HIPAA and can be held liable in the event of a breach.
- Asking hardware providers who take media offsite if they have means of cleaning it and providing certificates prior to reuse or providing a certificate of destruction.
- Using data wipe software. The effectiveness can depend on the type of media the software is usable on, the length of time programs take depending on volume/amount of data, and unreachable volumes on bad drives.
- Instituting a policy of not reusing media.
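The data-wipe option above has a verification step the post does not spell out: after the wipe runs, read the drive back and confirm every block is actually blank, treating any read error as a bad sector the wipe could not reach. The following Python script is an added example (not part of the original post or any vendor tool); it scans a device node or image file, counts clean, dirty and unreadable blocks, and recommends physical destruction whenever residual data or unreadable sectors remain. The 4096-byte block size, the constructed sample image and the fabricated patient record it contains are assumptions for demonstration.

```python
import os
import tempfile

BLOCK_SIZE = 4096  # read granularity; an assumption, not a value from the post

def verify_wipe(path, block_size=BLOCK_SIZE):
    """Classify every block of a wiped device node or image file.
    clean = all zeros; dirty = residual data; unreadable = I/O error (a bad sector
    the wipe could not reach). Any dirty or unreadable block => physical destruction."""
    counts = {"clean": 0, "dirty": 0, "unreadable": 0, "dirty_offsets": []}
    zero_block = bytes(block_size)
    fd = os.open(path, os.O_RDONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        offset = 0
        while offset < size:
            try:
                os.lseek(fd, offset, os.SEEK_SET)  # re-seek so a failed read cannot skew position
                chunk = os.read(fd, block_size)
            except OSError:
                counts["unreadable"] += 1
                offset += block_size  # skip the bad block and keep scanning the rest
                continue
            if not chunk:
                break
            if chunk == zero_block[:len(chunk)]:
                counts["clean"] += 1
            else:
                counts["dirty"] += 1
                counts["dirty_offsets"].append(offset)
            offset += len(chunk)
    finally:
        os.close(fd)
    counts["verdict"] = ("ok_for_reuse" if counts["dirty"] == 0 and counts["unreadable"] == 0
                         else "physically_destroy")
    return counts

def build_sample_image(total_blocks=8, dirty_blocks=(5,), block_size=BLOCK_SIZE):
    """Constructed test image: zeroed blocks plus fabricated PHI residue at dirty_blocks."""
    residue = b"PATIENT: Jane Doe, DOB 01/02/1970, MRN 000-TEST"  # constructed, not real
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        for i in range(total_blocks):
            f.write(residue.ljust(block_size, b"\0") if i in dirty_blocks else bytes(block_size))
    return path

if __name__ == "__main__":
    print(verify_wipe(build_sample_image()))
```

Run against a real device only after the wipe tool reports completion; a non-empty `dirty_offsets` list means the wipe did not finish, and a non-zero `unreadable` count is the "unreachable volumes on bad drives" case, where the drive should go to degaussing or destruction rather than reuse.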
There may be other approaches that an IT shop may decide to take. However, these decisions need to factor in risk vs. cost. Is the covered entity willing to take the risk? Are there cheaper alternatives they are willing to spend their time and resources on? There isn’t a black or white answer for every IT organization, only a burning grey one. Such is the world of regulations and compliance…
Ashini Surati is the Security and Compliance Manager at Park Place International. She has been working in the healthcare security and compliance realm for the past decade. Her passion is to ensure customers understand and comply with regulations and maintain a secure, compliant environment.