2016 HIPAA Audits Part 5: Where's Your PHI Data?
HIPAA Only Knows....
by Donna Koger, 1.8.16
Have you ever thought about data remnants and what are they anyway? Your electronic data files hide in places you may not have thought about when disposing of PHI (personal health information), which could cause serious problems with HIPAA rules and audits. This “hidden” data is called data remnants.
Where Does the PHI Hide?
Media devices such as multifunction printers, scanners, network printers, thumb/flash drives, etc., can store PHI on their internal hard drives. And the data doesn’t just “go away” when you delete a file, it only removes the memory address for the file but not the actual file on that drive.
This also applies to hard drives on computers or laptops that permanently leave your possession in some manner. Folks have actually been known to purchase a used device that still has as much as ten years information residing internally. Passing on PHI is a pretty large offense with HIPAA. Let’s not do it.
How do you properly dispose of hardware that might contain PHI?
So what should you do before donating, selling, trashing, etc., a device that may contain years of PHI data?
When you delete a file on a device it is not completely erased from the drive, which leads us to media sanitation. Media sanitization is a process by which data is irreversibly removed from media or the media is permanently destroyed. The data can be physically or otherwise removed from a device in a few different ways.
> Degausse: an electromagnetic pulse is applied to the hardware (drives), which permanently removes all traces of files.
> Shredding: physically destroys the hardware. This is typically done via a shredding service that has the capability for shredding equipment such as hard drives.
> Cryptography: the computerized encoding and decoding of information. In this method, a “key” is placed on the drive that protects all data from unauthorized access. To implement this method for data destruction, you simply need to remove those keys to clean the data.
For example, iPhone software versions before 4+ took 45 minutes to erase without cryptography, whereas the iPhone after 4+ which utilizes crypto takes about 3 seconds to clean a drive. However, unless cryptography is applied to a device before used, it is not an effective way to remove or destroy data.
> Media Sanitation Software: software programs, such as DBan, can wipe a drive completely clean so that it can safely be used again.
There are many services out there that can help you completely destroy unwanted PHI data by one method or another. These services can also provide a Certificate of Destruction that demonstrates you have properly and permanently destroyed any PHI that has left your possession. HIPAA will be happy.
For more information about data disposal, consult the NIST (National Institute of Standards and Technology) Guidelines for Media Sanitization.
Ugh! What if I don’t want to deal with any of that?
Using software that complies with HIPAA protocols may protect your hardware. For example, with PIMSY, none of your patient or practice PHI is stored locally; therefore, none of it is at rest. All of the protected data is stored in the Microsoft Azure Cloud, which adheres to HIPAA protocols and is backed up multiple times daily.
Using PIMSY for Practice Management not only supports your staff by helping to prevent data breaches; it may also protect you down the road by potentially reducing the need for the data disposal methods described above. It helps keep your data secure and HIPAA protected both now and ongoing – and helps ensure that none of it lingers on your devices.
Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.