HIPAA - Disposal 164.310(d)(2)(i)


Overview:
Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.


Action Items:
1) Obtain and review policies and procedures related to the disposal of any electronic media that stores ePHI. Evaluate the content in relation to the specified performance criteria for the disposal of hardware, software, and ePHI. Elements to review may include, but are not limited to:
   - How the disposal of ePHI, and/or the hardware or electronic media that stores ePHI, is managed and documented
   - How the sanitization process for information system media is managed and documented
   - Workforce members' roles and responsibilities in the device and media disposal process
   - How the disposition of previously stored ePHI, and/or the hardware or electronic media, is verified (for example, a read-back check after software sanitization, or a certificate of destruction from the vendor)
   - The types of devices and media that store ePHI
2) Obtain and review documentation demonstrating how the disposal of hardware, software, and ePHI data is completed, managed, and documented. Evaluate and determine whether the process is being followed appropriately and in accordance with the related policies and procedures.
3) Obtain and review documentation demonstrating how the sanitization of electronic media is completed, managed, and documented. Evaluate and determine whether the process is being followed appropriately and in accordance with the related policies and procedures.


Related Documents:
1) Policies and procedures related to disposal of any electronic media that stores ePHI.
2) Documentation demonstrating how the disposal of hardware, software, and ePHI data is completed, managed, and documented.
3) Documentation demonstrating how the sanitization of electronic media is completed, managed, and documented.


Additional Guidance:
When covered entities dispose of any electronic media that contains ePHI, they should make sure it is unusable and/or inaccessible. One way to dispose of electronic media is by degaussing. Degaussing applies a strong magnetic field to magnetic media (hard disk platters, tape) to fully erase the data. Note that degaussing has no effect on solid-state media such as SSDs and USB flash drives; those must instead be sanitized with the device's built-in secure-erase or cryptographic-erase function, or physically destroyed. If a covered entity does not have access to degaussing equipment, another way to dispose of the electronic media is to physically damage it beyond repair, making the data inaccessible. Whichever method is used, verify the outcome (for example, by reading the media back after a software overwrite) and record who performed the disposal, when, and how, so that the process can be evidenced during an audit.
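The software-sanitization path above, written out as an added example (this script is not part of the original article or of any HHS guidance): it overwrites a retired drive image with zeros in place, reads the whole target back to confirm every byte is zero, and appends a disposal record that an auditor can match against the policy. The image path, the single overwrite pass and the log format are assumptions made for illustration; the sample image is constructed from random data and contains no real ePHI.

```sh
#!/bin/sh
# Added example, not part of the original article or HHS guidance.
# Overwrites a file-backed disk image (or, run as root, a magnetic block
# device) with zeros, reads it back to verify every byte is zero, and
# appends a disposal record. Path names, the log format and the single
# overwrite pass are assumptions made for illustration.
#
# Caveat: overwrite-based sanitization is only appropriate for magnetic
# media. Flash/SSD media remap blocks internally; use the drive's secure
# erase / cryptographic erase or physical destruction instead.

set -e

# Byte length of a file or block device, with surrounding whitespace removed.
byte_size() {
    wc -c < "$1" | tr -d ' '
}

# overwrite_zero TARGET: write zeros over every byte of TARGET in place.
# conv=notrunc keeps the size and avoids truncate-and-recreate, so the
# existing blocks of a plain device or image are the ones overwritten.
overwrite_zero() {
    target=$1
    size=$(byte_size "$target")
    head -c "$size" /dev/zero | dd of="$target" bs=1048576 conv=notrunc 2>/dev/null
    sync
}

# verify_zeroed TARGET: return 0 only if every byte reads back as zero.
# Independent of the overwrite step, so it can also be re-run later as a
# stand-alone verification pass.
verify_zeroed() {
    target=$1
    size=$(byte_size "$target")
    head -c "$size" /dev/zero | cmp -s - "$target"
}

# sanitize_and_verify TARGET [LOGFILE]: overwrite, verify, and record the
# outcome. Returns 0 on verified sanitization, 1 when verification fails.
sanitize_and_verify() {
    target=$1
    log=${2:-sanitization.log}
    overwrite_zero "$target"
    if verify_zeroed "$target"; then
        result=VERIFIED
        rc=0
    else
        result=FAILED
        rc=1
    fi
    printf '%s target=%s bytes=%s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" \
        "$(byte_size "$target")" "$result" >> "$log"
    return $rc
}

# Demonstration on a constructed image filled with random data; it stands
# in for a retired drive and contains no real ePHI.
demo_dir=$(mktemp -d)
head -c 65536 /dev/urandom > "$demo_dir/retired_drive.img"
sanitize_and_verify "$demo_dir/retired_drive.img" "$demo_dir/sanitization.log"
cat "$demo_dir/sanitization.log"
```

Run against a real device by pointing sanitize_and_verify at the block device (e.g. /dev/sdX, as root) rather than an image; the read-back pass then reads the entire disk, which is slow but is exactly the verification evidence action item 1 asks for. For SSDs and NVMe drives, replace the overwrite step with the drive's own sanitize command (for example hdparm --security-erase or nvme format with a secure-erase setting) and keep the verification and logging steps; the read-back check does not prove that remapped flash blocks were cleared, so for solid-state media the log should record the erase method and the vendor tool's result instead.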


Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented that address the disposal of ePHI, and/or the hardware or electronic media on which it is stored?
- Do the policies and procedures specify the process for making ePHI, and/or the hardware or electronic media, unusable and inaccessible?
- Do the policies and procedures specify the use of a technology, such as software or a specialized piece of hardware, to make ePHI, and/or the hardware or electronic media, unusable and inaccessible?
- Are the disposal procedures carried out only by personnel who are authorized to dispose of ePHI, and/or the hardware or electronic media?



Article ID: 471
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-disposal-164-310-d-2-i-471.html