FAQ about HIPAA Requirements and IT Recycling
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule restricts the use and disclosure of an individual’s protected health information (PHI). Healthcare organizations and medical facilities (referred to as “the covered entity,” or CE) and any vendors or business associates of that CE are responsible for adhering to the HIPAA HITECH requirements.
What does the HIPAA Privacy Rule require regarding the disposal of E-PHI (electronic protected health information)?
HIPAA requires policies and procedures that address the disposition of protected health information (PHI) and the hardware that it’s stored on. All PHI must be removed from media before items are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii).
HIPAA does not specify a disposal method. Data must be destroyed by clearing (data completely overwritten), purging (degaussing), or destroying through shredding, incinerating, etc.).
Are healthcare organizations and medical facilities required to keep patient medical records for a specific amount of time?
No. Individual state laws dictate how long patient medical records must be retained. HIPAA does require safeguards are in place to protect the privacy of protected health information (PHI) for the amount of time that the information is maintained. See 45 CFR 164.530(c).
What devices are at risk in hospitals, medical facilities, and healthcare organizations?
- X-ray machines, both preventing usage and hacking into the system to generate image backups on a hacker’s network
- Pacemakers and other devices inside people
- Computers used to create electronic medical records (EMRs)
- Servers that store E-PHI, EMRs, and payment information
- Defibrillators (including those implanted in people) that are Bluetooth enabled
- Temperature settings for connected coolers and refrigerators that contain blood, organs, medicine, and other elements — hacking piggybacks controls used to monitor temperature and make adjustments if the device becomes too hot or cold
- CT scan machines, where radiation exposure limits could be adjusted
- MRI and other machines that rely on operators located in separate rooms or facilities for controls, settings, results recordings, and maintenance.
The list of hackable devices even includes those in-room screens and devices designed specifically to track who you are and what your medical needs are. A simple hack can reset these back to square one, or create changes in your chart that would cause the wrong medicine to be administered.
Essentially, almost any connected device in your local hospital, medical facility, and healthcare organization is vulnerable.
Are healthcare organizations and medical facilities able to reuse computers and other media that store E-PHI?
Yes, once steps have been taken to remove the protected health information from the media prior to reuse. See 45 CFR 164.310(d)(2)(i) and (ii).
Are healthcare organizations and medical facilities able to dispose of computers and other media that store E-PHI?
Yes, once the protected health information has been destroyed prior to disposal. See 45 CFR 164.310(d)(2)(i) and (ii).
How can healthcare facilities and hospitals protect against risk?
The FDA has taken some steps to limit risks. Part of the FDA’s work includes guidelines to ensure devices are patchable when a vulnerability is found.
The FDA also notes that devices can be updated with cybersecurity information and protections without having to go through recertification, making devices easier to secure for manufacturers and hospitals.
Just like in recent ransomware attacks, another way to minimize risks is to always update systems as soon as an update is available. Hundreds of thousands, if not millions, of dollars could be protected each year in the U.S. alone if system administrators at hospitals, corporations, and small businesses would apply patches as soon as they were made available.
Can a business such as Securis be hired to dispose of protected health information?
Yes. Healthcare organizations and medical facilities are allowed to hire third-party vendors to dispose of protected health information. There must be an agreement or contract that requires the vendor to safeguard the PHI through disposal. See 45 CFR 164.308(b), 164.314(a), 164.502(e), and 164.504(e).
What, exactly, can Securis do to protect patient records, billing information, and other risks left on computers and other medical equipment?
At Securis, we focus on protecting patient information, passwords, and other sensitive data left in older devices.
We tout the thorough shredding and destruction of these devices because it is a simple and effective way to prevent information from getting into the wrong hands. And, in the cases of healthcare facilities and hospitals, it helps you adhere to local and federal regulatory requirements protecting patient information and E-PHI.
It’s how we do our part, and we welcome a conversation with you about how you can do your part to protect your organization, customers, and even the environment.