Is your organization required to comply with HIPAA privacy standards? If so, you've probably heard the term PHI - which is short for Protected Health Information. In the past we've written about how Protected Health Information must be rendered "Unusable, Unreadable, or Indecipherable to Unauthorized Individuals" -- and that leads HIPAA covered entities and business associates to be especially careful about encryption at rest, encryption in-transit, and authentication. But the disposal of protected health information goes far beyond that; we'll cover that topic today.
The day a hard drive fails is a day that no one enjoys but everyone experiences at some point. What happens when a hard drive containing Protected Health Information fails? That situation calls for a brief tour of NIST Special Publication 800-88 followed by some practical advice about disposal of protected health information.
NIST Special Publication 800-88 is a 64-page document about "media sanitization" -- see pages 26-41 if you'd love to learn more about something called minimum sanitization requirements. On the suspicion that you might prefer to hear the highlights in more approachable terms, here's an excerpt that is central to your obligations:
Destructive techniques also render the device Purged when effectively applied to the appropriate media type, including incineration, shredding, disintegrating, degaussing, and pulverizing.
Although all of these techniques sound interesting to watch, few sound convenient or readily accessible to businesses that operate in a conventional office; however, one of the techniques stands out as viable for that type of environment: shredding.
Hard drive shredding is one of the most convenient and effective techniques that satisfy the media sanitization requirements we just described. For your viewing enjoyment, here are some sample images of the output of some of the most effective shredding devices we know of. These particular ones are from Ameri-Shred:
As far as disposal of protected health information goes, we find the shredding technique -- as evidenced by the pictures above -- very compelling in terms of how thoroughly it destroys media.
Whichever technique you use, please beware that simply dragging files into the "trash" on a workstation or laptop is far from the level of media sanitization that is required of HIPAA covered entities and business associates. The types of physical destruction described here are the best path to ensuring that you comply with HIPAA in a way that maintains the privacy of all stakeholders.
Have additional HIPAA concerns that you'd like to discuss? We're standing by to be your sounding board.