Your patients entrust you with securing their most sensitive health information from the moment they walk into your practice to long after their visit ends. This not only includes you keeping your patients’ personal information secured but also (Health Insurance Portability and Accountability Act) HIPAA compliant data destruction.
HIPAA is more than just a long set of rules and standards related to protected health information (PHI). If you fail to comply with these rules, you can face hefty penalties ranging from $100 to $50,000 per violation. The severity of HIPAA penalties is based on the degree of negligence, the size of the breach, and the potential risk to patients following the data breach. Violations can even lead to criminal charges if a data breach is intentional or for financial gain. And these certainly include your process for HIPAA compliant data destruction of patient personal information as well.
To avoid hefty fines and cumbersome administrative actions from HIPAA violations, it’s imperative that your practice’s security policies take into account HIPAA compliant data destruction of sensitive data. No matter how large or small your practice is, you still face the risk of HIPAA violations and enforcement actions, all because of what you toss in your trashcan.
Be on the lookout out for these common errors when disposing of PHI:
1. Dumping Paperwork with Legible PHI. The most common and avoidable violations from disposing of PHI are due to tossing out medical documentation that still contains legible patient data. HIPAA requires that you make patient data indecipherable before you throw it away. You can satisfy this requirement by shredding, burning, or pulverizing documents before you discard them.
You can avoid HIPAA compliant data destruction violations significant fines by establishing a clear policy to shred, burn or pulverize all documents from your practice before disposal. And if you opt for a third-party disposal service, ensure that their disposal practices comply with HIPAA standards.
2. Disposing of Electronic Records Before Clearing PHI: As with hard copies, electronic records should be cleared of PHI before they are “thrown out.” You may store electronic data on media like flash drives, hard drives, mobile phones, tablets, and computers. It is vital to identify ALL locations that data may occur. Erasing data from just one of many places can lead to severe consequences. Although it takes more time to discard all locations, it is well worth it when you consider the possible consequences of failing to comply with HIPAA compliant data destruction
When disposing of electronic records, just moving the items you want to delete into your trash and emptying the trash is not enough. HIPAA requires providers do one of the following:
- Clear data: If you wish to reuse a device, you should clear it of all PHI. This is usually done by overwriting the data so that it is no longer readable.
- Purge data: Purging data is more severe than just clearing it. You can permanently erase PHI from a device before repurposing or disposing of the device
- Destroy data: Destroying information is the most complete and invasive method of all. If you have no plans to reuse a device, you should completely destroy it. This can be done by pulverizing, incinerating, or demagnetizing the device to render it useless in the future.
(1) It is best not to perform any of the above functions on your own, there are various software programs and companies available that specialize in these tasks.
(2) When you finish any of the above processes, go back and confirm that the information is gone. Then, document the process you used to remove the data, the date it was removed, who double-checked that it was gone, and how they confirmed it.
(3) HHS posted Guidelines for Sanitation (NIST Special Publication 800-88) with more detailed information on disposing of electronic records.
3. Disposing of Copy and Fax Machines without Clearing Data: Computers, flash drives, and mobile devices are not the only items that contain stored PHI. Copiers, fax machines, and even scanners may store sensitive data on internal hard drives that you must clear before disposing or repurposing the device.
In 2013, HHS settled with Affinity Health Plan for $1.2 million. The plan failed to remove over 300,000 patients’ records from copy machines it had been leasing. The leasing company discovered the patient information after they received the devices back. HHS found that Affinity had not included copy machine hard drives in its security policies, and therefore had no measures in place to clear the data stored on the machines.
To avoid similar violations for not having HIPAA compliant data destruction policies in place, be sure to examine your copy machines, scanners, and other devices used to create paper or electronic copies of patient data and create a practice to clear that data periodically to avoid an unwanted breach of PHI.
Beyond your patients´ expectation of privacy, the government places a duty on you to protect your patients’ information from unwanted disclosure under the Health Insurance Portability and Accountability Act (HIPAA). To access a variety of HIPAA online trainings, check out Healthcare Training Leader HIPAA training page.
|Subscribe to Healthcare Practice Advisor|
|Get actionable advice to help improve your practice’s
reimbursement, compliance, and success in this weekly eNewsletter.