HHS Issues Guidance On Disposing Of Electronic Devices And Media

The U.S. Department of Health and Human Services (HHS) recently issued a newsletter providing guidance on the proper decommission and disposal of electronic devices and media containing sensitive information, such as electronic protected health information (ePHI). 

The protection of ePHI is required of covered entities which includes health plans. Accordingly, this responsibility falls on employers that sponsor self-insured health plans (which include health flexible spending accounts).

Such information can be stored on desktop and laptop computers, tablets, copiers, servers, smart phones, hard drives, and USB drives. Among other things, HHS suggests considering the following when developing policies regarding disposal of hardware or electronic media containing ePHI:

• Determine and document the appropriate methods to dispose of the device or media;
• Ensure that ePHI is properly destroyed and cannot be recreated;
• Ensure that ePHI previously stored on a device or media is securely removed so that it cannot be accessed;
• Identify all removable media and their use; and
• Ensure that ePHI is removed from any reusable media before it is reused. 

Data breaches and violations of HIPAA can be costly. HHS’ advice in this regard not only can protect health plans from a breach, but it also provides a glimpse into what HHS might expect of an employer if it were to audit for HIPAA security compliance.