Health Information Compliance Alert

Compliance Strategies:

Prepare Your Personnel To Repurpose Medical Devices

You can donate outdated medical devices without handing out e-PHI -- here's how.

You don't have to demolish your outdated medical devices to keep them from spilling patients' PHI to unauthorized users.

Tell your employees to follow this four-point plan to prepare your devices for use outside your organization.

Delete All Data Stored On The Device

"You must remove all data from the device's memory before you allow it to be used outside of your facility," says Patricia Markus, an attorney with Smith Moore in Raleigh, NC.

Action plan: Your tech team must first determine what confidential information -- if any -- is stored on the device. Though the security rule limits your concerns to electronic PHI, you should educate your staffers on how to root out any confidential data, including your facility's business information.

Good news: Not all data stored on your devices identifies which patient it came from -- and not all data is "readable" without a ton of technology, points out Rick Ensenbach, senior security consultant with Shavlik Technologies in Roseville, MN. Before you spend a ton of time completely wiping each bit of information on your devices, confirm that the information actually poses a security threat.

Rule Out Problems With Data Integrity

Some devices hold a "residual memory," Ensenbach notes. That means that no matter how strenuously you attempt to delete all information from the device, some portion of the data will remain.

The problem? If you repurpose that device, the remaining data could intermingle with any new data. And that could severely disrupt your patients' treatment. Therefore, you should not repurpose any device that could hold residual memory, Ensenbach stresses.

Invest In Useful Technologies

"Most medical devices use an embedded operating system like Linux or Windows," says Fred Langston, senior product manager with VeriSign Global Security Consulting in Seattle. That means you can use the same equipment to erase patient data from your medical devices and computers, he says.

Ask For A Business Associate Agreement

If your medical devices are leased from a vendor, you must ask the vendor to sign the business associate agreement as outlined in the security rule, Ensenbach points out. This is especially important if you decide the devices contain residual memory, or if you are unsure how to remove patients' data.

Heads up: Most vendors don't want to be tied to you as a business associate, Ensenbach warns. For those who balk at signing the contract, create a confidentiality agreement that accomplishes the same purpose, he advises.

The bottom line: Make the most of your medical device purchases by repurposing them in other areas of your facility -- or by passing them on to other providers. And you can recoup some of the cost as a tax write-off if you're able to donate them to outside charities.

Use this plan, along with any other procedures you develop, to ensure that PHI never leaves your organization with your devices.