Health Information Compliance Alert

Published on Tue May 25, 2010 PDF

Don't scrap old computers before performing vital safety checks.

Covered entities, be forewarned: If state organizations or others are hungry for your donated computers, you'll need to take several bytes out of your hard drive before you hand them over.

It's happening more and more often these days.

Healthcare organizations with outdated or obsolete personal computers are giving them away to other facilities without properly sanitizing their machines. Confidential healthcare data winds up in full view of those who shouldn't have access to protected health information -- and thousands of patient files are one click away from public exposure.

Remember, CEs: You're responsible for the integrity and security of the PHI you maintain under HIPAA's security reg. If you're considering donating your computers to anyone, you need to ensure that PHI is no longer contained in any of those hard drives.

While the 1998 proposed security rule didn't clearly address how to dispose appropriately of media or systems that might have electronic PHI on them, the final rule explains what your responsibilities are, notes Cynthia Smith, at PricewaterhouseCoopers. CEs must review their risk assessments regarding how they're disposing of media -- from floppy disks to CDs to hard drives -- and how they're disposing of information that's no longer useful.

Option 1: Secure Delete. While many CEs believe deleting files will quickly and efficiently erase all PHI, "Just simply deleting data is not sufficient protection," Smith said, adding that one should perform an overwrite to properly dispose of confidential information. "There needs to be some thought on this issue to ensure that [PHI is not turned over] to a voluntary organization like a school andcan be reused," she urges.

Others say that computers just don't understand that deleting files means we humans want something completely erased. "Instead, when you tell your computer to delete a file, it thinks that it should merely hide that file from you," says Rick Edvalson, business manager for IntegriNet Solutions Inc. in Boise, Idaho. Edvalson tells Eli that when a computer "deletes" a file, the name of the file is merely altered in a way that removes the file from the directory of files. CEs want to ensure that "deleted" files cannot be recovered, they can obtain software that complies with the Department of Defense standard, says Edvalson.

"Such 'secure delete' programs will be able to completely erase one file at a time," he says, adding that some "secure delete" programs can be found at places like East Technologies, software sites tucows and ZDNet Downloads, and many others.

Option 2: Hard Drive Destruction. But for those who don't want to take the chance that some of their stored PHI could get loose in public, they may want to consider physically destroying the disk. That's what Fred Langston, principal consultant with Guardent in Seattle, advices Langston is aware that sounds a bit overzealous, but stresses that it truly is the best way to ensure PHI doesn't get out on the street. "Literally taking a hammer to it until it's in little, tiny pieces -- that's probably the best way."

Warning: Reformatting is no solution. If destroying your hard drives outright doesn't appeal to you, you can always go with byte-for-byte overwites, says Langston, or what are known as "triple wipes" of the disk. He says there are many "secure delete" programs out there that will perform these tasks. Whatever you decide, Langston advises CEs to refrain from performing a simple reformatting. "A lot of people think they'll just reformat the disks and that'll fix it. Well, that makes it so that you can't recover your operating system, but the data potentially can still be called off there; it's not as good as doing a secure byte-for-byte overwrite or a triple wipe."

Langston says many people feel that erasing PHI from their disks will solve all of their problems, when that's just not entirely accurate. That's not a complete solution, he claims, because when you open a Microsoft Word document that may contain PHI, it creates temp files. For example, when you open a Word document, potentially there are eight individual temp copies of that document when it's opened. So, in most cases, it's best to wipe that disk completely from end to end, because there can be multiple copies of data on a system.