Practice Management Alert

Question: My office’s clinician is upgrading to a new phone and has me wondering: What’s the best way to dispose of a mobile device?

Michigan Subscriber

Answer: The U.S. Department of Health and Human Services Office of Civil Rights (OCR) points to mobile device disposal as a key point for risk analysis for anyone whose devices — mobile or otherwise— access protected health information. In their July Cybersecurity newsletter, the OCR recommends performing a full risk analysis and points out how much time and money such a step could save by preventing a breach. Your practice may have already anticipated the costs of services like legal counsel or even a public relations firm, and if you haven’t, now is a good time to really think about the afterlife of your devices.

“Devices or media that need to be replaced should be decommissioned and disposed of securely to ensure that either the devices or media are destroyed or any confidential or sensitive information stored on such devices or media has been removed,” the OCR says.

The OCR continues: “Decommissioning is the process of taking hardware or media out of service prior to the final disposition of such hardware or media. Steps organizations can consider as part of its decommissioning process include:

• “Ensuring devices and media are securely erased and then either securely destroyed or recycled;
• “Ensuring that inventories are accurately updated to reflect the current status of decommissioned devices and media or devices and media slated to be decommissioned; and
• “Ensuring that data privacy is protected via proper migration to another system or total destruction of the data.”