Healthcare providers of any size or type are required to comply with a variety of HIPAA regulations, including the safeguarding and destruction of the Electronic Protected Health Information (ePHI) that resides on older equipment that is being upgraded or taken out of service.
As a covered entity you must comply with:
§164.310(d)(2)(i) – Disposal (Required): Policies & procedures to address the final disposition of ePHI
This disposal implementation specification states that covered entities must:
“…Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”
As covered entities replace and update hardware and various equipment, ePHI can remain on a wide variety of equipment and devices including PCs, copy machines, printers, cell phones, tablets and imaging equipment. Unless properly sanitized, hard drives and other storage media can retain ePHI — which makes the data vulnerable to a costly data breach.
That’s why the implementation specification requires healthcare professionals to implement policies and procedures that prevent medical records and other ePHI from being disclosed when equipment and devices are disposed of. Hiring a data sanitization or electronics recycling company because it will “do it for free,” or allowing such a company to delay a pickup, in an effort to save money could amount to a de facto violation of HIPAA.