Paubox blog: HIPAA compliant email made easy

How to properly dispose of electronic PHI under HIPAA

Written by Anna Flairty | January 18, 2023

Before we can discuss how to dispose of electronic PHI properly, we must understand what it is and why it must be disposed of.

 

What is PHI?

 

PHI stands for protected health information: individually identifiable health information that a covered entity or its business associate creates, receives, maintains or transmits. In practice it is the information a patient gives their doctor, other healthcare providers and health plans while receiving care, together with what those organizations record about that care.

The HIPAA Privacy Rule protects PHI held by covered entities (doctor’s offices, hospitals, health plans and health care clearinghouses) and by the business associates that handle PHI on their behalf, and it gives individuals the right to access their information.

See more: What is the HIPAA Privacy Rule

Under HIPAA, PHI must be handled with care in every form. Whether the information is electronic, spoken or on paper, it must be protected and shared only as needed to provide care or for another use the rules permit.

Health information and identifiers commonly gathered by doctors and other healthcare providers include:

  • Medical record number
  • Unique identifying number
  • An invoice with billing information
  • An appointment reminder
  • Blood test results
  • Prescription information
  • Beneficiary numbers
  • Health insurance
  • Mental health
  • Health records
  • Health status
  • Oral communications
  • Payment history
  • Account number
  • Family members
  • Discharge date
  • Admission date
  • Biometric identifiers
  • Device identifiers

 

PHI is not limited to clinical information. Health information becomes PHI when it is linked to something that can single out the patient, so the identifiers themselves must be protected and disposed of with the same care.

Some common identifiers include:

  • Name
  • Phone number
  • Email address
  • Street address
  • Address number
  • Zip code
  • Birthdate
  • Social security number
  • Fax numbers
  • License numbers
  • Vehicle identifiers, such as license plate numbers
  • Serial numbers
  • Demographic information
  • Education records
  • Employment records
  • Full face photographic images

See more: What is protected health information (PHI)?

 

Why does PHI need to be disposed of?

 

If PHI is not disposed of properly, the result can be a reportable breach, HIPAA violations and significant fines.

HHS states that “The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information.”

They also state that “The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.”

Along with these requirements, covered entities must train their workforce on the disposal procedures they adopt.

Neither the Privacy Rule nor the Security Rule prescribes a specific method of disposal. Each covered entity must assess its own organization and decide what steps it will take to safeguard and dispose of PHI appropriately.

The sensitivity of the information should drive the method. Some information, if exposed, may cause little harm to the individual, while other information could enable identity theft or fraud and therefore calls for a stronger method and verification that it worked.

Related: Understanding and implementing HIPAA rules

 

How to properly dispose of electronic PHI under HIPAA

 

The proper way to dispose of electronic PHI under HIPAA is media sanitization: removing the data stored on a device or medium so that it can no longer be accessed or reconstructed. Media sanitization is central to maintaining confidentiality.

HHS gives three examples of acceptable methods:

  • Clearing (using software or hardware products to overwrite media with non-sensitive data)
  • Purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains)
  • Destroying the media (disintegration, pulverization, melting, incinerating, or shredding)

Which method is adequate depends on the medium. Overwriting and degaussing were designed for magnetic hard disks and tape. Degaussing has no effect on solid-state drives, USB flash and phones, and overwriting them from the operating system is unreliable because wear leveling and spare blocks can hold copies of data the host cannot address. For flash media, NIST SP 800-88 relies on the drive’s own sanitize or secure-erase command, or cryptographic erase of a self-encrypting drive, with physical destruction as the fallback. Whatever the method, the result should be verified and recorded for each item of media.

 

Organizations should follow NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization. It describes how an organization categorizes its information, assigns a confidentiality impact level, tracks where the information resides, chooses the sanitization method that matches the medium and the impact level, verifies the result and documents it.

The guideline states that “In order for organizations to have appropriate controls on the information they are responsible for safeguarding, they must properly safeguard used media. An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information…. This potential vulnerability can be mitigated through proper understanding of where information is located, what that information is, and how to protect it.”
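As an added illustration of the Clear method and of the verification and record-keeping that NIST SP 800-88 expects, the script below overwrites every byte of a storage image three times (0x00, 0xFF, then keyed pseudorandom data), reads the whole image back to confirm the final pattern is present, and produces a sanitization record. This is example code written for this page, not part of the original post and not a Paubox or NIST tool; the three-pass scheme, the 1 MiB chunk size, and the record fields are assumptions, and the sample image of fake patient data is constructed for the demonstration. It is meant for a raw device node such as /dev/sdX on a magnetic disk; overwriting a file on a filesystem, or any path on a solid-state drive, does not give the same assurance.

```python
"""Clear (overwrite) a storage image and verify it, NIST SP 800-88 style.

Added example for this page. Assumptions: three passes (0x00, 0xFF, keyed
pseudorandom), 1 MiB chunks, full read-back verification, and the record
fields below. Target a raw magnetic device, not a file on a filesystem and
not flash media (wear leveling leaves unaddressable copies there; use the
drive's sanitize/secure-erase or cryptographic erase instead).
"""
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # overwrite and verify in 1 MiB chunks (assumption)


def _stream_chunk(key: bytes, index: int, length: int) -> bytes:
    """Pseudorandom chunk for the final pass, derived from a per-job key so
    the verification step can regenerate exactly what should be on disk."""
    return hashlib.shake_256(key + index.to_bytes(8, "big")).digest(length)


def _write_all(fd: int, buf: bytes) -> None:
    """os.write may write fewer bytes than asked; loop until the chunk is out."""
    view = memoryview(buf)
    while view:
        view = view[os.write(fd, view):]


def overwrite_media(path: str, key: bytes) -> int:
    """Three-pass overwrite of every byte of `path`; returns bytes per pass."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        for pass_no in range(3):
            os.lseek(fd, 0, os.SEEK_SET)
            index, remaining = 0, size
            while remaining:
                n = min(CHUNK, remaining)
                if pass_no == 0:
                    buf = b"\x00" * n
                elif pass_no == 1:
                    buf = b"\xff" * n
                else:
                    buf = _stream_chunk(key, index, n)
                _write_all(fd, buf)
                index += 1
                remaining -= n
            os.fsync(fd)  # push each pass through the page cache to the media
    finally:
        os.close(fd)
    return size


def verify_overwrite(path: str, key: bytes) -> bool:
    """Full read-back: every chunk must equal the regenerated final pattern."""
    with open(path, "rb") as f:
        index = 0
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk != _stream_chunk(key, index, len(chunk)):
                return False
            index += 1


def clear_and_record(path: str, operator: str, media_id: str) -> dict:
    """Run Clear, verify it, and return the per-media sanitization record."""
    key = secrets.token_bytes(32)
    size = overwrite_media(path, key)
    ok = verify_overwrite(path, key)
    return {
        "media_id": media_id,
        "path": path,
        "bytes_per_pass": size,
        "method": "Clear: 3-pass overwrite (0x00, 0xFF, keyed pseudorandom)",
        "verification": "full read-back" if ok else "FAILED",
        "verified": ok,
        "operator": operator,
        "completed_at": datetime.now(timezone.utc).isoformat(),
    }


def make_sample_image(record: bytes, copies: int) -> str:
    """Constructed stand-in for a drive that held ePHI; returns its path."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(record * copies)
        return tmp.name


if __name__ == "__main__":
    image = make_sample_image(b"MRN 0000123 DOB 1970-01-01 HbA1c 7.2\n", 40000)
    print(json.dumps(clear_and_record(image, "operator-01", "ASSET-0001"), indent=2))
    os.unlink(image)
```

The final pass is keyed rather than truly random so that verification can regenerate the expected bytes; a verification that merely checks "the file is not all zeros" proves nothing. Keep the returned record with the asset inventory, and treat a `verified: false` result as media that is not yet safe to release for reuse.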

 

Add a layer of security

 

Paubox is the all-in-one HIPAA compliant email protection for healthcare. Keep your patients’ data secure with automatic email encryption and protect your organization with state-of-the-art email security.

Ensure every email is HIPAA compliant—without the hassle of portals or passcodes.
