The proper destruction of electronic Protected Health Information (“ePHI”) is often overlooked and, if done improperly, can lead to impermissible access to the ePHI. We must think about properly destroying the PHI when repurposing or decommissioning any device that could potentially contain ePHI. Even if you forbid saving ePHI in certain locations (e.g., the desktop or email), it is still necessary to treat all devices as if they contain ePHI when destroying them. ePHI may not simply be abandoned or disposed of in dumpsters. Instead, ePHI must be rendered completely unreadable and unusable. This takes more than just deleting the files and then cleaning out those deleted files. In reality, those files are not truly deleted and can be restored by someone with only minimal technical skills.
Effective Methods for Disposal
There are many different methods of effectively destroying ePHI. If you intend to repurpose the device or media and need to render the ePHI unreadable and unusable, you might consider using software that overwrites the ePHI with non-sensitive data. Other methods include degaussing or exposing the device to a strong magnetic field. These methods will totally remove any ePHI and make it impossible for it to be restored.
Alternatively, if you have no intention of reusing the device, then the simplest method may be to physically destroy the device or media. This can be done by disintegration, pulverization, melting, incineration or shredding. Assuming the media is not repairable, the method is sufficient.
Finally, while not ePHI, any PHI in paper form must also be disposed of properly. The most effective method is through shredding any paper which contains PHI.
As new devices and media are brought into your organization, it is necessary to ensure the old equipment is handled appropriately. This includes ensuring any PHI on such equipment is completely destroyed and cannot be restored.