When Handling Health Info, Destroy That Data Securely
Is your business about to upgrade and dispose of computers, smartphones or tablets?
Or is it time to follow your company's data retention and destruction schedule and dispose of business records? Does your company actually have a retention and disposal schedule?
If your company maintains health or certain other personal information about people, then federal and state laws prescribe not only a schedule for record retention and destruction, but require a secure means of disposing of records containing such information.
In Washington, organizations must take "all reasonable steps" to destroy personal, financial or health information when disposing of records. This includes information that "is identifiable to an individual and that is commonly used for financial or health care purposes," including passwords and account numbers.
The federal Health Insurance Portability and Accountability Act (HIPAA) sets a floor for state requirements for handling health information, and regulates providers, insurers and third parties — so-called "business associates" — who handle personal health information for them.
HIPAA requires the secure disposal of identifiable health information in paper or electronic form. "Secure" means rendering it indecipherable to unauthorized individuals.
Further, workforce members must receive training on disposal policies and procedures. If a vendor is hired to dispose of health information, then a HIPAA-covered entity must enter into a business associate agreement that includes the vendor's promise, among other things, to appropriately safeguard the information through disposal.
HIPAA requires policies and procedures for the disposition of electronic data and the hardware or electronic media on which it is stored.
So, how should one destroy records that contain health information? Washington requires "shredding, erasing, or otherwise modifying personal information in records to make the personal information unreadable or undecipherable through any reasonable means."
Examples of proper disposal methods cited by enforcement agencies include:
- For paper records, shredding, burning, pulping, or pulverizing so that information is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Labeled prescription bottles should be disposed of in opaque bags in a secure area before they are picked up and destroyed.
- For electronic information, different techniques will be necessary for different storage media. Seek technical advice on proper data disposal methods if you wish to reuse electronic media. Otherwise, completely destroy the media on which information resides.
Interestingly, both Oregon and Washington laws provide a "safe harbor" for persons or organizations that are subject to HIPAA and comply with its requirements. That includes HIPAA standards for disposal.
So before disposing of records or devices that did or still do contain sensitive data, it can be important to identify and understand the laws that might apply.
Of course, other legal obligations might require a company to preserve and not destroy certain records for a period of time.
Colin Folawn is a trial and appellate lawyer, and Kelly Hagan practices health care law, both at Schwabe, Williamson & Wyatt PC.
As published, Portland Business Journal, April 10, 2015
- Colin Folawn, Shareholder
- Kelly Hagan, Shareholder