A doctor and her employer, Grand Rapids, Mich.-based Spectrum Health System, learned the hard way the kinds of problems that are possible if they use a vendor to dispose of equipment. Spectrum decommissioned a combined printer and fax machine and gave it to a vendor to delete the data and then resell or junk the machine.
The vendor resold it. When the new owner tried to print confirmation of a sent fax, the new owner discovered the PHI of more than 20 patients in the machine’s memory. It included diagnoses, lab results, home addresses, insurance information, and dependents’ names and dates of birth.
To make matters worse, the owner alerted a local news station, which in turn contacted patients whose PHI was exposed.
The story ran in October 2017 on the local news, and because the station posted it on its website, anyone who searches for Spectrum Health System may find the story. Spectrum and the physician already have suffered from negative publicity, with one patient whose data was exposed stating she won’t return.
This isn’t the first time a health care provider has had challenges with proper disposal of technology containing PHI.
In 2013, New York-based Affinity Health Plan reached a $1.2 million settlement with HHS. An HHS Office for Civil Rights (OCR) investigation determined “Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives,” HHS’ website states.
“It’s your PHI,” warns attorney Michael Kline of Fox Rothschild in Princeton, N.J. “There are risks that don’t necessarily end and problems you still have to be accountable for when the equipment is taken away.”
Vendor disposal is a known risk
Spectrum says that it followed its protocol for equipment disposal and even received certification from the vendor that the PHI had been removed.
However, OCR still could investigate the breach. OCR has flagged improper handling and disposal of PHI as one of the most common HIPAA violations. It is a frequent subject of enforcement. State officials also have authority to enforce HIPAA and state privacy law.
HIPAA requires that providers take “reasonable safeguards” when disposing of equipment containing PHI.
The law doesn’t dictate a particular method, but data cannot be retrievable and needs to be unusable, unreadable or indecipherable. OCR suggests that PHI on electronic media be cleared, overwritten, purged or destroyed in accordance with standards from the National Institute of Standards and Technology (NIST).
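The "clear, then verify" step that NIST's media sanitization guideline (SP 800-88) describes can be illustrated in code. The block below is an added example and is not from the article, from Spectrum, or from OCR: it works on a disk image file standing in for a device's storage, does a single overwrite pass with zeros, then does a full-read verification and a separate scan for leftover printable text. The sample "fax memory" contents, the fake patient record and the function names are all constructed for the demonstration; a single zero-fill pass is only one of the sanitization techniques the guideline covers and is not sufficient for every media type, which is exactly why the verification step matters.

```python
import os
import re
import tempfile

CHUNK = 1 << 20  # process the image in 1 MiB blocks so large images fit in memory


def overwrite_image(path: str, fill: bytes = b"\x00") -> int:
    """Overwrite every byte of the file at `path` in place with `fill`.

    This is the "clear" step: one overwrite pass over the whole image.
    Returns the number of bytes written."""
    size = os.path.getsize(path)
    block = (fill * (CHUNK // len(fill) + 1))[:CHUNK]
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # make sure the overwrite actually reached storage
    return written


def verify_overwrite(path: str, fill: bytes = b"\x00"):
    """Full-read verification: every byte must equal `fill`.

    Returns (True, -1) on success, or (False, offset) of the first mismatch."""
    block = (fill * (CHUNK // len(fill) + 1))[:CHUNK]
    offset = 0
    with open(path, "rb") as f:
        while True:
            data = f.read(CHUNK)
            if not data:
                return True, -1
            if data != block[: len(data)]:
                for i, (a, b) in enumerate(zip(data, block)):
                    if a != b:
                        return False, offset + i
            offset += len(data)


# A run of 8 or more printable ASCII bytes is a cheap signal of leftover text
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def residual_text(path: str, max_hits: int = 10) -> list:
    """Return printable ASCII runs still present in the image (demo reads whole file;
    a real block device would be scanned in chunks)."""
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    for m in PRINTABLE_RUN.finditer(data):
        hits.append(m.group(0))
        if len(hits) >= max_hits:
            break
    return hits


def demo() -> dict:
    """Build a constructed 'fax memory' image holding a fake record, clear it, verify it."""
    fake_record = b"PATIENT: Jane Doe DOB 1970-01-01 DX: example-diagnosis"  # constructed
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        # random bytes around the record stand in for other device state
        tmp.write(os.urandom(4096) + fake_record + os.urandom(4096))
        path = tmp.name
    try:
        found_before = any(b"Jane Doe" in h for h in residual_text(path))
        ok_before, _ = verify_overwrite(path)
        overwrite_image(path)
        ok_after, first_bad = verify_overwrite(path)
        residual_after = len(residual_text(path))
    finally:
        os.unlink(path)
    return {
        "found_before": found_before,    # record visible before clearing
        "ok_before": ok_before,          # verification fails before clearing
        "ok_after": ok_after,            # verification passes after clearing
        "first_bad": first_bad,
        "residual_after": residual_after,
    }


if __name__ == "__main__":
    print(demo())
```

The useful output is the verification result, not the overwrite itself: a vendor certificate of destruction (see the questions below) is the paper equivalent of `verify_overwrite` returning `(True, -1)`, and a provider that can run a check like this on a sample of returned media has independent evidence rather than only the vendor's word.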
“I would imagine that most home health agencies don’t have the resources onsite to be able to handle the destruction in a way that is sufficient to qualify for the standards,” Melnik says.
Following OCR’s recommendations lowers the risk of HIPAA noncompliance for improper disposal. It also enables providers to avoid reporting a breach should the PHI be improperly disposed of, since the PHI is then considered secure. Only unsecured PHI that has been exposed or compromised needs to be reported to OCR.
Faulty record disposal often exposes agencies to liability even when the breach was the vendor’s fault.
Find HIPAA-compliant disposal vendors
When seeking a vendor, it’s important to ask for references from other health care providers and to probe the company about its HIPAA compliance, warn Melnik, Kline and attorney Elizabeth Litten of Fox Rothschild in Princeton, N.J.
Here are questions to ask a prospective vendor before you hand over your agency’s equipment:
- What experience does your company have with disposal of PHI? Determine if the vendor is a member of the National Association for Information Destruction, Melnik recommends.
- What steps does your company take to secure and delete data? Identify what the company’s process is for removing hard drives and eliminating data, Melnik says.
- Does your company follow NIST’s requirements for deleting data?
- Will your company certify compliance when it disposes of PHI and provide evidence of the data purging? You should receive a certification of destruction that attests that the technology identified has been destroyed, Melnik says. (See certificate)
- Does your company have data breach insurance?
- Will your company sign a business associate agreement? The agreement should state the company will comply with HIPAA requirements and use up-to-date standards and technology in the disposal of PHI. Don’t hire a technology disposal vendor that won’t sign such an agreement, Melnik says.
— Marla Durben Hirsch (firstname.lastname@example.org) and Josh Poltilove (email@example.com)