HIPAA Q & A

[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation, if you have questions, please send them to Sheryl Jackson, Hospital Home Health, Thomson American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com]

Question: If a covered entity is purchasing new computers to replace hardware that has been used to store and create electronic protected health information (EPHI), what actions must the organization take before disposing of the old computers?

Answer: "The security rule requires home health agencies to implement procedures for handling EPHI on old computer hardware and other electronic media that the entity will no longer be using," says Robert W. Markette Jr., an Indianapolis attorney. "Because of the flexibility of the rule, home health agencies are not told specifically what they need to do. An agency’s disposal procedures need to reflect reasonably anticipated threats to information on computers and other storage media that the entity is removing or replacing," he adds.

The risk comes from the way computers handle information that is deleted, Markette explains.

"When you drag a file to the trash or recycle bin and empty it, the information is not removed from the computer’s hard drive," he points out. "Instead, the computer simply removes the file’s address from its address book. Essentially, the computer still contains the information, but does not know where it keeps the information," he says. Someone else can use an "unerase" utility to simply scan the hard drive and determine the location of files, he explains.

The only way to truly erase a file is to write new information over the same location on the hard drive, Markette notes. If a home health agency staff member uses a wipe utility, the program will go to the location of the file to be deleted and write random information over it, he adds.

This means an entity needs to decide if placing information in the trash is sufficient or if more thorough efforts need to be taken, points out Markette.

"This decision depends upon what the agency perceives the threat to be," he explains. If the only threat is that somebody will turn on the computer and simply find files that contain EPHI, the trash may be a reasonable precaution, he says.

"If, however, you are concerned that somebody will actually attempt to recover deleted files, then a wipe utility may be appropriate," Markette suggests. "A point to remember in all of this is that no precaution is perfect," he adds.

"Even with a wipe utility, a dedicated hacker may still be able to recover something. One information technology professional tells me that the only way to ensure that no data are recovered from a discarded hard drive was to physically destroy the hard drive," he says.

"With that in mind, I would recommend that any home health agency be reasonable when implementing security rule precautions and be aware of the information that may be contained on hardware that is scheduled for replacement," Markette adds.

[For more information on the HIPAA security rule, contact:

Robert W. Markette Jr., Attorney at Law, Gilliland & Caudill, LLP, 3905 Vincennes Road, Suite 204, Indianapolis, IN 46268. Phone: (317) 704-2400 or (800) 894-1243. Fax: (317) 704-2410. E-mail: rwm@gilliland.com]