How should you handle discarded computers?

[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Same-Day Surgery, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com.]

Question: If a covered entity is purchasing new computers to replace hardware that has been used to store and create electronic protected health information (EPHI), what actions must the organization take before disposing of the old computers?

Answer: The security rule requires same-day surgery programs to implement procedures for handling EPHI on old computer hardware and other electronic media that the entity will no longer be using, says Robert W. Markette, Jr., an Indianapolis attorney.

"Because of the flexibility of the rule, the covered entities are not told specifically what they need to do," he says. "A surgery program’s disposal procedures need to reflect reasonably anticipated threats to information on computers and other storage media that the entity is removing or replacing."

The risk comes from the way computers handle information that is deleted, explains Markette. When you drag a file to the trash or recycle bin and empty it, the information is not removed from the computer’s hard drive, he points out. "Instead, the computer simply removes the file’s address from its address book,’" he says. "Essentially, the computer still contains the information, but does not know where it keeps the information."

Someone else can use "unerase" software to simply scan the hard drive and determine the location of files, he explains.

The only way to truly erase a file is to write new information over the same location on the hard drive, explains Markette. If a same-day surgery staff member uses a wipe utility, the program will go to the location of the file to be deleted and write random information over it, he adds.

This means a provider needs to decide if placing information in the trash is sufficient or if more thorough efforts need to be made, points out Markette. "This decision depends upon what the [provider] perceives the threat to be," he explains. If the only threat is that somebody will simply turn on the computer and find files that contain EPHI, the trash bin may be a reasonable precaution, he says.

"If, however, you are concerned that somebody will actually attempt to recover deleted files, then wipe’ software may be appropriate," suggests Markette.

Although software that can wipe a hard drive is available from any software vendor or retailer, you also can have the vendor who is providing the new equipment agree to wipe the old hard drives as part of your purchase contract, he says.

"If you do ask a vendor to wipe the hard drive, be sure you have a business associate agreement with the vendor, because the vendor and the vendor’s employees will have access to EPHI," Markette adds.

A point to remember in all of this is that no precaution is perfect, he says. "Even with wipe software, a dedicated hacker still may be able to recover something," Markette says.

One information technology professional told Markette that the only way to ensure no data are recovered from a discarded hard drive is to physically destroy the hard drive, he says. "With that in mind, I would recommend that any same-day surgery program be reasonable when implementing security rule precautions and be aware of the information that may be contained on hardware scheduled for replacement," Markette adds.