HIPAA Hard Drive Wipe Requirements – What Are They?


Computers are constantly improving. As new software is released, the resources it requires from a computer also increase. This leads to computers being replaced from time to time. Each computer has a hard drive in it. The hard drive is where the data is stored on a computer. When a computer is replaced, removed, or dies, the data on the drive must be handled carefully. The drives must be wiped or destroyed so that the data they contain won’t lead to a breach. HIPAA hard drive wipe requirements give guidelines on how this should be done to prevent the accidental release of patient records.

Quick hard drive lesson

For most practices, there are two types of hard drives. These are magnetic and solid state. Magnetic drives store data on platters, essentially round plates that spin at high rates. Solid state drives store data on memory chips very similar to those found in USB flash drives. Each handles data in a very different way. Because of that, the data on these drives must be destroyed in different ways.

There are two basic ways of ensuring that data on a hard drive isn’t readable or recoverable. These are:

  • Drive wiping
  • Drive destruction

What is drive wiping?

Drive wiping is when a special program is used to overwrite the data on a drive over and over so that the original data is no longer viewable. Think of it as taking a document and writing over every character or space with the number 1. Then you repeat the process with a number 0. This process is repeated over and over again. Once you do this enough times, the original information on your document is unreadable.

There are many programs available that can do this for both types of drives. Here are some common ones:

  • DBAN
  • Eraser
  • Blancco Drive Eraser

Wait, can’t I just delete or format the drives?

No, you can’t. When you delete a file in Windows, this simply tells Windows that the space the file was using is now available for something else. Until new data is written there, that file is still recoverable. If you are no longer going to use a drive, deleting all the files won’t actually remove the data. A file recovery program could undelete most of them without issue.

A format works in a similar way. It does remove the file table and the partition on the drive. However, until something is written on top of the data, it is still recoverable.

You would have to write something over the entire drive to make sure that all deleted or formatted data was destroyed.
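To make concrete what the two sections above describe (why a delete or format leaves data recoverable, and what an overwrite pass actually does), here is an added Python simulation that is not part of the original article or of any tool it names. It uses a tiny constructed disk image and a made-up record standing in for PHI; the "file table" in sector 0 and the 64-byte sectors are assumptions of the model, not a real filesystem layout.

```python
import os
import tempfile

# Constructed sample record standing in for PHI (not real patient data).
PHI = b"PATIENT: Jane Doe | DOB 1970-01-01 | DX: hypertension"
SECTOR = 64        # toy sector size in bytes (assumption of this model)
DISK_SECTORS = 8   # an 8-sector simulated disk; sector 0 is the "file table"

def new_disk(path):
    """Create an all-zero image and store PHI as a file listed in the table."""
    with open(path, "wb") as f:
        f.write(b"\x00" * SECTOR * DISK_SECTORS)
    with open(path, "r+b") as f:
        f.seek(SECTOR * 2)                      # file body lives in sector 2
        f.write(PHI)
        f.seek(0)                               # table entry: name,start,length
        f.write(b"record.txt,2,%d;" % len(PHI))

def delete_or_format(path):
    """Delete and quick format alike: only the table sector is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR)

def raw_scan(path, needle=PHI):
    """What a recovery tool does: ignore the table and search the raw bytes."""
    with open(path, "rb") as f:
        return needle in f.read()

def wipe(path, passes=(b"\x00", b"\xff", b"\x00")):
    """Overwrite every byte in several passes, then read back to verify."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in passes:
            f.seek(0)
            f.write(fill * size)
            f.flush()
            os.fsync(f.fileno())                # make sure it reached the media
    with open(path, "rb") as f:
        return f.read() == passes[-1] * size    # verification pass

def demo():
    """Return (PHI found after delete, PHI found after wipe, wipe verified)."""
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    new_disk(path)
    delete_or_format(path)
    found_after_delete = raw_scan(path)         # True: data sectors untouched
    verified = wipe(path)
    return found_after_delete, raw_scan(path), verified
```

This models a magnetic drive, where an overwrite reaches the same sectors the data occupied; on a solid state drive, wear levelling means a plain overwrite pass does not necessarily reach every cell, which is why the two drive types need different handling.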

HIPAA hard drive wipe requirements

Here is the tricky part. HIPAA doesn’t specify that drives must be wiped or destroyed. It is not specifically mentioned in any part of the law. However, the HITECH portion of the law added that improperly disposing of paper and electronic equipment that contained PHI would be viewed as a breach of security.

This means that, while data destruction isn’t specifically stated, measures should be implemented to ensure that hard drives that are being removed no longer contain any PHI.

Just as paper charts should be shredded, hard drives need to be sanitized.

How can your small practice deal with the HIPAA hard drive wipe requirements?

The first step is to decide what you want to do with the old hard drives. If you want to reuse them in some way, such as allowing staff to have old computers, then the drives need to be wiped. If the computer is no longer needed in any way, then using a third-party disposal service is a good way to go.

Once you have decided, update your HIPAA documentation to show what you are going to do with each hard drive. If you wipe the drives, document the software and method of wiping that was used.

If you use a service, they will provide you with a certificate stating what was done that you can use.

Documentation is critical so that you can definitively prove you made the effort to destroy any PHI that was contained on hard drives.

One more point to be aware of for your practice is the hard drives contained in copiers. If you rent a copier, make sure the company wipes the hard drive when you return the unit. If you own yours, make sure that you remove the drives before disposing of old units.

How bad can it be?

A survey from Blancco found that nearly 67% of all used drives purchased on eBay contained personal information. 11% contained corporate information such as email and customer information. This means that it is very common for data not to be wiped properly when the hard drives are no longer needed.

Be sure to properly wipe or destroy any old hard drives that your practice has. It’s very easy to forget the amount of data that can be contained on these devices when we go to throw them away.