American Academy of Ophthalmology Web Site:
Original URL:

February 2006

Practice Perfect: Compliance and Risk Management
Make Sure Your HIPAA Security Plan Coves the Disposal of Your Old Computers
By David Haskin, Correspondent

It used to be that when a computer got old, you gave it away, sold it or put it out on the curb to be picked up with the trash. But nowadays, HIPAA rules, not to mention environmental concerns, mean  getting rid of old computing equipment isn’t so simple. Here’s what you need to do to protect your practice’s sensitive data.

Stay HIPAA Compliant
HIPAA requires you to have plans in place to safeguard the privacy of your practice’s individually identifiable patient information.

The standard “delete” command won’t get the job done. “People think that if they just erase everything, they can send [the computer] to the dump,” said Carol Quinsey, professional practice manager for the American Health Information Management Association. “In many areas, you can’t even put electronics in the landfills anymore, but health care providers also have some different issues to deal with.”

What happens when you select the “delete”  command? When you apply the “delete” command to a computer file, the file isn’t really eradicated. Rather, it merely removes the references that state where on the hard drive that information is located. In practical terms, even relatively nontechnical users can easily recover and view that information. Consequently, if you give away or sell a computer on which such incompletely deleted records are stored and an unauthorized person sees those records, you will have run afoul of HIPAA.

That’s why ophthalmic practices must take this problem seriously when they replace old computer hardware. In these days of regulatory compliance, that means having a plan.

You Need a Written Plan
If data disposal isn’t already part of your HIPAA security plan (which needed to be in place by last April), it is time that it was, Ms. Quinsey said. “The security rule requires a plan for [computer] media use and re-use and destruction,” she said. “So if you’re a covered entity, you need to make sure that’s in your written plan.”

Data security is an ongoing process. Like so many security issues, making sure data are fully deleted is an ongoing process, said Jon Karl, a manager with the health care team of technology retailer CDW.

“It’s not a one-time event where you replace some gear and try to figure out what you should do,” he said.

“If you haven’t already established a process, the next time you make a change should be the beginning of that process.”

Identify all devices that hold sensitive data. Ideally, the policy will be much more than simply how to delete information, Mr. Karl said.

“The beginning is to establish an asset management policy,” he said. “That could be as simple as having [whoever helps with IT issues] maintain some sort of asset management report. You then need to flag which items can actually store patient information.”

Think beyond the desktop computer. Many people forget that it’s not just desktop computers that store patient information, Mr. Karl said. Servers also have such HIPAA-regulated information as well as laptops and even so-called key drives or thumb drives, which people use to carry information from place to place. “Most people forget about mobile media like disc or thumb drives, for example,” Mr. Karl said. It’s particularly important for your practice to keep track of mobile storage devices because they are more prone to being lost or stolen. This is  because, by definition, those mobile devices are used when doctors or other employees are out of the office, Mr. Karl said.

Put someone in charge of the process. After an asset tracking system is in place, the next step is to determine who is accountable for tracking the assets and, eventually, ensuring data are destroyed. Typically, that would be an office manager, even if that person is working with an outsourced vendor who provides your office with IT support, Mr. Karl said.

“From there, it is a matter of defining a basic set of rules for destruction and disposal,” Mr. Karl said.

There are a couple of broad options for actually destroying patient and business data. The first, and perhaps most obvious step, though, is to make sure the data are both backed up and transferred to another computer before it is destroyed.

Option #1: Do It Yourself
The easiest and cheapest method to fully delete data is to use software that performs that task.

Such software is widely available from a number of vendors and some versions are even downloadable for free from the Internet.

Both Mr. Karl and Ms. Quinsey warned, however, against using software just because it is cheap or free. Ms. Quinsey suggested getting a recommendation about which brand works best.

“You might even call the technical support folks from your computer’s manufacturer and ask them if they have utilities that are available for you,” she said. 

Option #2: Use a Vendor
In these days of regulatory compliance, an increasing number of vendors offer data destruction services, both Mr. Karl and Ms. Quinsey noted.

“One reason people are paranoid is liability—it’s not something you take lightly. If you work with a disposal partner, they offer liability indemnification, whether it’s a HIPAA complaint or even an EPA [Environmental Protection Agency] complaint. A business partner will assume some of that liability,” said Mr. Karl.

Mr. Karl said his company doesn’t perform data destruction but it does work regularly with business partners that offer such services to their mutual customers.

Such companies typically will come to your office and handle data eradication tasks.

And, if the computer is to be destroyed, they will take it away and dispose of
it in an environmentally responsible manner that meets any governmental requirements, Mr. Karl said.

The process need not be expensive—it can cost as little as $35 per computer, depending on what needs to be done, Mr. Karl said.

Prices can be lowered even more by pooling the service with other practices, he added.

Be Thorough
Mr. Karl was cautious about using software products to eliminate data yourself.

He warned that software vendors that produce such products don’t typically talk in terms of regulatory compliance. And given the civil and criminal penalties that would result from violating HIPAA regulations, you want to make absolutely certain the job gets done right, he said.

“Using software is a step in the right direction, but unless the software is extremely thorough, you may only accomplish part of what you set out to do,” he said.

In any case, though, proper disposal takes a lot of attention, both Ms. Quinsey and Mr. Karl agreed. 

“There’s no easy way out,” Mr. Karl said. “You always hear stories about organizations that made a slip.”

Two More Reasons for Responsible Destruction

Besides HIPAA, there are two additional reasons to take a systematic approach to fully eradicating data.

The first, as previously mentioned, is environmental. “You want to think about a zero-landfill approach,” said Mr. Karl. In fact, he added, some local and state governments now have rules about properly disposing of technology assets like computers, he said.

The other reason, according to Ms. Quinsey, is that proper disposal makes business sense.

“A few years ago, I got a trickle-down computer [from another department],” said Ms. Quinsey. “I looked and saw [the previous user] had deleted everything just by dragging it to the trash can.” She opened the trash can and saw the names of the files that had been deleted.

“I didn’t read it, but I could tell from the titles that there was sensitive information,” Ms. Quinsey said. “I could have read salary scales and similar information. So it’s not just HIPAA—it is just good business sense to make sure everything is truly erased.”