Missouri medical offices hold a wide variety of protected data in electronic and paper formats, such as patient medical records, patient payment account information, and employee personnel data. In today’s world of information “insecurity,” this data must be safeguarded throughout its lifecycle, from creation or receipt through ultimate disposition.
Perhaps surprisingly, one of the most crucial data security controls for any organization is a properly implemented records retention schedule. The retention schedule helps ensure that the organization keeps its records as long as required for legal compliance and business needs. But a well-implemented retention schedule is equally valuable in making sure that the organization reliably disposes of information that is no longer valuable or legally required. Compromised computer systems frequently contain information on two or more times as many individuals as any business or legal recordkeeping need required. Employee and patient information simply accumulates over time in the breached system, well past any prudent retention period. The results of this practice are expensive: more individuals are affected by the breach, response costs are higher, and the organization’s exposure is greater. A well-implemented retention schedule therefore, beyond its other benefits, improves an organization’s data security profile. It is not possible to have a security breach of information that no longer exists because it was compliantly disposed of under the organization’s retention schedule.
An organization’s retention schedule and information management policy establish when records are to be disposed of in the ordinary course of business. But if electronic or paper information is pertinent to pending or impending litigation or governmental proceedings, it must nevertheless be preserved under a legal hold until the matter concludes. Litigation counsel can assist in determining when and how that should be done.
When medical offices timely dispose of information under a retention schedule and after any applicable legal holds are released, the actual disposal must be done in a compliant, secure manner. Here is guidance on the What, How, and Who of secure disposal.
What Records Must Be Securely Disposed?
Various legal requirements mandate secure destruction of different types of information common to Missouri medical offices. Three of the most pertinent are the following:
HIPAA Security & Privacy Standards: The HIPAA Security Standards apply to electronic Protected Health Information (“ePHI”) of HIPAA covered entities and business associates. Under the Security Standards, covered entities and their business associates must “implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.” 1 And PHI in paper records must also be disposed of securely to ensure compliance with the HIPAA Privacy Standards. For example, in April 2015 the Department of Health & Human Services settled a HIPAA investigation of a small compounding pharmacy, with a $125,000 payment and resolution agreement.2 The investigation was triggered by reports from a local Denver, Colorado news outlet that unshredded documents containing the PHI of 1,610 patients were found in an unlocked, open disposal container on the pharmacy’s premises.
Section 5 of the FTC Act: The federal FTC Act prohibits unfair and deceptive trade practices generally, and for over a decade the FTC has pursued companies across a wide range of industries for allegedly deceptive or unfair data security practices. On at least two occasions the FTC has brought enforcement actions against health care entities, primarily commercial pharmacies, for disposing of unshredded paper documents containing customers’ health information and employee information in dumpsters accessible to the public.3
State Breach Notification Statutes: Under statutes in most states, including Missouri, organizations that suffer a breach of electronic Protected Information of state residents must make required notifications to the affected individuals and, depending on the state’s thresholds, to responsible government agencies. Protected Information is defined differently in the various states’ laws, but it generally includes the individual’s name combined with another identifier useful for identity theft, such as the individual’s Social Security number, driver’s license or other governmental identification number, or financial account number with access information – in other words, the type of information commonly kept regarding employees. Missouri’s statute adds, as additional combination elements, the individual’s medical information or health insurance information.4
How Are Records Securely Disposed?
Neither HIPAA nor the Missouri breach notification statute contains explicit requirements on the particular means for securely disposing of paper or electronic records containing protected information, such as patient and employee records. Guidance can be found in the Guidelines for Media Sanitization of the National Institute of Standards and Technology (NIST),5 which addresses secure means of disposal for hardcopy documents (paper and microfilm) and for electronic data and storage devices (such as hard drives, disks, flash media, mobile computing devices, networking devices, and office equipment):
Hard copy paper and microfilm: Destroy paper using cross cut shredders which produce particles that are 1 mm × 5 mm (0.04 in. × 0.2 in.) in size (or smaller), or pulverize/disintegrate paper materials using disintegrator devices equipped with a 3/32 in. (2.4 mm) security screen. Destroy microforms (microfilm, microfiche, or other reduced image photo negatives) by burning.
Mobile devices generally: Manually delete all information, and then perform a full manufacturer’s reset to reset the mobile device to factory state. Alternatively, shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. For guidance regarding specific devices, see NIST SP 800-88, Appendix A.
Hard disk drives: Overwrite the media using organizationally approved and validated overwriting technologies, methods, or tools. At least a single write pass with a fixed data value, such as all zeros, should be used; multiple write passes or more complex values may optionally be used. Alternatively, shred, disintegrate, pulverize, or incinerate the device in a licensed incinerator. For guidance regarding specific devices, see NIST SP 800-88, Appendix A. Two caveats from that same guidance: overwriting is the “Clear” level, which NIST’s decision flow reserves for media staying within the organization, so a drive leaving the organization’s control (for resale or return to a lessor, for example) calls for the stronger “Purge” level or physical destruction; and on flash-based media such as solid-state drives an overwrite may leave old data in blocks the drive has remapped, so such devices should be purged with the drive’s built-in sanitize or cryptographic erase command or physically destroyed.
CDs, DVDs: Destroy using one of the following, in order of preference:
remove the information-bearing layers of CD media using a commercial optical disk grinding device (note that this applies only to CD and not to DVD or BD media);
incinerate optical disk media (reduce to ash) using a licensed facility;
use optical disk media shredders or disintegrator devices to reduce the media to particles with nominal edge dimensions of 0.5 mm and a surface area of 0.25 mm2 or smaller.
Regardless of the specifics of the media and the method of destruction, careful attention should be paid to the overall disposal process and to properly documenting the disposal. Security safeguards should remain in place for records up to the moment of their actual disposal, and documentation of the disposal should be made and kept, including the date and method of destruction, a description (and, if pertinent, the date range) of the disposed-of records, a statement or certification that the records were destroyed in the normal course of business, and the signatures of the persons supervising or witnessing the destruction.
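The hard disk overwrite and the destruction documentation described above can be carried out together in one script. The following is an added example written for this page; it is not code from the article or from NIST. It performs the single-pass fixed-value overwrite, reads the whole target back to confirm that every byte is zero (NIST SP 800-88 also expects sanitization to be verified), and writes a certificate containing the record elements listed above. It assumes GNU dd and cmp on a POSIX sh, that TARGET is either a block device being wiped by root or, for a dry run, an ordinary file standing in for one, and that the operator and witness names are supplied by the caller; the overwrite is only appropriate for magnetic disks, as noted above.

```shell
#!/bin/sh
# Added example (not the article's or NIST's code): single-pass zero overwrite
# (the 800-88 "Clear" pattern for hard disk drives), full read-back verification,
# and a written sanitization record with the elements the article lists.
# Assumptions: GNU dd/cmp, POSIX sh. TARGET is a block device you intend to
# destroy (run as root) or a regular file used as a stand-in for a dry run.
# Overwriting is for magnetic disks only; for SSDs and other flash media use the
# device's built-in sanitize or cryptographic-erase command instead.
set -eu

# Size of the target in bytes; works for a regular file or a block device.
target_size() {
    wc -c < "$1" | tr -d ' '
}

# Clear pass: write zeros over every byte of the target, then force them to media.
# conv=notrunc keeps a regular-file stand-in at its original size; fsync makes
# sure the zeros reached the device before anything is claimed about it.
clear_overwrite() {
    size=$(target_size "$1")
    head -c "$size" /dev/zero | dd of="$1" bs=1M conv=notrunc,fsync
}

# Verification: every byte must read back as zero. cmp -n stops after exactly
# size bytes, so /dev/zero's endless stream compares cleanly against the target.
# Exit status is cmp's: 0 only if no byte differs.
verify_zeroed() {
    size=$(target_size "$1")
    cmp -n "$size" "$1" /dev/zero
}

# Destruction record: date and method, description and date range of the
# records, certification of disposal in the normal course of business, and
# signature lines for the supervising and witnessing staff. Returns non-zero
# if verification failed, so a failed wipe can never produce a "PASS" record.
# Usage: write_record TARGET "description" "date range" "supervisor" "witness" OUTFILE
write_record() {
    target=$1; desc=$2; range=$3; supervisor=$4; witness=$5; out=$6
    verdict=FAIL
    verify_zeroed "$target" >/dev/null && verdict=PASS
    {
        echo "CERTIFICATE OF DESTRUCTION"
        echo "Date of destruction: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "Media: $target ($(target_size "$target") bytes)"
        echo "Method: single-pass overwrite with fixed value 0x00 (NIST SP 800-88 Rev. 1 Clear), read-back verified"
        echo "Verification result: $verdict"
        echo "Records destroyed: $desc"
        echo "Date range of records: $range"
        echo "Certification: the records described above were destroyed in the normal course of business under the organization's records retention schedule."
        echo "Supervised by: $supervisor   Signature: ____________________"
        echo "Witnessed by:  $witness   Signature: ____________________"
    } > "$out"
    [ "$verdict" = PASS ]
}

# Full procedure for one target: overwrite, verify, then document.
sanitize_and_record() {
    clear_overwrite "$1"
    verify_zeroed "$1" >/dev/null
    write_record "$1" "$2" "$3" "$4" "$5" "$6"
}

# Dry run on a regular file standing in for a disk (constructed random data,
# not a real device):   sh sanitize.sh --demo
if [ "${1:-}" = "--demo" ]; then
    stand_in=$(mktemp)
    head -c 3000000 /dev/urandom > "$stand_in"   # deliberately not a 1 MiB multiple
    sanitize_and_record "$stand_in" "stand-in for a retired billing workstation drive (hypothetical)" \
        "2009-2015" "Supervisor name (hypothetical)" "Witness name (hypothetical)" "$stand_in.cert"
    cat "$stand_in.cert"
    rm -f "$stand_in" "$stand_in.cert"
fi
```

The read-back step is the part most ad hoc wipes skip; tying the certificate's verdict to it means the paperwork cannot say “destroyed” for a drive whose overwrite was interrupted. On a real device, remember that an overwrite through the operating system does not reach sectors the drive has retired, which is one reason NIST places overwriting at the Clear level only.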
Who Handles Secure Disposal?
Though HIPAA and other information security laws generally do not mandate use of a disposal provider, many organizations opt to contract with a disposal vendor to handle the secure destruction of records in paper and electronic media. HIPAA treats such a disposal service provider as a business associate, so the medical office must have a business associate agreement in place with the disposal vendor before any PHI is handed over.
It is also prudent to do appropriate due diligence in selecting a disposal vendor, including such steps as obtaining information about the vendor from several references or other reliable sources, reviewing an independent audit of the vendor’s operations and security practices, confirming that the vendor has been certified by a recognized association or similar third party, or other appropriate measures to determine the integrity and competency of the disposal vendor.
The selected disposal vendor should confirm the methods that will be used for secure destruction of the various media and should provide certificates of destruction. All such matters should be addressed in the medical office’s contract with the disposal vendor. And if bargaining power permits, the medical office is well served by a contract that sets out the disposal vendor’s specific responsibilities in case of a security breach and states whether the vendor carries cyber or errors and omissions insurance that provides effective coverage in the event of a security breach, with the medical office named as an additional insured under the vendor’s policies.
Biography
This article was written by Peter Sloan, JD, a partner in the Kansas City office of Husch Blackwell, LLP, and Deborah H. Juhnke, JD, Director of Information Governance Consulting for Husch Blackwell. Husch Blackwell is the Association’s outside general counsel. The information contained in this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and readers are urged to consult their own attorney concerning their own situation and any specific legal questions.
Contact: psloan@infogovgroup.com
References
1. 45 C.F.R. § 164.310(d)(2)(i).
2. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/cornell/cornell-press-release/index.html
3. See, e.g., https://www.ftc.gov/news-events/press-releases/2009/02/cvscaremark-settles-ftc-chargesfailed-protect-medical-financial; https://www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protectmedical-financial
4. Mo. Rev. Stat. § 407.1500.1(9).
5. NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization (December 2014).