HIPAA PHI Lifecycle: Creation to Destruction
HIPAA PHI covers electronic and printed PHI at rest (storage), in use (processing), and in transit (send/receive) throughout the entire data lifecycle. The data lifecycle includes 1) data creation, 2) data maintenance/storage, 3) data retention, and 4) data disposal. Electronic PHI can reside on a number of different connected devices:
- Office desktops, laptops, tablets, servers
- Office printers, copiers, scanners
- Smartphones, cameras, recording devices
- MRI, CT, X-ray, ultrasound, and other scan machines
- In-room diagnostic/monitoring equipment
- Implantable devices (defibrillators, pacemakers) that are Bluetooth enabled
- Medical wearables and in-home telemedicine equipment
- Any other medical device that can collect, store, or transmit ePHI
HIPAA Data Lifetime Encryption
HIPAA data should be encrypted throughout its lifespan. All computer hard drives should be NIST-certified and use AES hardware encryption with two-key access to read/write data on the hard drive. Even if the data is breached, it is unusable, thus bypassing the need to send a costly breach notification.
HIPAA Data Disposal/Destruction
Some healthcare entities choose to do their PHI data disposal in-house while others will outsource this to various data destruction companies that also handle other governmental agencies. For printed PHI, this means either paper burning or paper shredding. For electronic PHI (ePHI), this means data cleaning, media degaussing, and media destruction as detailed below.
Note: To state that HIPAA explicitly requires data destruction is not accurate. Rather, HIPAA requires the prevention of unauthorized access to PHI, which, in turn, necessitates destruction of media, both printed and electronic.
High-Security Paper Shredding
To meet HIPAA regulations, all HIPAA-compliant paper shredders must be designated High Security, which means they are NSA and DoD approved to produce "unreconstructible" paper segments.
Hard Disk and Electronic Media Destruction
To meet HIPAA regulations, all hard drives, solid-state drives, and removable media that will be decommissioned must first be purged, degaussed, or "destroyed" as per NSA/DoD certification for sensitive/classified information. Removable media (USB sticks, SD cards, CD/DVDs, magnetic tape, etc.) are easy to destroy. Hard drive destruction involves physically bending, mangling, and breaking the drive units so that the disks inside cannot possibly be spun up or read from. This also applies to laptops, tablets, copiers, smartphones, and other devices that have non-removable storage media.
There are hard disk "Destroyer" products available on the market that meet HIPAA regulations for data destruction compliance.