There are few industries with more oversight and control applied than the healthcare industry. Across the world, the protection of healthcare records is of paramount importance, and thus, record keeping and destruction has been heavily regulated and legislated.
As a matter of law, any organization that handles, stores, transmits, or destroys medical documentation (specifically referred to as PHI, or Personal Health Information), is required to comply with healthcare regulations for their jurisdiction.
Generally speaking, medical records are handled in a jurisdictional way. This means that, depending on where the records were generated, there are specific legal requirements that they must adhere to by nature of having been generated at that jurisdiction. Records generated in the United States are under different, sometimes more stringent requirements than those generated in South Korea.
Complicating the issue even more is the fact that most data destruction is not done on-site, but is instead often done as part of outsourcing. Hospitals very often outsource data destruction to third parties, who handle the destruction with their own specific and custom solutions and programs.
For clarity, we’re going to focus on US health information security for this piece, though generally the same regulations and laws apply almost everywhere medical information protection has been legislated.
HIPAA - the Health Insurance Portability and Accountability Act of 1996
The largest piece of legislation concerning medical information was passed in 1996 as HIPAA, or the Health Insurance Portability and Accountability Act. HIPAA mandates several standards-based regulations and security controls on private health information, and applies these regulations to any and all organizations that handle PHI.
HIPAA covers several concepts regarding data protection:
- Personal data privacy must be maintained during the generation, storage, transmission, and destruction of medical records;
- Medical records in storage must be properly encrypted and physically protected from unauthorized interaction;
- Data devices must be auditable and secured;
- Facilities storing data must only give data to authorized members.
HITECH - Health Information Technology for Economic and Clinical Health Act
HITECH, or the Health Information Technology for Economic and Clinical Health Act, is a piece of legislation adopted to augment and complement HIPAA. HITECH added new compliance standards and requirements, and specifically added a requirement to apply “meaningful use” to data and the systems that generate, retain, and destroy it.
Healthcare Data Destruction is specifically controlled by both HIPAA and HITECH, and as such, any data destruction that has anything even tangentially to do with medical data has to comply with these standards.
While much of this data destruction regulation is based on paper documentation (and specifically covers methods of burning, shredding, pulping, and pulverizing), the act also covers data destruction for electronic Personal Health Information.
The following regulations have been put in place for digital media:
- Data can be “cleared”, or overwritten, through utilization of software or hardware that overwrites private, sensitive media in a complete, meaningful way. This means that data must be erased in patterns and in passes - simply deleting data is not HIPAA compliant, and only proper data erasure is allowed;
- Data can be “purged”, with media exposed to strong magnetic fields as a method for deleting magnetically stored data - this method is ineffective against flash-based media and solid-state drives;
- Data may be physically destroyed, with the medium physically pulverized, burned, or incinerated.
The problem with applying traditional medical record destruction regulations is that “destruction” cannot be done in the same way across physical and digital media. While “destroying” hard disks certainly falls under HIPAA compliance, the cost is astronomical, and you can’t very well destroy a “part” of a hard drive without destroying the rest of it.
As such, data destruction in the “clearing” format is the primary methodology for data destruction in the healthcare space.
As a matter of policy, a few specific requirements for data destruction record keeping are specifically laid out in the HIPAA regulations:
- The date of data destruction must be retained and recorded;
- The specific method of destruction must be noted;
- The records or other PHI must have a description retained;
- A statement must be made that the data was collected, retained, and destroyed in accordance with HIPAA regulations and the normal course of business;
- All individuals who authorized, supervised, and witnessed the data destruction must be signatories to a document regarding their role.
Additionally, there are specific requirements for data destruction when this destruction is outsourced as a matter of business:
- Business associates must document and disclose the method of disposal;
- The time between data acquisition and destruction must be noted and maintained;
- The data must be safeguarded under HIPAA compliant methods from breaches;
- The outsourced company must supply indemnification for the organization or provide for losses due to unauthorized disclosures;
- The outsourcing company must maintain liability insurance.
As part of this, there is the caveat that not all data is eligible for destruction - there are stringent data retention requirements within HIPAA:
- Medical records must not be destroyed if they are needed for continued patient care, legal requirements, research, education, or other such legitimate and justified use or as authorized by the patient;
- Data must be retained compliant with organizational and legal requirements and policies;
- When marked for deletion, data use must be reviewed to ensure it is eligible for destruction before destruction is ordered.
Once all of these requirements are satisfied, data can be destroyed.
What can a medical company or healthcare provider do to ensure compliance with HIPAA? The best thing they can do is to find out the most stringent, specific application - and then exceed it.
DoD 5220.22-M is a software-based sanitization method that is accepted under HIPAA guidelines for data destruction. The method is a three-pass system:
- Pass 1 - writes zeroes and verifies the file has been replaced as such (file verification);
- Pass 2 - writes ones and verifies the file has been replaced as such (file verification);
- Pass 3 - writes a random character and verifies the file has been replaced as such (file verification complete).
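To make the three-pass procedure above concrete, and to tie it to the record-keeping requirements listed earlier (date, method, description, statement, signatories), here is an added Python example; it is not ClaraWipe's code or any vendor's implementation. It runs the three verified overwrite passes over a scratch file standing in for a medium and returns the destruction record; the function names, the sample file contents and the signatory are constructed for illustration.

```python
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB per write/read

def _overwrite_and_verify(f, size, fill):
    """Write one pass of the single byte `fill`, fsync, then read back to verify every byte."""
    pattern = bytes([fill]) * CHUNK
    sizes = [min(CHUNK, size - off) for off in range(0, size, CHUNK)]
    f.seek(0)
    for n in sizes:
        f.write(pattern[:n])
    f.flush()
    os.fsync(f.fileno())  # verify what reached the medium, not the page cache
    f.seek(0)
    return all(f.read(n) == pattern[:n] for n in sizes)

def dod_5220_22m_wipe(path, description, signatories):
    """Three verified passes (0x00, 0xFF, random byte) plus the HIPAA destruction record.
    Caveat: a file-level overwrite only reaches blocks currently mapped to the file; SSDs and
    copy-on-write/journaling filesystems may keep stale copies, so sanitize whole devices."""
    size = os.path.getsize(path)
    passes = []
    with open(path, "r+b") as f:
        for num, fill in enumerate([0x00, 0xFF, secrets.randbelow(256)], start=1):
            ok = _overwrite_and_verify(f, size, fill)
            passes.append({"pass": num, "fill": f"0x{fill:02X}", "verified": ok})
            if not ok:
                break  # never report completion after a failed verification
    complete = len(passes) == 3 and all(p["verified"] for p in passes)
    return {
        "date_utc": datetime.now(timezone.utc).isoformat(),
        "method": "DoD 5220.22-M three-pass overwrite, each pass verified",
        "description": description, "bytes": size, "signatories": list(signatories),
        "statement": "Destroyed per HIPAA and the normal course of business" if complete else "INCOMPLETE",
        "passes": passes, "complete": complete,
    }

def demo():
    """Constructed sample: a scratch file stands in for the medium; returns (record, final bytes)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample PHI export, not real data\n" * 3000)
    record = dod_5220_22m_wipe(path, "export.bin (constructed)", ["A. Auditor (witness)"])
    with open(path, "rb") as f:
        final = f.read()
    os.remove(path)
    return record, final
```

Calling demo() produces a record whose three passes all verify and leaves the sample file filled with the third pass's random byte.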
This methodology, as well as its variations, DoD 5220.22-M (E) and DoD 5220.22-M (ECE), was originally defined by the NISP, or National Industrial Security Program, as a sanitization method for secure data destruction. While it is HIPAA compliant, HIPAA allows for many solutions to be used as long as they’re as effective or more effective than the minimum compliance specification.
Because DoD 5220.22-M is considered a “gold standard”, any destruction standard that matches or exceeds this solution can be used. This is the case of “exceeding to ensure”, where going past the bare basic solution is the best possible solution to ensure immediate, long-term, and consistent compliance.
ClaraWipe is an excellent solution for medical use cases. Because it offers data destruction compliant under 5220.22-M and other major national and international regulatory and technical standards, ClaraWipe can be used as a solution for data destruction.
The idea here is not to meet the bare minimum, but to exceed it. While other solutions might provide basic destruction systems and methodologies, if they don’t meet the HIPAA guidelines, they’re technically illegal and non-compliant for healthcare providers.
While this exposes companies to legal liability, the other, potentially bigger issue is the one of patient care and privacy - incorrect data handling can lead to huge breaches, issues of trust, and fundamental insecurity.