Even using a vendor to dispose of equipment can expose PHI, create HIPAA breach

December 14th, 2017 | Posted in Business Development, Professional Skills

If you have a computer, printer, fax or copier you use in working with clients, make sure that you have thoroughly removed all patient protected health information (PHI) before you sell, give away or otherwise dispose of that machine.

The Health Insurance Portability and Accountability Act of 1996 — more commonly known as HIPAA — requires that providers and others working with PHI take “reasonable safeguards” when disposing of equipment containing patient information.

The law doesn’t dictate a particular method, but the data must not be retrievable: it needs to be rendered unusable, unreadable or indecipherable.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces and investigates HIPAA violations, suggests that PHI on electronic media be cleared, overwritten, purged or destroyed in accordance with standards from the National Institute of Standards and Technology (NIST), specifically NIST Special Publication 800-88, Guidelines for Media Sanitization.

There are third-party vendors you can hire to dispose of equipment, but tread carefully. When you rely on a third-party vendor to dispose of equipment that may contain PHI, you may still suffer breach-related headaches even if the vendor assured you that it deleted the information.

“It’s your PHI. There are risks that don’t necessarily end and problems you still have to be accountable for when the equipment is taken away,” attorney Michael Kline, Fox Rothschild, Princeton, N.J., warns providers.

Don’t learn the hard way

A doctor and her employer, Grand Rapids, Mich.-based Spectrum Health System, learned that lesson the hard way. Spectrum decommissioned a combined printer and fax machine and gave it to a vendor to delete the data and then resell or junk the machine. The vendor resold it. When the new owner tried to print confirmation of a sent fax, the machine’s memory turned out to still hold the PHI of more than 20 patients.

To make matters worse, the owner contacted a local news station, which in turn contacted some of the patients whose PHI was exposed.

Spectrum says that it followed its protocol for equipment disposal and even received certification from the vendor that the PHI had been removed.

However, OCR could still investigate the breach. OCR has flagged improper handling and disposal of PHI as one of the most common HIPAA violations, and it is a frequent subject of enforcement. State officials also have authority to enforce HIPAA and state privacy law.

Many providers rely on an outside vendor — considered a business associate under HIPAA regulations — to cart away equipment, and once it’s in the vendor’s hands, it’s much harder to determine whether the vendor has disposed of the PHI pursuant to HIPAA, according to attorney Elizabeth Litten, also with Fox Rothschild in Princeton, N.J.

Five questions to ask

When looking for a vendor, it’s important to ask for references from other health care providers and to probe the company about its HIPAA compliance, warn both Litten and Kline.

Here are five questions you should ask a prospective vendor before you hand over your equipment:

  • What experience does your company have with the disposal of PHI?
  • What steps does the company take to secure and delete the data?
  • Does the company follow the National Institute of Standards and Technology’s requirements for deleting data?
  • Will the company sign a business associate agreement that it will comply with HIPAA requirements and use up-to-date standards and technology in the disposal of PHI?
  • Will the company certify compliance when it disposes of PHI and provide evidence of the data purging?

— Marla Durben Hirsch

Report on the Spectrum Health System incident:

National Institute of Standards and Technology guidance on sanitization of media: