Health Information Compliance Alert

Question: Can we reuse or dispose of a mobile device that has stored health information on it?

Answer: Yes, but first you must remove the electronic protected health information (ePHI) stored on the mobile device, according to the HHS Office of the National Coordinator for Health Information Technology’s (ONC). Or, you need to destroy the mobile device itself before disposing of it.

You must destroy all PHI in electronic form to make the information unusable, unreadable, or indecipherable to unauthorized persons, ONC stresses. Proper destruction methods may include, but are not limited to:

• Clearing (using software or hardware products to overwrite media with non-sensitive data);
• Purging (degaussing or exposing the media to a strong magnetic field to disrupt the recorded magnetic domains); and
• Destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

For more specific guidance on how to destroy ePHI contained on a mobile device, read “HHS Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html. Also check out guidance on the proper disposal of ePHI at www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf.