Electronic Records: What to do when you’re finished with old files and devices

Most therapists use an electronic device to create, store, or transmit electronic PHI somewhere in their practice.  It might be a desktop computer in your office where you write & store client files.  It might be the laptop that you use to access your online practice management system.  It might be the printer on which you scan or print files, or it might be your smartphone where you email or text with clients.  All of these devices and actions have the potential to leave an electronic trail of HIPAA-protected PHI, long after you have stopped using the device.

Three important things to know:

  1. Most electronic devices have a brain inside them (their hard drive).  This brain remembers things, and when you are finished with a device and are transferring it out of your personal supervision, you have to make sure the hard drive brain doesn’t have any remaining PHI on it.  Otherwise, you’ve violated HIPAA.
  2. “Deleting” a file doesn’t actually get rid of that file; it simply marks the space as available.  Files have to be “sanitized” (sometimes also called “wiped”) to actually remove the data/file.
  3. An improperly sanitized device could end up in the hands of someone who knows how to access the ‘deleted’ data, and could sell it, use it to harm clients, or simply report you to OCR.  OCR has already levied millions of dollars in penalties for improper electronic disposal/retirement. 

Recognizing the risk that a retired device presents, and taking steps to mitigate that risk, is an important part of HIPAA compliance.

Different devices require different steps to sanitize.  Some are easy—iPhones, for example.  Here’s a Google link with instructions about sanitizing iPhones.

Computers are harder.  If you are computer savvy, you could do it yourself with a program such as “Eraser.”
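For the computer savvy, here is the difference between “deleting” and “wiping” from point 2 above, as an added example (not from the original post, and not how Eraser itself works).  The sample note, the file names, and the hard link standing in for a recovery tool are all constructed for illustration.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB pieces so large files don't fill memory

def plain_delete(path):
    """Ordinary delete: removes the file's name, leaves its contents on disk."""
    os.remove(path)

def overwrite_then_delete(path, passes=1):
    """Overwrite the contents in place with random bytes, force them to disk, then delete."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make sure the overwrite actually reaches the drive
    os.remove(path)

def survives(delete_fn, secret=b"CONSTRUCTED SAMPLE client note: Jane Doe, session 4"):
    """Return True if `secret` is still readable after delete_fn removes the file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "note.txt")
        with open(path, "wb") as f:
            f.write(secret)
        # A second name for the same stored data stands in for a recovery tool
        # reading the space the "deleted" file used to occupy.
        witness = os.path.join(d, "witness")
        os.link(path, witness)
        delete_fn(path)
        with open(witness, "rb") as f:
            return secret in f.read()

# Caveat: on SSDs, flash drives, and copy-on-write or journaling file systems,
# overwriting one file in place may not reach every stored copy. A device being
# retired needs the whole drive sanitized, not individual files.
if __name__ == "__main__":
    print("after plain delete, note still readable:", survives(plain_delete))
    print("after overwrite + delete, note still readable:", survives(overwrite_then_delete))
```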

And for those of us whose eyes glaze over when reading computer software instructions, check out electronic records destruction services.  Iron Mountain is a large, nationwide company that provides both paper and electronic record destruction services.  (They have a handy article about record destruction here that you might like to read, too.)

There are many good ways to solve the problem of device disposal.  But no matter which solution you will use, make sure that device sanitization & disposal is on your risk assessment. 

* Just for fun: My favorite electronic device ‘solution’ is the picture above—the printer scene from Office Space.  My second favorite solution came from a medical social worker attending a HIPAA for Therapists training—she told us that at her hospital, they would run old laptops through the MRI to wipe their memories clean.  (!!!!)  …an effective, albeit expensive, solution.