The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to set federal requirements for how the health care industry handles patient data. Technology has advanced considerably since then, and the rules issued under the statute, above all the Privacy Rule and the Security Rule, together with the 2009 HITECH Act, brought HIPAA into the digital age. Those rules defined the term “protected health information” (PHI) and established a strict set of requirements for keeping it confidential.
Data destruction is an important consideration in every sector, but health care has some of the highest stakes. Permanent identifying data is stored in almost every health care organization, from small local practices to large medical insurers. Protecting this data is crucial, and HIPAA sets out a very specific mandate: data must be properly sanitized before the media that held it leaves the organization’s control. Health care also differs from other sectors in that its information is valuable not just to criminals but to researchers.
This makes health care a unique industry with its own special conditions. Data must either be de-identified for academic use or properly and completely destroyed.
“PHI data has 18 specific identifiers.”
The rules regarding PHI
PHI is individually identifiable health information: data that ties a person to a health care organization (an insurer, a hospital or a related business). The HIPAA Journal, following the rule’s Safe Harbor provision, lists 18 categories of identifiers. These range from everyday identifiers such as name, telephone number and email address to more permanent ones like a Social Security number, and also take in dates, geographic data smaller than a state, device serial numbers, IP addresses and biometric data.
The test for whether data is PHI is whether it links an identifiable person to health information. A name and telephone number on their own, as found in a public directory, are not PHI; the same name and number become PHI once they are recorded alongside a diagnosis, a treatment or a payment record held by a covered entity or its business associate. Some identifiers, such as Social Security numbers, are confidential regardless of HIPAA and are protected by other federal and state law whether or not they form part of PHI in a given context.
When the PHI rules were introduced, the government also established requirements for its disposal. All PHI must be removed from any device with data storage before that device is decommissioned. ProperPHIDisposal reports that improperly destroyed data is punishable by fines ranging from $25,000 to over $1 million. Beyond the fines, an investigation will be opened into the organization responsible for the mishandling, affected patients and the authorities must be notified, and the state’s Attorney General can decide whether further legal action is warranted.
In short, improperly handling PHI causes a wealth of problems for the offending company.
The justification for de-identification
Health care data is not like other data. Whatever marketing leverage can be extracted from, say, car-buying data is purely a private-sector benefit. It is no exaggeration to say that patient data can save lives by helping doctors and other medical staff understand the diseases they are fighting. Health care is unique in this way: its data can be life-destroying and life-saving at the same time.
The government recognizes this, so HIPAA provides for de-identifying PHI for research use. According to the U.S. Department of Health and Human Services, de-identification is accomplished in one of two ways: expert determination or the Safe Harbor method. Either way, the goal is data from which the individual can no longer be identified; properly de-identified data is no longer PHI and is no longer subject to the Privacy Rule.
Under expert determination, a person with appropriate knowledge of and experience with statistical and scientific methods for rendering information not individually identifiable applies those methods, determines that the risk that the information could be used, alone or in combination with other reasonably available information, to identify an individual is very small, and documents the analysis behind that determination. For instance, an expert working from patient records might publish only the average age at which patients begin to experience muscle loss. The expert starts with PHI, but what is released is an aggregate number, and it is highly unlikely that an outside party could trace that figure back to a particular patient.
The Safe Harbor method works by removing all 18 categories of identifiers from the data, with the added condition that the covered entity has no actual knowledge that the remaining information could be used to identify the individual. Once this is done, the data can be shared with an academic party without exposing any individual’s privacy.
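As an added example (not code from the original article or from HHS), here is how the Safe Harbor rules map onto a single record in Python. The field names, the sample record and the set of small-population ZIP prefixes are constructed for the demonstration; the real prefix list must be taken from the current HHS guidance. The design choice worth noting is that the output is built from an allowlist of permitted fields rather than by deleting the identifier fields, so a column added upstream later (a free-text note, a new serial number) is dropped by default instead of leaking through.

```python
"""Safe Harbor de-identification of one patient record.

Added example, not code from the original article or from HHS. The field
names, the sample record and SMALL_POPULATION_ZIP3 are constructed here.
"""
from datetime import date

# Fields a de-identified record may carry. Output is built from this allowlist,
# not by deleting identifier fields, so an unknown column (a free-text note, a
# new serial number) is dropped by default instead of leaking through.
ALLOWED = frozenset({"sex", "diagnosis_code", "procedure_code", "lab_result"})

# Field names this layout uses for the 18 Safe Harbor identifier categories
# (several names fall under one category, e.g. the address and date groups).
# leaked_identifiers() makes sure none of them survives in the output.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "zip", "birth_date",
    "admission_date", "discharge_date", "death_date", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
    "other_unique_id",
})

# Three-digit ZIP prefixes whose area has 20,000 or fewer residents must be
# reported as 000. Constructed placeholder: load the current HHS list instead.
SMALL_POPULATION_ZIP3 = frozenset({"036", "059", "063"})

# Constructed reference date for age calculation.
AS_OF = date(2024, 1, 15)


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for a small-population prefix."""
    zip3 = str(zip_code).strip()[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def age_as_of(birth, as_of):
    """Whole years between birth and as_of."""
    age = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        age -= 1
    return age


def age_bucket(birth, as_of):
    """Safe Harbor: ages over 89 collapse into a single '90+' bucket."""
    age = age_as_of(birth, as_of)
    return "90+" if age > 89 else str(age)


def safe_harbor(record, as_of):
    """Return a new record containing only allowlisted fields plus generalised
    replacements for ZIP, birth date and the dates of care."""
    out = {k: v for k, v in record.items() if k in ALLOWED}
    if "zip" in record:
        out["zip3"] = generalize_zip(record["zip"])
    if "birth_date" in record:
        out["age"] = age_bucket(record["birth_date"], as_of)
    for field in ("admission_date", "discharge_date", "death_date"):
        if field in record:
            # All date elements except the year must go.
            out[field.replace("_date", "_year")] = record[field].year
    return out


def leaked_identifiers(record):
    """Names of identifier fields still present; must be [] before release."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS)


# Constructed sample record, including an SSN and a free-text note.
SAMPLE = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "mrn": "MRN0001234",
    "phone": "+1-415-555-0100",
    "email": "jane@example.net",
    "device_serial": "SN-7A21",
    "birth_date": date(1931, 3, 2),
    "zip": "03601",
    "admission_date": date(2023, 11, 5),
    "discharge_date": date(2023, 11, 9),
    "sex": "F",
    "diagnosis_code": "E11.9",
    "note": "Patient Jane Doe reports fatigue.",
}

if __name__ == "__main__":
    released = safe_harbor(SAMPLE, AS_OF)
    assert leaked_identifiers(released) == []
    print(released)
```

The `leaked_identifiers` check is the last line of defence for the second Safe Harbor condition, that the entity has no actual knowledge the remaining data identifies someone: it catches a misnamed column, but it cannot see a name buried inside a free-text field. That is why the allowlist excludes free text entirely and why such fields need separate review before any release.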
The dangers of de-identification
Of course, neither method is flawless. The underlying PHI still exists, and the rule permits a covered entity to assign a re-identification code so the data can later be linked back to the individual, provided the code is not derived from information about the person and the mechanism is not disclosed. In practice that means the de-identification is only as secure as the key that maps codes back to patients. Safe Harbor data also still carries quasi-identifiers such as age, sex, year and three-digit ZIP code, so a sufficiently unusual combination can sometimes be matched against an external data set.
De-identification should only be done when it is necessary to advance medical knowledge. It should never be used as a way of keeping data in private records or corporate archives. Whatever the data was used for, every device that has held PHI or other confidential data must be properly sanitized before it is decommissioned.
Properly destroying PHI data
To stay HIPAA compliant and make sure all data is properly sanitized, health care operators should follow a three-step method. Overwriting (step 1) applies to any rewritable medium, magnetic or flash; degaussing (step 2) applies only to magnetic media; and physical destruction (step 3) should be applied to every device that has held confidential data, including devices with embedded flash memory, before decommissioning is complete. NIST Special Publication 800-88, Guidelines for Media Sanitization, is the reference standard these steps should be mapped to and documented against.
1. Deleting and overwriting data
Every drive should be wiped by overwriting all of its sectors with a fixed pattern or with random data, not merely by deleting files, since deletion only removes the directory entry and leaves the contents in place. Read the drive back afterwards to verify that the last pattern written is all that remains. Multiple passes are traditional, although a single complete pass is sufficient for modern magnetic drives. Two caveats: an overwrite issued through the operating system cannot reach sectors the drive has remapped, and on solid state drives it cannot reach over-provisioned or wear-levelled blocks, so for SSDs the drive’s built-in sanitize command (ATA Secure Erase or NVMe Sanitize) should be used instead of, or in addition to, a software overwrite.
2. Degaussing traditional hard drives
Any and all traditional (magnetic) hard drives should be degaussed. These drives store data as magnetic fields, and a degausser with a field strength matched to the drive’s coercivity scrambles those fields so the data is completely unreadable. Degaussing also destroys the servo tracks, so the drive can never be used again. Solid state drives do not store data magnetically, so degaussing does nothing to their data.
3. Shredding the physical data storage
Once the data has been overwritten (and the drive degaussed when possible), the media should be fed into a specialised hard drive/SSD shredder whose output particle size is small enough that individual flash dies cannot be recovered intact. This final step removes all reasonable doubt of recovery. IoT-enabled smart devices with built-in flash storage must be destroyed too, since their storage usually cannot be removed or reliably overwritten, to guarantee the safeguarding of PHI and other confidential data. Record each device’s serial number, the method used and the date, and obtain a certificate of destruction from any third-party vendor, because the audit trail is what proves the sanitization happened.
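The three steps above end with a verification that is easy to skip: reading the medium back to confirm that nothing of the original survives. The following Python is an added example, not code from the original article; it runs the overwrite and read-back against a constructed disk image file seeded with a fake PHI marker. The same functions work on a block device opened read-write (the size is taken by seeking to the end, which works where `os.path.getsize` does not), with the caveats from step 1: a software overwrite cannot reach remapped or over-provisioned blocks, so on an SSD it complements rather than replaces the drive’s built-in sanitize command.

```python
"""Overwrite a medium and verify the read-back.

Added example, not code from the original article. The disk image, its size
and the PHI marker are constructed for the demonstration.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB per write/read


def medium_size(f):
    """Size of a file or block device: seek to the end rather than stat it,
    because os.path.getsize() reports 0 for block devices."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def overwrite_pass(path, pattern=None):
    """One complete pass. pattern=None writes random bytes; otherwise the
    byte value `pattern` is repeated. flush+fsync so the pass reaches the
    device instead of sitting in the page cache. Returns bytes written."""
    with open(path, "r+b") as f:
        remaining = size = medium_size(f)
        while remaining:
            n = min(CHUNK, remaining)
            f.write(secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size


def verify_pass(path, pattern):
    """Read the whole medium back; True only if every byte equals `pattern`."""
    expected = bytes([pattern]) * CHUNK
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block != expected[:len(block)]:
                return False


def contains_marker(path, marker):
    """Known-plaintext scan: does a string we know was on the medium (an MRN,
    an SSN) still appear anywhere? Carries a tail so a marker that straddles
    two chunks is still found."""
    carry = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return False
            if marker in carry + block:
                return True
            carry = block[-(len(marker) - 1):] if len(marker) > 1 else b""


def sanitize(path, passes=(None, 0x00)):
    """Run the passes in order. The last pass must be a fixed pattern so the
    result can be verified; a random final pass cannot be checked."""
    if passes[-1] is None:
        raise ValueError("final pass must be a fixed pattern for verification")
    for pattern in passes:
        overwrite_pass(path, pattern)
    return verify_pass(path, passes[-1])


def make_image(path, size, marker):
    """Constructed stand-in for a drive: random filler with the marker at the
    start and in the middle, as patient records would be scattered."""
    data = bytearray(secrets.token_bytes(size))
    for off in (0, size // 2):
        data[off:off + len(marker)] = marker
    with open(path, "wb") as f:
        f.write(data)


def demo(size=3 * CHUNK + 17, marker=b"MRN 0001234 SSN 123-45-6789"):
    """Seed an image, wipe it and report what each check saw."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk.img")
        make_image(path, size, marker)
        report = {"marker_before": contains_marker(path, marker)}
        report["verified"] = sanitize(path)
        report["marker_after"] = contains_marker(path, marker)
        report["size_after"] = os.path.getsize(path)
    return report


if __name__ == "__main__":
    print(demo())
```

The final pass is a fixed pattern precisely so that `verify_pass` can check every byte; a random last pass feels more thorough but leaves nothing to verify against. Note that on an SSD a zero pass may read back as zeros whether or not the flash was actually rewritten, which is another reason the drive’s own sanitize command, not this read-back, is the authoritative step for flash media.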
Health care is a heavily targeted industry for cybercrime, and every operator in the space needs to be conscious of its responsibilities for data security. The life-saving potential of the information opens positive avenues for improving humanity while also opening new windows for attack. HIPAA enforces strong requirements for preserving confidentiality, and health care providers must make sure they are not on the wrong end of the penalties for breaking them.