Michael B. O’Hara’s narrative, part 1:
Recently, my company, KB Computing, LLC, lost a managed services client. The reason, as it so often is, was cost. The medical practice, which is a small physical therapy facility, felt that $300.00 per month was too expensive to provide 99.999% uptime and availability for their systems, to ensure 100% antivirus coverage, and (as a BAA) to safeguard their IT systems from breaches and technical loss of PHI. The facility thought that it was unimportant for their IT provider to be insured against loss, and as it goes sometimes, we mutually decided to terminate our managed services agreement. My staff initiated our agreement termination policy, which includes the following: informing the client of services that will no longer be covered, informing the client of actions that the client must now assume responsibility for, the termination of our BAA (for those not familiar with HIPAA, BAA stands for Business Associate Agreement), and finally arranging to have the client return any and all equipment that belonged to KBC back to KBC. This final piece is critical to the rest of this article.
Jon Tomes’s comment:
This business decision is unwise (I’d use a far harsher term, but not on my professional blog) for two reasons. First, the cost is extremely reasonable, considering that the services provided can prevent catastrophic harm, such as a destructive virus, a hacker that could commit identity theft or actually render the computer useless, such as I experienced when a very sophisticated virus locked up my data unless I paid big bucks. If I didn’t pay, the ransomware would destroy the data. Fortunately, with the help of my IT gurus, I recovered almost all of the data when I refused to pay. That hacker even takes PayPal! No, $300 per month for 99.999% uptime for their systems is worth that sum without the other valuable services provided. It is way past cheap at twice the price! Second, the cost is extremely reasonable, considering the costs of investigating potential breaches, mitigating the harm if the breach could harm patients/clients, including possible notification by First Class mail, and a possible civil money penalty (“CMP”), among other sanctions. The largest CMP to date was assessed against New York and Presbyterian Hospital and Columbia University: $4.8 million for failure to secure thousands of patients’ EPHI on their joint network. The breach resulted when a physician tried to deactivate a personally-owned computer connected to the network. Because of a lack of technical safeguards and no risk analysis, deactivation of the computer resulted in the EPHI being accessible on internet search engines. Would avoiding that fine have been worth $300 a month? And note that not all six- and seven-figure CMPs are against large providers like that one. A small physician practice was recently fined $100,000 for a breach. That smaller amount might have been just as harmful to a small practice as a seven-figure one was to the Hospital and Columbia University. No, the decision not to continue the KB Computing, LLC, contract was penny-wise and pound-foolish.
Michael B. O’Hara’s narrative, part 2:
Within a week, the client very cordially acknowledged, in writing, the termination of services and the BAA. The client further informed KBC that their new “IT Guy” would be contacting our office to arrange for the return of two computers that were being used as spares for the practice that belonged to KBC. Within a few days, my cell phone rang with a number that I did not recognize, so, of course, being the glutton for punishment that I am, I answered. The gentleman on the other end identified himself as, let’s call him Bill. Bill said that he was the practice’s new “IT Guy” and that his company, let’s say the company name is Basement IT, would be managing the IT for the practice. Bill then asked me whether I was a HIPAA expert. Now, I don’t want to blow my own horn here, but I am a CISSP with more than twenty years of servicing the medical community and an avid Tweeter on HIPAA-related items (follow me @HIPAAMike), so, of course, I told him, “No, not really” (yes, at this point, I must admit that I was toying with him). Bill then went on to tell me all about his expertise in HIPAA-related matters for a full five minutes (although when I asked him if he planned on conducting an SRA for the new EMR for the practice, he had to ask me what an SRA was) and that, under “HIPAA Law” (he said this so forcefully I think a book fell off my shelf), he would have to “wipe” the hard drives of the computers before he returned them. I completely agreed that he should “wipe” the drives and let him know that it was fine with me and KBC if he did so. You should take note at this point that I did not advise nor inform him as to how to properly “wipe” the drives. To be fair to Bill (and under the premise of a broken clock being right twice a day), he was correct that it is good practice to sanitize hard drives before surrendering computers (although nowhere in any HIPAA legal document does it prescribe that this must be done or how to do so).
Jon Tomes’s comment:
Mike is correct that HIPAA, specifically the Security Rule, does not, in terms, prescribe wiping a hard drive when surrendering it or how to do so. And, as an initial thought, I am far from certain that it had to be wiped at all because it was being returned to the provider whose PHI was on it through its new business associate. The portion of the Security Rule relevant to that scenario requires covered entities and their business associates to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. See 45 C.F.R. § 164.310(d)(2)(i) and (ii). Here, it is not being made available for re-use by a third party, so this rule appears inapplicable. To view the rule otherwise would result in the absurd requirement to wipe a laptop that one clinician used before transferring it to another.
As to whether HIPAA requires one to wipe hard drives or other media, its destruction requirement is in the C.F.R. section cited above. This Rule also requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored. The only definitive guidance that the Security Rule gives other than the preceding language is § 164.310(d)(1), which requires policies and procedures for the disposal of PHI.
Rather than requiring “wiping,” the Department of Health and Human Services (“DHHS”) gives the following guidance:
For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
U.S. Department of Health and Human Services Office for Civil Rights (“OCR”), The HIPAA Privacy and Security Rules, Frequently Asked Questions About the Disposal of Protected Health Information at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.
Thus, your disposal policy should specify which of the methods quoted above you will employ and who is responsible therefor.
However, if you destroy the PHI consistent with the NIST (National Institute of Standards and Technology) standards (see NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, December 2014, at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf) and what otherwise would be a breach occurs, it is not reportable to DHHS or to the individual and is, for all practical purposes, not a breach. Federal Register (FR). (24 August, 2009). Rules and Regulations. II.A. Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (Vol. 74, No. 162). Paragraph 3, pp. 42741-42.
Michael B. O’Hara’s narrative, part 3:
Two weeks after this phone conversation with Bill from Basement IT, my office received the two computers. At first glance, upon checking the equipment in, the hard drives appeared to be wiped, and by appeared to be wiped, I mean that there was no data apparent. My team then ran a simple data retrieval program called “Get Data Back” by Runtime Software to make sure that no PHI was left on the devices and within one hour and with minimal work effort, my technician reported to me that the hard drives had not been sanitized and that she was able to recover, from both computers, copies of the EMR database that the client had backed up to these machines as a failsafe. You might notice that I have now used the word wipe (meaning to remove data) and the word sanitized (meaning to ensure that the data is removed and un-retrievable) to describe the act of removing PHI from a hard drive. I want to be clear here that wiping a hard drive is a nebulous term that does not mean what it implies and that sanitizing means exactly what it implies, the removal of all data rendering the PHI un-retrievable within an acceptable work effort. In this case, it was evident that Bill from Basement IT thought that a simple format of the hard drive was wiping the drive and meeting the HIPAA standard to protect PHI, an assumption that is wrong, dangerous, and flat out amateurish.
Jon Tomes’s comment:
If another party, such as, say, an identity thief had received the two computers from Basement IT and they had not been sanitized, it could have resulted in a seven-figure fine as a number of covered entities have learned the hard way. Yes, effective data destruction is crucial.
Michael B. O’Hara’s narrative, part 4:
Being a CISSP (Certified Information Systems Security Professional) meant that I was ethically bound to notify the practice that we had received the computers and that, upon our check-in process, we had discovered that the PHI had not been protected as Bill had stated that he would do. This discovery made me curious, so I did a search of companies in the state, and I found out that, although Basement IT had, at one time, been a registered LLC, it had failed to file as a business for the past three years. I then dug a tad bit further and found out, through our local chamber of commerce, that Bill and Basement IT had several complaints pertaining to the execution of service. The practice owner called me personally to discuss what we had found on the hard drives and asked me what could be done to secure the data and whether I was ethically bound to report this security incident to DHHS (Jon Tomes can weigh in on this ethical question). I told him that, as long as we properly sanitized the drives and documented the sanitation, I did not feel that this incident would constitute a breach worthy of reporting (again, perhaps Jon can weigh in). The owner then contracted with my company to sanitize the drives.
Jon Tomes’s comment:
Although I would not render a legal opinion on the duty to report without more information, it does not appear that the matter is a breach by KB Computing or its client because KBC fixed what otherwise may have been reportable and because no third party got access to the protected health information (“PHI”). You may find my book helpful, How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, 2nd edition, available at http://www.veteranspress.com/product/handling-hipaa-hitech-act-breaches-complaints-and-investigations-everything-that-you-need-to-know.
Michael B. O’Hara’s narrative, part 5:
Now for the good stuff, when you sanitize a hard drive, there are various levels of sanitation or obliteration of the data. Along with these levels are various methods of sanitation, and I will now describe them to you in an effort to help you protect future PHI.
The first method of hard drive sanitation is a technical control, which means that you use software (KBC and I prefer using Active@KillDisk Pro by Lsoft Technologies) to write a series of alternating ones and zeros over every sector of the hard drive. There are several levels of this activity, but the first recommendation is US DoD 5220.22-M (commonly called DoD 3), a three-time pass over every sector of the hard drive. The first pass writes all zeros, the second pass writes all ones, and the third pass is a random pass, meaning that it writes ones and zeros randomly. This system renders the data un-retrievable without a ton of work, and then, even after the ton of work, the data will, in all likelihood, remain un-retrievable. My second recommendation is, surprise, US DoD 5220.22-M (ECE) (commonly called DoD 7), which is a seven-time pass over every sector of the hard drive. The first pass writes all zeros, the second pass writes all ones, the third pass writes all random, the fourth pass writes 0x96, and then the first three passes are repeated. The work effort involved in retrieving data is almost impossible. There are of course several other methods, and if you are a nerd like me, you may enjoy reading the NIST Special Publication 800-88r1, which is a guideline for media sanitization.
The second method is a physical control, which means physical action is taken to the hard drive to destroy the data. There are, as with the technical control, several methods. The first that I will mention is degaussing, the process of decreasing or eliminating a remnant magnetic field. This method cannot guarantee that all the data is destroyed and needs special degaussing equipment. The next, and perhaps my favorite, is the drill press. Yup, you read me right: simply take your hard drive and randomly drill several holes into the platters on the drive until it looks like Swiss cheese. Last is the sledgehammer approach (real old school, and represented well in the film Office Space; in the movie they destroyed a printer, but you catch my drift), where you literally take a sledgehammer to the hard drive and smash it into tiny pieces. Now, I admit, the physical controls are a lot more fun than the technical, but they are no more effective and a lot messier.
The last thing that you must consider when destroying any PHI is documentation. I have a strict rule for documenting the sanitation of media in which all media is sanitized using US DoD 5220.22-M (commonly called DoD 3), and at the end of the process, I deliver to the client a certificate signed and sealed by myself and the technician that reflects the method used, the date of sanitation, and the serial number of the hard drive. The software that we use to sanitize further creates logs showing the destruction particulars, and these are kept by my company for seven years. This certificate is then delivered to the client for the client’s records, and a copy is kept in our files. This level of documentation will come in handy if the OCR ever audits your practice. In the physical methods for destruction, there will be no system logs, so I highly recommend that if you choose one of these methods you use your smartphone or any other recording device to create a video document of the process. Make sure that you get a tight close-up of the serial number and video the entire activity (it might be fun to watch at the office holiday party). You must then secure the video evidence in a tamper-proof method to maintain CIA (Confidentiality, Integrity and Availability).
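The format-versus-sanitize distinction from part 3, the DoD 3 and DoD 7 pass sequences from part 5, and the sanitization record from the paragraph above, as an added Python example that is not Mike's or KBC's code and does not use Active@KillDisk or Get Data Back. It models a drive as a small constructed image file; the block size, the metadata-block layout and the quick-format model (rewriting only the metadata block) are simplifying assumptions, not a description of any real filesystem.

```python
import hashlib, os, secrets, tempfile
from datetime import datetime, timezone

# Constructed sample: a small disk-image file stands in for a hard drive. Layout,
# block size and the quick-format model are assumptions for illustration only.
BLOCK = 512
PHI_MARKER = b"EMR-BACKUP: patient record (constructed sample)"

# Overwrite passes as the narrative describes them: DoD 3 = zeros, ones, random;
# DoD 7 = zeros, ones, random, 0x96, then zeros, ones, random again.
PASSES = {
    "DoD 5220.22-M (3-pass)": [b"\x00", b"\xff", None],
    "DoD 5220.22-M ECE (7-pass)": [b"\x00", b"\xff", None, b"\x96", b"\x00", b"\xff", None],
}

def make_image(size=64 * BLOCK):
    """Write a constructed image: a metadata block, then PHI in the data area."""
    data = bytearray(secrets.token_bytes(size))
    data[0:BLOCK] = b"FSMETA".ljust(BLOCK, b"\x00")
    for off in (5 * BLOCK, 20 * BLOCK, 50 * BLOCK):
        data[off:off + len(PHI_MARKER)] = PHI_MARKER
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    with open(path, "wb") as f:
        f.write(data)
    return path

def quick_format(path):
    """Model of a quick format: only the filesystem metadata block is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * BLOCK)

def recoverable(path):
    """Mimic a raw-scan recovery tool: count PHI signatures still in the image."""
    with open(path, "rb") as f:
        return f.read().count(PHI_MARKER)

def sanitize(path, method):
    """Overwrite every byte once per pass (None = random), syncing each pass to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in PASSES[method]:
            f.seek(0)
            for off in range(0, size, BLOCK):
                n = min(BLOCK, size - off)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
            f.flush()
            os.fsync(f.fileno())

def sanitization_record(path, method, serial):
    """Certificate-style record: serial, method, date and a hash of the final image."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"serial": serial, "method": method, "image_sha256": digest,
            "date": datetime.now(timezone.utc).date().isoformat()}
```

On a real drive the overwrite would target the block device rather than a file, and the record would carry the physical serial number and the signatures the certificate requires; the SHA-256 here only fixes the final image state for the log.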
Jon Tomes’s comment:
The documentation is crucial. I always say that, for HIPAA, if it is not written, it’s not. The seven years that Mike’s company keeps the destruction data more than satisfies HIPAA’s six-year retention requirement for all evidence of HIPAA compliance.
Michael O’Hara’s narrative, part 6:
Before I let you go, one last note about Bill and Basement IT: there are no laws or licensing required by most, if not all, states to open an IT services company. We, as a nation, require more verification of competence from plumbers than we do from those who work on your most valuable IT assets. If I seem like I was picking on Bill, I was. Navigating HIPAA is difficult enough without unqualified, inexperienced amateurs muddying up the water. The best advice that I can give any medical professional looking to engage IT services is to do your homework and check references, education, and experience. Make your IT vendor prove that the company has the skills, procedures, and policies to support your practice. If the OCR comes knocking on your door because a hard drive was found full of PHI, you may not be able to pass the responsibility on to your IT company, especially if there is a breach.
Jon Tomes’s comment:
With the HITECH Act’s expansion of business associate liability to subcontractors, the covered entity (or “upstream” business associate) may be liable for the IT services company’s breaches. So make sure that you get a good one! I would enjoy participating in a quiz show on HIPAA for big bucks against that alleged expert.
Michael O’Hara is a HIPAA compliance and technology expert. Michael is the owner, CCO, and CTO of KB Computing, LLC, and is dedicated to assisting the medical vertical with being compliant and guiding his customers on policy, practice, and procedures.