We start 2012 by addressing something you may have already done — replaced or updated computers and other electronic equipment in your practices – and the liability it creates.
Like many other businesses, medical practices often replace or order new computer and electronic equipment at year end to generate additional expenses and deductions and to maximize efficiency going into the new year. You doubtless put a lot of thought and research into what you bought, or at least picked an expert to make those choices for you but how you dispose of the old equipment is just as vital a choice for your practice.
Unless you are part of a hospital or very large practice with dedicated IT officers you likely now need to safely and securely dispose of a variety of computers and related electronic devices including:
• Networked printers, faxes, scanners, etc.
• Computer servers and arrays
• Devices that combines hardware and software for a specific function, medical or administrative
• Networking equipment
• Electronic data storage devices and backups
• Desktop and laptop computers and smartphones that have been used to access or relay protected data
You’ve likely noticed that “computers” themselves were listed last, primarily because they pose the most obvious threat to the sensitive and legally onerous financial and HIPAA-protected information that virtually every medical office in the United States stores and is legally responsible for. However, the admittedly partial list of other devices that can store and transfer this data shows how much wider the exposure is and why all practices must deal with this exposure of patient data in a systematic way. As an example of just how serious the exposure can be, a simple printer can have tens of thousands of patient social security numbers and intake forms stored in its memory.
You may be asking, “Can’t we just give them or throw them away?”
No, not in most cases. You can certainly donate (and in some cases take a tax deduction for) certain peripherals after determining if they pose a storage risk or not, (things like mice, keyboards, and monitors are the most basic examples), but the computers themselves and most other devices that transfer, copy, or store data present a serious exposure to your business. Whether your computers are going to be destroyed, donated, or recycled, it’s vital that all data on the computer is wiped out as a minimal first step.
Downloadable software programs or those available at most office stores can be a first step and may already be present in your operating system or anti-virus programs. Remember that data on personal computers is not actually “erased” unless the hard drive itself is destroyed. In many cases a professional ID thief (or an average 12-year-old) will be able to retrieve the info from a wiped computer.
Here’s a simple five step outline to get you started. These steps will help mitigate your practice’s legal and financial exposures for the data, potentially facilitate the use of the equipment by a worthy charity or individual and help your practice be more green.
1. Take action now. It’s too easy to put the old equipment into a storage area that no one pays attention to or takes inventory on until something goes missing.
2. Have a plan and make someone specific responsible. Create a written chain of custody and educate the person in charge about the risks and gravity of the task at hand.
3. Keep records of how many devices you have and are destroying or donating (make a copy for the CPA including depreciated value and replacement cost) and where they went or how they were disposed of.
4. Disconnect old machines, sign all users out of them and disconnect them from your network where they are often not maintained or updated and where they may actually create a security risk.
5. Keep the equipment secured until it’s ready to be recycled or destroyed. Keep records of where it goes.
Happy New Year! Thank you for your continued readership, feedback and support.
Smartphones Partly to Blame for HIPAA Compliance Issues
As always, the information presented here is general and educational and can never replace the advice of experienced counsel specific to your assets or situation. This article originally appeared at www.PhysiciansPractice.Com where Ike Devji is a regular contributor, and is reprinted here with permission.