This is a question that many doctors, chiropractors, dentists and other covered entities ask. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires all covered entities to comply with the Security and Privacy Rules. The Security Rule specifically addresses Electronic Protected Health Information (ePHI), while the Privacy Rule covers all forms of PHI.
Since most covered entities use computers, tablets, smartphones and other electronic devices to store patient data, many wonder whether it's okay to reuse such devices. Perhaps a patient has transferred to a different physician, in which case you no longer need to store his or her information. So, can you delete the patient's ePHI and reuse the electronic media for a different patient?
The Department of Health and Human Services (HHS) addressed this question on its website, saying yes – it's okay to reuse electronic media on which ePHI is stored, assuming certain steps have been taken to reduce the risk of unauthorized access and disclosure of the ePHI.
Before reusing or disposing of electronic media, covered entities must first remove all ePHI from the respective device. Attempting to reuse a media device simply by adding new ePHI on top of the old isn't compliant with HIPAA. The old ePHI must be removed before the electronic media device is disposed of or reused. Failure to do so could be considered a HIPAA violation, and with the Office for Civil Rights (OCR) increasing its enforcement efforts, this is one mistake that you don't want to make.
Furthermore, the HIPAA Security Rule requires all covered entities to implement policies and procedures that address the disposition of ePHI and the electronic media on which it is stored. These policies and procedures should also cover the removal and disposal of ePHI.
Keep in mind that covered entities can outsource the deletion/removal of ePHI from electronic media devices to a third party. There are dozens of companies that specialize in the deletion of sensitive data. When using one of these services, though, you must treat the service provider as a business associate. This means, among other things, that a Business Associate Agreement (BAA) must be in place. So before handing over electronic media to a third party, make sure you've created and signed the necessary BAA so you aren't violating any HIPAA requirements.
To recap, you can reuse electronic media on which ePHI is stored as long as you delete the old ePHI first.