Secure Data Destruction Methods for the Healthcare Industry

Monday, October 16, 2023 2:18 pm, Posted by Absolute Destruction

If we were to ask the public what forms of personal information they’d least like shared freely, they’d likely point toward information relevant to their finances or information about their current health and their health history.

It makes sense. In addition to personal, sometimes sensitive, information about our mental and physical well-being, our records also hold other pieces of personal data — like our full names, addresses, phone numbers, and more.

Fortunately, healthcare professionals have an ethical, legal and professional responsibility to protect patient records from unauthorized access. In Canada, there are several legislative streams that are pertinent to keeping patients’ personal health information secure from unlawful access. These laws apply to every health provider, every team member who uses and encounters patient records in their role, and anyone on staff with access to them.

Legislation and Patient Records

In Canada, health professionals — doctors, surgeons, dentists, chiropractors, and therapists, to name just a few — may face legal ramifications if they fail to keep their patients’ information safe.

Personal Information Protection and Electronic Documents Act — PIPEDA

PIPEDA applies to organizations in the private sector that are not federally regulated. It mandates how these organizations can collect, use, and disclose personal information.

Personal Health Information Protection Act — PHIPA

This law applies to those in the healthcare field in Ontario. It sets guidelines for the collection, usage, and disclosure of a patient’s personal health information. Under PHIPA, guardians of health records must take the appropriate measures to keep data safe from unauthorized access and use, loss and theft.

At one time, laws like this would have applied exclusively to tangible paper records. Today, digital technology is becoming ever more ubiquitous, and keeping data safe — both while it’s in use and once it’s surplus to requirement — is of equal importance.

What Role Does Data Play in the Healthcare Industry?

The world is embracing technologies that help with automation, streamline processes, and simplify procedures. These same benefits apply to the often overburdened and understaffed healthcare industry, where technology is significantly improving both the user and patient experience.

Patient Portals

To schedule a doctor's appointment or to ask for a repeat prescription, patients are no longer required to call the doctor’s office. Instead, they can now log on to their patient portal with their GP’s office. By doing so, they can process requests, like those mentioned above, themselves.

Electronic Health Records

Our health records are now primarily electronic, which means that nurses and family physicians receive automatic real-time updates and reminders for each patient.

Telemedicine

During the pandemic, the notion of virtual consultations truly took off, and it continues to play a key role in the healthcare industry. Virtual consultations and meetings have sped up wait times, making health care more accessible. Video calls can help doctors who need to schedule follow-up appointments with bed-bound patients or pass along test results in an expedient manner.

Apps

In some forward-thinking medical facilities, patients now wear devices that send data straight to a nurse’s or doctor’s cell phone. These apps can help with health tracking and patient monitoring and may log heart rate or insulin levels, for example.

As you can see, data is becoming an increasingly more prevalent aspect of the healthcare industry. With that comes serious questions, including how data — which has been used to house, log, or process patient information — should be handled once it is defunct, outdated, or obsolete and why secure data destruction is vital.

How Long Should Records Be Stored For?

The answer here will vary based on location and on the scope of the profession. For example, in Ontario, according to the College of Physicians and Surgeons of Ontario:

  • Adult records must be retained for at least 10 years from the last recorded visit.
  • For children, records must be retained for 10 years after the day the patient turned 18.

Why Does Data Need to Be Securely Destroyed?

While it's likely that documents and data are kept secure with the proper safeguards in place while they're in use, of equal importance is the destruction of data once it's no longer needed or once its hold time has elapsed.

Should you deploy ineffective data destruction methods, an old company laptop or cell phone — one that’s been used to host video calls, log app information or access patient records —  could fall into the wrong hands. It can then be exploited or held for ransom, or components of it can be sold for health identity theft.

This isn't a shot-in-the-dark scenario. These things do happen. In 2019, the United States saw a peak in healthcare data breaches. In that year, the protected health information of almost three million individuals was likely stolen. Broken down, nine out of ten of these breaches were at the hands of hackers and a result of tech incidents; the top six were due to issues with networks; three were due to breaches of email accounts; and one was as the result of an ‘improper disposal incident.’

Secure destruction is a legal requirement, too. Per law, personal health information should be destroyed before leaving any medical facility.

What’s the Most Secure Destruction Method?

There are multiple ways to wipe data of its information, including factory resets, degaussing, overwriting, and shredding.

Nevertheless, how data is destroyed is overseen by professional bodies, and the legalities of what is considered safe destruction will vary based on your location. In Ontario, per the College of Physicians and Surgeons of Ontario, while operating under PHIPA, physicians must “permanently delete electronic records by physically destroying the storage media or overwriting the information stored on the media.”

With that, there are two options for data destruction.

  • Overwriting is precisely as it sounds. Data is written over using 1s and 0s, which replace the original content. The downside to overwriting is that it takes a long time and may require different licenses for each piece of data — which can be costly. Overwriting may not reach expertly protected areas, either. Without the tech know-how, it can be challenging to ascertain whether sensitive information has been overwritten.
  • Having your tech and data shredded by partnering with a professional commercial data destruction company — like us — guarantees the complete destruction of your data. This is the best option for technology that’s dated, broken, and no longer required. Using industrial shredders, data can be destroyed on-site, meaning it's wholly eradicated before leaving the clinic, office, facility or otherwise.

Safeguard Your Data

In addition to keeping on the right side of legislation, keeping patient records and their client's personal health information safe is paramount. It maintains that all-important patient-doctor trust alive, eliminating any possibility that your reputation as a healthcare provider could be tarnished.

To learn more about our secure document and data destruction services, connect with us. We can help you safely get rid of old computers, tablets, hard drives and other data that have been used to store sensitive patient files, giving your patients some peace of mind and keeping you on the right side of the law.

© 2021 Absolute Destruction. All Rights Reserved.