A recent conversation with a colleague raised a very relevant point that I had previously not thought much about. What policies are in place for protecting PHI on used equipment? I have been in conversation with a few sources to identify whether there are any industry guidelines on this, but conventional wisdom right now says no.
The problem is not with equipment turned in to established vendors, but with potential 3rd party refurbishing companies, or with equipment disposed of in some other fashion. I have contacted several vendors and verified that they have established policies for dealing with equipment they take in for refurbishment.
In the case of Siemens Healthcare, equipment refurbished by Siemens has all the hard drives wiped of data to remove all PHI. In addition all Siemens Healthcare employees have signed a legal compliance agreement never to disclose PHI. (http://www.healthcare.siemens.com/siemens_hwem-hwem_ssxa_websites-context-root/wcm/idc/siemens_hwem-hwem_ssxa_websites-context-root/wcm/idc/groups/public/@global/@refurb/@imaging/documents/download/mdaw/mdy0/~edisp/refurbish_med_sol_dec_10-00064845.pdf)
In the case of Agfa, Agfa has a process to govern the de-installation of equipment that includes the removal of all identifiable patient healthcare information (PHI) data. If requested in writing, Agfa will provide the customer with documented confirmation of the PHI removal.
Other equipment providers did not return my calls. Worse yet was the response (or lack thereof) from 3rd party equipment refurbishing companies! I reached out to several and I did not receive much response. The one response I did get from a Florida-based company was that PHI concerns were all “bulls**t!” It seems, at least from this one encounter, that 3rd party companies expect the hospital to remove all PHI.
The results of these inquiries have led me to conclude the following with respect to used equipment and PHI:
1. It seems the onus is on the hospital or equipment owner to make sure PHI is removed. Unfortunately, just deleting the patient studies does not ensure that PHI is gone! Anyone familiar with hard disk drive technology knows that a delete typically removes only the file system's reference to the data, leaving the blocks intact until something else reuses them, so the disk must be overwritten to ensure the data is truly gone. This is particularly important if the equipment is going into the hands of a 3rd party refurbishing company.
2. There do not appear to be any industry guidelines or policies for PHI removal from old imaging equipment. This is something the industry needs to address as more and more equipment goes digital, including smaller devices such as portable ultrasound. Perhaps groups such as NEMA (National Electrical Manufacturers Association) or the ACR (American College of Radiology) could produce some guidelines on the disposal of old equipment.
3. One of the more important factors is how imaging equipment vendors handle software licenses. Many commercial PCs come with a "recovery" disk that allows the user to restore the device to its original software installation. Perhaps the vendors need to ensure that devices have a "recovery" disk that wipes the hard disk drive and restores the system to its original state, as opposed to merely providing a copy of the application software.
4. Another, unrelated concern is the impact of operating system obsolescence. If an older piece of equipment ran on Windows XP, and that is what it gets restored to, doesn't that perpetuate security risks? Is the onus on the equipment vendors to perform updates on the equipment when it is reinstalled at another location? This would seem reasonable for equipment sold through the vendors, but what about equipment sold by 3rd parties?
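To make points 1 and 3 concrete, here is an added example (my own illustration, not code from any vendor or from the original post) that models a disk as a small block image with a toy directory table. It shows three things a hospital should expect before handing a device to a 3rd party: deleting a study only drops the directory entry, a "recovery" disk that reinstalls the application overwrites only the blocks it needs, and only a full overwrite leaves nothing for a raw scan to find. The patient record, the application payload, the block sizes and the identifier patterns are all constructed for the example.

```python
import re

BLOCK_SIZE = 64
NUM_BLOCKS = 16

# Constructed sample study record (hypothetical patient, not real PHI).
SAMPLE_STUDY = b"PatientName=JANE EXAMPLE;MRN=000123456;DOB=1970-01-01;Modality=US"
# Constructed stand-in for what a vendor "recovery" disk reinstalls.
APP_IMAGE = b"VENDOR_APP v1.0 binary payload " * 4

# Identifier patterns a raw-image scan looks for (assumed record format).
PHI_PATTERN = re.compile(rb"PatientName=[^;]+|MRN=\d+")


class ToyDisk:
    """A toy block device: a directory table plus a flat array of blocks.

    Files occupy contiguous blocks; the directory maps a name to
    (first block, length in bytes).
    """

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}
        self.next_free = 0

    def write_file(self, name, data):
        nblocks = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if self.next_free + nblocks > NUM_BLOCKS:
            raise OSError("toy disk full")
        offset = self.next_free * BLOCK_SIZE
        self.image[offset:offset + len(data)] = data
        self.directory[name] = (self.next_free, len(data))
        self.next_free += nblocks

    def read_file(self, name):
        start, length = self.directory[name]
        offset = start * BLOCK_SIZE
        return bytes(self.image[offset:offset + length])

    def delete_file(self, name):
        # As on most real file systems: only the directory entry goes away;
        # the data blocks keep their contents until something reuses them.
        del self.directory[name]

    def restore_from_recovery_disk(self):
        # Models a recovery disk that reinstalls the application but does not
        # wipe: it starts at block 0 and overwrites only what the app needs.
        self.directory.clear()
        self.next_free = 0
        self.write_file("vendor_app", APP_IMAGE)

    def wipe(self, fill=b"\x00"):
        # Overwrite every block, whether or not the directory says it is in use.
        self.image[:] = fill * (BLOCK_SIZE * NUM_BLOCKS)
        self.directory.clear()
        self.next_free = 0


def carve_phi(image):
    """Scan the raw image for patient identifiers, ignoring the directory."""
    return [m.group(0).decode() for m in PHI_PATTERN.finditer(bytes(image))]


def run_scenario():
    """Return the identifiers a raw scan finds at each stage of a turn-in."""
    disk = ToyDisk()
    disk.write_file("vendor_app", APP_IMAGE)
    disk.write_file("study_0001", SAMPLE_STUDY)
    results = {"after_write": carve_phi(disk.image)}
    disk.delete_file("study_0001")            # what "deleting the studies" does
    results["after_delete"] = carve_phi(disk.image)
    disk.restore_from_recovery_disk()         # what a software-only recovery disk does
    results["after_recovery_disk"] = carve_phi(disk.image)
    disk.wipe()                               # what a real sanitization does
    results["after_wipe"] = carve_phi(disk.image)
    return results


if __name__ == "__main__":
    for stage, found in run_scenario().items():
        print(f"{stage:20s} -> {found}")
```

The raw scan in `carve_phi` is the check worth borrowing: before a device leaves the building, image the drive and search the image for identifiers rather than trusting the file listing or a vendor's "all studies deleted" statement. The toy models a rotating disk; on flash-based storage the controller remaps blocks the host cannot address, so a host-side overwrite is not sufficient there and the drive's built-in sanitize function or physical destruction is the appropriate step.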
I could go on, but I think the point has been made. Given HIPAA and a regulation-conscious healthcare environment, how will PHI be secured when older equipment is disposed of? I think it is high time someone comes up with policies and procedures for ensuring the integrity of PHI.