American Medical News

BUSINESS

Going beyond delete: How to really erase information

Updating computer systems can be challenging enough, but then you have to get rid of the old one. And more important, get rid of the data it stores.

By Tyler Chin, amednews staff. Sept. 12, 2005.


When you replace computer systems, it's likely you will have to throw out your existing computer equipment. But before you can dispose of that hardware, you need to take three steps:

  • Convert or transfer files from the old system to the new one. If you're switching physician practice management or electronic medical records systems, your vendor generally will handle that data conversion.
  • Delete personal information and patient records stored in the old computer.
  • Figure out how to dispose of that PC.

Of the three things on that to-do list, removing patient data from the computer's hard disk should be your top priority, because if you don't, you will be exposed to several risks if those data fall into the wrong hands.

First, you could be fined or even imprisoned for violating the federal privacy and security rules of the Health Insurance Portability and Accountability Act. Second, patients could sue you for breach of privacy or another tort under state law. Third, patients also could sue you if criminals use the data to steal your patients' identities. Fourth, you could find yourself the lead story in your local newspaper or television station.

"In some ways [public embarrassment] will be the worst penalty," said Robert Gellman, a privacy and information policy consultant in Washington, D.C. "These kinds of stories are very attractive to newspapers."

There are three ways to get rid of data from a PC, and deleting files and reformatting a computer's hard disk or drive aren't among them, experts say. When you delete files or reformat the hard disk, the data simply are hidden and can easily be retrieved by computer experts, said Tom Grove, a HIPAA and information technology consultant in Manassas, Va.

One way to ensure that data are permanently erased is to physically destroy the hard disk by removing it from the box and drilling a hole right through the center of the disk, Grove said.

Another involves using free and commercial software programs that overwrite the hard disk with random zeros and ones, Grove said. Such software is available for $30 to $50. The software follows the data security standard of the U.S. Defense Dept., which calls for three "passes" or overwrites, he said. Overwriting "is not something you do in just five minutes. It's an overnight job -- the kind of thing you set up at night and it's done when you come back to the office the next morning," he added.

Physicians also can erase data from old computers by running a powerful magnet over the hard disk, either by outsourcing the job to a third party or doing it themselves. This method, which is known as "degaussing" and renders the disk unusable, usually costs "approximately $10 per hard drive plus shipping if applicable," said Richard Angeloni, a spokesman for Brown & Toland Medical Group, a San Francisco-based independent practice association.

Although experts say that either degaussing or data erasure software will permanently wipe or "sanitize" a hard disk, the IPA uses both methods on every PC or laptop it disposes of just to be sure. "We prefer extreme measures only because ... potentially at some point in time an individual will come along and be able to defeat [a single measure as advances in technology are made]," said Tom Macmillan, the IPA's director of information technology.

But before you erase data and toss a PC away, you should make sure you save or transfer files from the old computer system to a new one. You can do that by transferring old files on a CD-ROM, network or server, Grove said. "You obviously don't want to throw away your only copy of important data."

If you're switching to a computer running Windows XP, you should be able to read Windows 95 or Windows 2000 documents on the new PC, experts say. But problems can occur if you're still running an application based on DOS -- Microsoft's original operating system -- on the old PC. In that case, you might or might not be able to install that application on a new Windows XP computer, said Troy Johnson, manager of information technologies at MedAllies, a Wappinger, N.Y.-based company that provides information technology and services to physician offices. "It would have to be on a case-by-case basis," he added.

Although there's a good chance you might not be able to install a DOS program from Microsoft, you should be able to read DOS files on the new PC if they are simple text files, Johnson said.

But files created using software from other third-party vendors might have their own proprietary format. You may want to check with your vendor to see if they have a new version that runs under Windows XP and a conversion tool to convert the old version files.

If they don't, or the DOS applications won't run on the new PC, you might have to keep the old computer if you want to continue using the DOS application.

"Most of my hospital clients have at least one machine that's running DOS because they have some software program that they haven't replaced yet," Grove said. "It's the only DOS machine in the house. It sits in the corner. ... Everybody hopes that it doesn't die."



 ADDITIONAL INFORMATION: 

E-waste stats

  • Less than 4% of the total solid waste stream in the United States is composed of computers, televisions, cell phones and other discarded electronics, but "electronic waste" is growing two to three times faster than any other type of waste.
  • Up to 500 million computers -- 62.5 million each year -- will become obsolete and enter the municipal solid waste stream between 2000 and 2007.
  • Only 9% of the 2.2 billion tons of the e-waste generated in 2000 were recovered for reuse or recycling.

Source: Environmental Protection Agency



Paper chase

Do you want to free up office space or eliminate the expense of storing paper-based patient records by tossing them?

Before you do, make sure it's OK to get rid of the paper, said Carol Quinsey, a manager of professional practice resources at the American Health Information Management Assn., a Chicago-based industry group.

"A few states still require that the paper record be kept, but those are mostly being challenged by various people saying, 'Wait a minute. This is ridiculous. We can produce it on paper if that's what you want us to do, but we shouldn't have to keep it on paper because it's getting costly ... to store paper records,'" she said.

Most states don't require that doctors keep their records on paper, though they do require that records be retained for a specific period, which varies from state to state. Doctors can transfer paper records to microfiche, CD-ROM or DVD. After the transfer is completed, "the paper then can be disposed of at any time as long as it is disposed of in appropriate ways," Quinsey said. Typically, that means burning, shredding or pulping the records in chemicals, she added.

AHIMA recommends that physicians outsource the destruction of paper records to a third party rather than doing it themselves. That's because doctors will receive a certificate of destruction or disposal from the third party, which would come in handy later if a question arises about whether they properly disposed of their records, Quinsey said.



Sell, donate, recycle; just keep e-waste out of the dump

Since 2001, Minnesota, Virginia and Arkansas have banned computers, electronics or both from their landfills, and electronic or e-waste legislation was introduced in more than 25 states this year, according to the National Conference of State Legislatures.

This means that selling, donating and recycling computers increasingly will become the only options available to those seeking to unload old hardware.

"Even if your computer can be refurbished and reused [by others], that only puts off its ultimate destination for a couple of years. Sooner or later, it's going to hit the trash heap," said Dan K. Morhaim, MD, a delegate in the Maryland General Assembly and emergency physician who advocates recycling over sales or donations.

A bill Dr. Morhaim introduced requiring computer manufacturers to pay $5,000 annually if they do business in Maryland will become effective Oct. 1. That money will be used to fund a statewide computer recycling program, he said.

Doctors can check whether their local government has a computer-recycling program and if there are fees attached, Dr. Morhaim said. Physicians also can sign up for "asset recovery services," under which some computer manufacturers will erase the hard disk and dispose of PCs.

For example, Dell charges businesses $25 per piece of equipment, which could be a desktop, monitor, laptop or server from any maker or manufacturer, said Caroline Dietz, a Dell spokeswoman. Dell also will recycle a consumer's old PC for $10 per machine, though the service is free to those who buy a new computer, she said.



Copyright 2005 American Medical Association. All rights reserved.
 