Going beyond delete: How to really erase information

Updating computer systems can be challenging enough, but then you have to get rid of the old one. And more important, get rid of the data it stores.

By Tyler Chin, AMNews staff. Sept. 12, 2005.

When you replace computer systems, it's likely you will have to throw out your existing computer equipment. But before you can dispose of that hardware, you need to take three steps:

• Converting or transferring files from the old to the new system, although that data conversion generally will be handled by your vendor if you're switching physician practice management or electronic medical records systems.
• Deleting personal information and patient records stored in the old computer.
• Figuring out how to dispose of that PC.

Of the three things on that to-do list, removing patient data from the computer's hard disk should be your top priority, because if you don't, you will be exposed to several risks if those data fall into the wrong hands.

First, you could be fined or even imprisoned for violating the federal privacy and security rules of the Health Insurance Portability and Accountability Act. Second, patients could sue you for breach of privacy or another tort under state law. Third, patients also could sue you if criminals use the data to steal your patients' identities. Fourth, you could find yourself the lead story in your local newspaper or television station.

"In some ways [public embarrassment] will be the worst penalty," said Robert Gellman, a privacy and information policy consultant in Washington, D.C. "These kinds of stories are very attractive to newspapers."

There are three ways to get rid of data from a PC, and deleting files and reformatting a computer's hard disk or drive aren't among them, experts say. When you delete files or reformat the hard disk, the data simply are hidden and can easily be retrieved by computer experts, said Tom Grove, a HIPAA and information technology consultant in Manassas, Va.