Devices used with Restricted Information that contain hard drives, SD cards, non-volatile RAM, memory cards or other storage must either have the RI securely wiped before disposal or be disposed of in some other secure manner.
If RI is left on devices after they are disposed of, others may be able to access the RI, which could lead to breaches of the confidential information of our patients, research subjects, students and employees. This could in turn lead to required notifications of individuals and regulators, fines, penalties and reputational harm.
Yes. As an example, back in 2010, CBS News found PHI on the hard drives of photocopiers it had bought, which had previously been leased to Affinity Health. The PHI of over 300,000 patients was discovered and Affinity Health entered into a $1.2 million settlement with the Office for Civil Rights.
Please contact your local IT support group before disposing of any electronic devices that may contain RI. They can help you check if the device contains any Restricted Information and advise you on secure disposal. You can also check with the Office of Compliance Services Information Security team by emailing InfoSecAll@mednet.ucla.edu.
We must have a Business Associate Agreement with a vendor before they may take an electronic device that contains PHI offsite for disposal or repair. Equivalent agreements such as Appendix DS are necessary when non-PHI RI is involved. Alternatively, please contact your local IT support group for information on how to securely erase UCLA Restricted Information from the device.