Healthcare - Protect Your Patient’s Data

Paper Shredding Is Not Enough

Healthcare providers of any size or type are required to comply with a variety of HIPAA regulations, including the safeguarding and destruction of the Electronic Protected Health Information (ePHI) that resides on older equipment that is being upgraded or taken out of service.

HIPAA’s “Final Security Rule”

As a covered entity you must comply with:

§164.310 (d)(2)(i) – Disposal
Required: Policies & procedures to address the final disposition of ePHI

This disposal implementation specification states that covered entities must:

“…Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”

As covered entities replace and update hardware and various equipment, ePHI can remain on a wide variety of equipment and devices including PCs, copy machines, printers, cell phones, tablets and imaging equipment. Unless properly sanitized, hard drives and other storage media can retain ePHI — which makes the data vulnerable to a costly data breach.

That’s why the implementation specification requires healthcare professionals to initiate policies and procedures for preventing medical records and other ePHI from being disclosed while disposing of equipment and devices. Finding a company to perform data sanitization or electronics recycling that will “do it for free” in an effort to save money, or allowing a company to delay a pick up to save money could be a de facto violation of HIPAA.

Since the single act of disposing of a computer without first “scrubbing” the hard drive to remove ePHI would violate several different HIPAA provisions, improper vetting of your service vendors can prove costly for your organization. Discount recyclers are not trained in the proper data security protocols, and also do not hold the independent certifications that will ensure all of the data on any of the devices they take possession of will be properly destroyed.

Fines for Non-Compliance

The Enforcement Rule requires HHS and the Attorney General from each state to issue fines of up to $50,000 per violation, up to a maximum of $1,500,000 per year. A continuing violation is deemed a separate violation for each day it occurs.

But that is just the HIPAA fines. For instance, a healthcare provider who recently had 57 hard drives stolen from a storage closet also faced significant related costs. Although the HHS settlement required the provider to pay $1.5 million, the company has spent nearly $17 million in investigation, notification and protection costs to date – bringing the total to $18.5 million. The company also had to provide affected individuals with free credit monitoring services, free identity monitoring, consultation, and identity theft restoration.

Some highlights from the 2014 Bitglass Healthcare Breach Report show why HIPAA-covered entities must put a focus on the security of the data that resides on electronic devices:

  • 68% of healthcare data breaches since 2010 occurred when devices or files were lost or stolen, with only 23% due to hacking.

  • 48% of breaches involved a laptop, desktop, or mobile device.

  • 4% of breaches accounted for 80% of total records compromised. An above-average 78% of compromised records were the result of loss or theft.

  • Electronic health records have 50 times the black market value of a credit card.

In addition, the 2014 Fifth Annual Study on Medical Identity Theft conducted by the Ponemon Institute calculates the average out-of-pocket loss per victim of medical identity theft at $18,660.

 e-End Provides A Complete Compliance Solution

By following NSA and NIST 800-88R1 guidelines, e-End can ensure your organization that all data, including ePHI, on the computers, office equipment, medical equipment and other devices we handle cannot be recovered by any means. With our proprietary, compact and portable media destruction equipment, e-End can perform data sanitization services onsite at your office or facility with no disruption.

e-End has earned NAID AAA Certification from the National Association for Information Destruction for purging data on all electronic and non-paper media (including hard drives, cell phones and other electronic media) at both e-End’s facility and at our client’s facility.

Having A Defendable Audit Trail Is Critical

Since your IT Department’s focus should be keeping vital systems online and protecting your network, it is more cost and time effective to rely on e-End’s Data Security Team to handle your data destruction needs — especially since your team cannot self-certify their own work. As an independent third-party, we can issue you a Certificate of Certified Data Sanitization and Certificate of Recycling that serves as a defendable audit trail in case of an audit.

If needed, we can also capture and record the serial numbers of hard drives and other storage media — plus devices and equipment — for your records.

For more information on how we can keep you in compliance with HIPAA’s Final Security Rule, contact us today.

Computer Recycling Drop Off Location:

Monday – Friday: 9AM-4PM
Saturday - Sunday: Closed

7118 Geoffrey Way Unit E
Frederick, MD 21704
Phone: (240) 529-1010