Healthcare & Medical
§164.310 (d)(2)(i) Disposal
§164.310 (d)(2)(ii) Media Reuse
Protect Your Patient’s Data – Paper Shredding Is Not Enough
As covered entities replace and update hardware and other media, electronic patient health information (EPHI) can remain on hard drives and other media. EPHI is stored on copiers, faxes, printers, imaging equipment, medical office PCs and a host of other equipment and devices. This implementation specification requires policies and procedures for preventing EPHI from being disclosed while disposing of EPHI or of the electronic media and devices used to store it. Policies and procedures should include approved methods of disposal (HHS/CMS “Security Standards: Physical Safeguards” and NIST SP 800-66 Rev. 1) and the process for ensuring that EPHI processed by or stored on the hardware and electronic media is no longer accessible.
Healthcare professionals are required to anticipate and protect against potential risks to the records. Allowing someone to “do it for free” in an effort to save money or allowing a company to delay a pick up because it is not in their best financial interests could be a de facto violation of HIPAA since this type of recycling cannot be independently certified, and because proper security protocol is rarely practiced.
Fines for Non-Compliance
The Enforcement Rule requires HHS and states’ Attorneys General to issue fines of up to $50,000 per violation, up to a maximum of $1,500,000 per year. A continuing violation is deemed a separate violation for each day it occurs. The single act of disposing of a computer without first “scrubbing” the hard drive to remove electronic protected health information would violate several different HIPAA provisions.
Computer Recycling LLC destroys EPHI using two methods: hard drive erasure/overwrite in compliance with DoD standard 5220.22-M and/or physical destruction of the data-containing media to meet NIST SP 800-88 guidelines. With proprietary, compact and portable media destruction equipment, Computer Recycling LLC can perform data sanitization in a doctor’s office or hospital facility with minimal disruption.
Certificates of Data Sanitization & Recycling
If one party mishandles medical information, everyone identified with the chain of possession becomes a suspect. Our Certificate of Data Sanitization and Certificate of Recycling are your proof of compliance.
Furthermore, not only is it a violation of the law to improperly release individually identifiable information, but healthcare professionals are also required to anticipate and protect against potential risks to the records (§164.312/316). In fact, failure to reasonably anticipate risks can itself be interpreted as a violation of the law.
Have more questions? Call us at 800-511-8205 to speak to a disposition and data security expert!