Keeping Compliant: HIPAA disposal of electronics

When it comes to the disposal of end-of-life media, health care organizations must use specific and safe methods to stay compliant—here's how degaussing can help you do so.

 

The Health Insurance Portability and Accountability Act contains multiple sections that pertain to the secure protection of patient data.

When it comes to the disposal of end-of-life media, health care organizations must use specific and safe methods to stay compliant—here’s how degaussing can help you do so.

Breaking down HIPAA
Due to the abundance of personal information contained on laptops and computers in health care facilities, protecting them from unauthorized access is one of the highest priorities for HIPAA compliance. This covers incidental exposure, like leaving a laptop logged on near a patient, to less talked about instances like proper sanitization of end-of-life media.

According to the Department of Health and Human Services, two of the top five most investigated compliance infraction cases are:

  • Lack of security involving digital health records.
  • Inadequate administrative safeguards for digital health records.

Many hospitals try to protect against active cybercriminal activity, like ransomware or other viruses that can be transmitted through electronics and steal files. Many employees, though, are unaware of the dangers that surround end-of-life media.

The HHS reported multiple compliance requirements under section 45 CFR 164 pertaining to safe disposal of any hard disk drives or other electronics that may have at one point contained patient health care records:

  • 45 CFR 164.530(c): Safeguards must be in place to prevent accidental or unauthorized access to disposed information.
  • 45 CFR 164.310(d)(i) and (ii): Procedures are required to be implemented in regard to the safe and secure sanitization of patient health care records before media is removed from the facility for destruction or re-use.
  • 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i): Employees must be trained in erasure of information from electronic media.

Even though these compliance laws are in place, there’s still a vast amount of negligence across the board in every industry, meaning health care organizations aren’t necessarily immune to it. According to a Ponemon study that surveyed 3,000 individuals who work in the IT field, three-quarters of respondents’ companies have experienced data theft in the past two years, while 50 percent attribute the breaches directly to employee negligence.

Hospitals must securely dispose of electronics with patient data on it.

Keeping compliant
Some hospitals have rooms dedicated to electronics that’ll never be used again—hard disk drives, laptops, USBs and computers. They can’t get rid of them because doing so would be a breach of law, but keeping them in an accessible room is just as dangerous.

Degaussing is approved by the National Security Agency as the only way to securely erase data from electronics. These devices demagnetize the memory storage, rendering the information inside completely unreadable. This is far different from software wipes, which only scramble the data—information can still be retrieved.

“Degaussing is the only way to safely erase data.”

Degaussers range in size and price, making them an affordable asset for any organization. Little training is required to operate this technology and allows for the speedy and safe disposal of technology.

Compliance negligence can be defended against with the right tools. Not only does breaking protocol leak out personal health information of patients, but data breaches are costly in their own sense. Organizations need to think about all the factors in play; potential fines and action taken by a governing body, impending lawsuits for breach of patient confidentiality, costs associated with identity protection for patients and fees associated with restructuring methods and procedures to ensure another data breach won’t occur.

Don’t wait until HIPAA law is broken to start improving data protection. The cost of allowing a data breach is much more substantial than the buy-in price for a degausser. If you have any questions about how to best protect your data, feel free to contact us at here Proton Data.

Proton Data Security: