In 2018, the Federal Department of Health and Human Services’ (HSS) Office for Civil Rights (OCR) republished the rules for disposing of electronic devices, media and data bearing devices for HIPAA covered entities. In simpler terms, it is a summary of HIPAA data destruction regulations to safeguard financial information or protected health information (PHI).
The takeaway for HIPAA-compliant electronic device and media data destruction
HSS recommends creating an organizational risk analysis that will guide your process to develop a protocol that protects patient records (PHI) and financial data. This top level scrutiny will provide the foundation for a comprehensive HIPAA data destruction plan and chain of custody for data bearing asset disposition. The overall goal is to ensure the secure hard drive shred or erasure of a patient’s health information so that it’s irretrievable and 100% secure.
HIPAA Data Breach Risk Analysis Planning
It’s the burden of responsibility for all HIPAA-covered entities to create their own analysis and a data destruction plan for their data and assets. Consider the following as your legal, IT, asset disposition and other departments create your internal plan to meet HIPAA data destruction guidelines:
- What data is maintained by your organization and where is it stored? Have all asset recovery-controlled equipment and devices been identified and isolated? (See our list of common data storage devices.)
- Is your organization’s data disposal plan up to date (and reviewed regularly)?
- Are all asset tags and corporate identifying marks removed when a device reaches end of life or end of lease?
- Is data destruction of the organization’s assets handled by a certified data destruction provider? (Learn more about NAID AAA certified data destruction.)
- Have the individuals handling the organization’s assets cleared workforce security processes and undergone appropriate asset disposition and data destruction awareness training?
- Is onsite hard drive shredding (or other data destruction method) required?
- Is IT equipment staged/stored securely, including lease returns and IT refresh programs, prior to transfer to external sources for disposal or destruction?
- What are the logistics and security controls in moving the equipment?
- What is your IT asset chain of custody protocol? Are you prepared for an audit if there is a data breach or question of responsible management?
If this list seems like a lot, consider the flip side to active planning and safeguarding your patient’s medical records and financial data. Under HIPAA regulations you may be subject to penalties for misconduct or failure to meet technical, administrative, and physical safeguard requirements of IT assets and PHI under the HIPAA Security Rule. Don’t forget to take into account the legal and brand ramifications resulting from a data breach.
If you have any questions about HIPAA data destruction guidelines for your company, contact your VAR, ITAD or service provider. They should have solutions that meet your company’s compliance requirements for HIPAA data destruction for all your electronic devices and media. If not, reach out to Guardian for a service provider that can help.
