HIPAA and Data Destruction for IT Devices – What You Should Know

Glenn Laga

In 2018, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) republished its guidance on disposing of electronic devices and media that hold data for HIPAA-covered entities. In simpler terms, it is a summary of the HIPAA data destruction requirements for safeguarding protected health information (PHI) and related financial information.

The takeaway for HIPAA-compliant electronic device and media data destruction

HHS recommends starting with an organizational risk analysis, which then guides the protocol you develop to protect patient records (PHI) and financial data. This top-level review is the foundation for a comprehensive HIPAA data destruction plan and for the chain of custody covering disposition of every data-bearing asset. The overall goal is that a patient’s health information is shredded or erased so thoroughly that it cannot be recovered from the disposed device.

HIPAA Data Breach Risk Analysis Planning

Every HIPAA-covered entity is responsible for conducting its own risk analysis and writing its own data destruction plan for its data and assets. Consider the following as your legal, IT, asset disposition and other departments create an internal plan that meets the HIPAA data destruction guidelines:

  • What data does your organization maintain, and where is it stored? Has every piece of equipment and every device in the asset recovery process been identified and isolated? (See our list of common data storage devices.)
  • Is your organization’s data disposal plan up to date (and reviewed regularly)?
  • Are all asset tags and corporate identifying marks removed when a device reaches end of life or end of lease?
  • Is data destruction of the organization’s assets handled by a certified data destruction provider? (Learn more about NAID AAA certified data destruction.)
  • Have the individuals handling the organization’s assets cleared workforce security processes and undergone appropriate asset disposition and data destruction awareness training?
  • Is onsite hard drive shredding (or other data destruction method) required?
  • Is IT equipment staged/stored securely, including lease returns and IT refresh programs, prior to transfer to external sources for disposal or destruction?
  • What are the logistics and security controls in moving the equipment?
  • What is your IT asset chain of custody protocol? Are you prepared for an audit if there is a data breach or question of responsible management?

If this list seems like a lot, consider the alternative to actively planning for and safeguarding your patients’ medical records and financial data. Under HIPAA, a covered entity that fails to meet the technical, administrative and physical safeguard requirements of the HIPAA Security Rule for its IT assets and PHI may be subject to penalties. Add to that the legal and brand consequences of a data breach.

If you have any questions about HIPAA data destruction guidelines for your company, contact your VAR, ITAD or service provider. They should have solutions that meet your company’s compliance requirements for HIPAA data destruction for all your electronic devices and media. If not, reach out to Guardian for a service provider that can help.
