
Data Destruction for HIPAA compliance


HIPAA (the Health Insurance Portability and Accountability Act) requires covered entities to protect PHI (Protected Health Information) from disclosure to unauthorized parties throughout its creation, storage, and transmission.

PHI covers almost all information about a patient:

1)     any information that identifies the patient as an individual, including name, phone number, email address, Social Security number, health insurance subscriber number, credit card information, photographs, etc.

2)     the patient's medical information, including medical conditions, prescriptions, X-ray images, blood test reports, etc.

Noncompliance may result in fines ranging from $100 to $50,000 per violation, with an annual cap on penalties for violations of the same provision within a calendar year. Many OCR (Office for Civil Rights) HIPAA settlements have exceeded $1 million. The largest as of September 2016 was $5.5 million, paid by Advocate Health Care over several breaches that together affected about 4 million individuals.

Improper disposal of PHI is regularly listed among the ten most common HIPAA violations.

Typical causes are employees throwing paper records into the ordinary trash, or disposing of USB drives, external hard drives, or whole computers without first destroying the data they hold.

PHI on paper is easily dealt with in a document shredder. Completely deleting ePHI (electronic Protected Health Information), that is, PHI stored on a computer, is not as simple: running 'delete' or a quick 'format' on Windows removes only the file-system references to the data, while the underlying bytes stay on the media until they happen to be overwritten, so ordinary recovery tools can bring them back. A device is usually holding the most data at the moment it is retired, so disposing of it without data destruction can expose a very large amount of information at once. SSDs add a further complication: wear levelling and spare (over-provisioned) flash mean a software overwrite may never touch every cell that once held data, which is why NIST SP 800-88 prefers the drive's built-in sanitize commands (ATA Secure Erase, NVMe Sanitize) or cryptographic erase over a plain overwrite for flash media.

Standard §164.310(d)(1), Device and Media Controls, as explained in HHS HIPAA Security Series 3 (Security Standards: Physical Safeguards), requires a covered entity to "implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored" (the Disposal specification) and to "implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use" (the Media Re-use specification); both are required, not addressable. The guidance gives three example methods for rendering ePHI unusable and/or inaccessible: erasure (overwrite) software, degaussing, and physical destruction.

Secudrive Drive Eraser is one such erasure-software solution: it erases data on computer hard drives, USB flash drives, external hard drives, and SSDs, and supports about 23 international erasure standards. The software ships on a USB flash drive; plug it into the computer and run the executable, which is simple enough for non-IT staff to do on Windows. Wipe results are written back to the USB drive as logs and reports, and these tamper-evident reports can be kept as evidence of HIPAA compliance.
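To make the two points above concrete (a deleted file is still on the media; an overwrite with read-back verification and a protected report is what "erasure software" has to deliver), here is a small Python example added to this post. It is not Secudrive's code and says nothing about how Drive Eraser works internally. It builds a constructed 1 MiB disk image holding a fake patient record, shows that "deleting" the file (clearing its directory entry) leaves the record recoverable by a raw scan, then sanitizes the image with verified overwrite passes and emits an HMAC-protected report. The record, the toy directory layout, the file names and the HMAC key are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB write/verify granularity

# Constructed sample ePHI record standing in for data left on a retired drive.
SAMPLE_RECORD = b"PATIENT: Jane Doe | DOB 1970-01-01 | MRN 0004711 | DX: hypertension\n"
# Placeholder key for the demo only; a real key must never live on the media being wiped.
REPORT_KEY = b"constructed-demo-key-keep-real-keys-off-the-media"


def make_image(path: str, size: int, record: bytes, offset: int) -> None:
    """Create a raw image of `size` bytes with `record` at `offset`.
    The first 512 bytes act as a toy directory: one entry pointing at the record."""
    entry = json.dumps({"name": "jane_doe.txt", "offset": offset, "length": len(record)}).encode()
    with open(path, "wb") as f:
        f.write(entry.ljust(512, b"\0"))
        f.truncate(size)          # extend with zeros to full media size
        f.seek(offset)
        f.write(record)


def logical_delete(path: str) -> None:
    """What 'delete' or a quick format does: drop the directory entry only.
    The record's bytes stay on the media untouched."""
    with open(path, "r+b") as f:
        f.write(b"\0" * 512)


def raw_scan(path: str, needle: bytes) -> int:
    """Carve the raw media for `needle`, as a recovery tool would; -1 if absent."""
    with open(path, "rb") as f:
        return f.read().find(needle)


def overwrite_pass(path: str, size: int, pattern) -> None:
    """One full-media pass. `pattern` is a byte value, or None for random data."""
    with open(path, "r+b") as f:
        for off in range(0, size, CHUNK):
            n = min(CHUNK, size - off)
            f.write(secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n)
        f.flush()
        os.fsync(f.fileno())      # make sure the bytes reach the device, not just the cache


def verify_pass(path: str, size: int, pattern: int) -> bool:
    """Read the whole media back and confirm every byte equals `pattern`."""
    with open(path, "rb") as f:
        for off in range(0, size, CHUNK):
            n = min(CHUNK, size - off)
            if f.read(n) != bytes([pattern]) * n:
                return False
    return True


def sanitize(path: str, size: int) -> dict:
    """Zero pass, random pass, final zero pass, then read-back verification.
    Returns a report dict carrying an HMAC over its own contents."""
    for p in (0x00, None, 0x00):
        overwrite_pass(path, size, p)
    report = {
        "media": os.path.basename(path),
        "size_bytes": size,
        "method": "overwrite 3-pass (0x00, random, 0x00) + read-back verify",
        "verified": verify_pass(path, size, 0x00),
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }
    body = json.dumps(report, sort_keys=True).encode()
    report["report_hmac_sha256"] = hmac.new(REPORT_KEY, body, hashlib.sha256).hexdigest()
    return report


def report_is_authentic(report: dict) -> bool:
    """Recompute the HMAC over everything except the tag; any edit to the report breaks it."""
    tag = report.get("report_hmac_sha256")
    if tag is None:
        return False
    body = json.dumps({k: v for k, v in report.items() if k != "report_hmac_sha256"},
                      sort_keys=True).encode()
    return hmac.compare_digest(tag, hmac.new(REPORT_KEY, body, hashlib.sha256).hexdigest())


def demo() -> dict:
    """Run the whole story on a temporary constructed image and return the observations."""
    size = 1 << 20  # 1 MiB image
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "retired_drive.img")
        make_image(img, size, SAMPLE_RECORD, offset=4096)
        logical_delete(img)
        after_delete = raw_scan(img, SAMPLE_RECORD)   # record still found at 4096
        report = sanitize(img, size)
        after_wipe = raw_scan(img, SAMPLE_RECORD)     # -1: gone
    return {"after_delete": after_delete, "after_wipe": after_wipe, "report": report}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real disk you would point `sanitize` at the block device (which needs administrator rights and the device's true size), and the key used to authenticate the report has to be held somewhere other than the drive being wiped, otherwise the "evidence" can be rewritten by anyone who can rewrite the drive. As noted above, an overwrite of this kind is only trustworthy on magnetic media; on SSDs use the drive's own sanitize or crypto-erase commands.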

Degaussing and physical destruction are usually carried out by data destruction service providers because they involve physical work such as removing the hard disk from the computer (note that degaussing only affects magnetic media; it does nothing to flash-based SSDs or USB drives). Outsourcing adds a risk of loss or theft while the media is in transit or in storage at the provider, and it is relatively expensive. Secudrive Drive Eraser can therefore be one of the best options on both cost and security grounds.
