Protect Your Patient's Data - Paper Shredding Is Not Enough

HIPAA's "Final Security Rule"

§164.310 (d)(2)(i) Disposal
§164.310 (d)(2)(ii) Media Reuse
Required: Policies & procedures to address the final disposition of EPHI

As covered entities replace and update hardware and other media, electronic patient health information (EPHI) can remain on hard drives and other media. EPHI is stored on copiers, faxes, printers, imaging equipment, medical office PCs and a host of other equipment and devices. This implementation specification requires policies and procedures for preventing EPHI from being disclosed while disposing of EPHI or electronic media and devices used to store EPHI. Policies and procedures should include approved methods (HHS/CMS "Security Standards Physical Safeguards" & NIST SP-800-66-Rev1) of disposal and the process for ensuring that EPHI processed by or stored on the hardware and electronic media is no longer accessible.

Healthcare professionals are required to anticipate and protect against potential risks to the records. Allowing someone to "do it for free" in an effort to save money, or allowing a company to delay a pickup because it is not in their best financial interests, could be a de facto violation of HIPAA, since this type of recycling cannot be independently certified and because proper security protocol is rarely practiced.

Fines for Non-Compliance

The Enforcement Rule requires HHS and states' Attorneys General to issue fines of up to $50,000 per violation, up to a maximum of $1,500,000 per year. A continuing violation is deemed a separate violation for each day it occurs. The single act of disposing of a computer without first "scrubbing" the hard drive to remove electronic protected health information would violate several different HIPAA provisions.

e-End Solution

Complete compliance

e-End destroys EPHI using two methods: hard drive erasure/overwrite in compliance with DoD standard 5220.22-M and/or physical destruction of the data-containing media to meet NIST SP 800-88 guidelines. With proprietary, compact and portable media destruction equipment, e-End can perform data sanitization in a doctor's office or hospital facility with minimal disruption.

Our e-End Compliance Packet contains everything you need for your facility to comply with HIPAA's "Final Security Rule":

  • A template of policies and procedures that is easily adapted to your current IT Standard Operating Procedures.
  • Stickers to clearly mark decommissioned equipment and media for proper recycling.
  • Regular pickup schedule to avoid any appearance of impropriety and to reduce risk of civil suits.

Having A Defendable Audit Trail Is Critical

Certificates of Data Sanitization & Recycling

If one party mishandles medical information, everyone identified with the chain of possession becomes a suspect. Our Certificate of Data Sanitization and Certificate of Recycling are your proof of compliance.

Secondly, it's not only a violation of the law to improperly release individually identifiable information, but healthcare professionals are also required to anticipate and protect against potential risks to the records (§164.312/316). In fact, failure to reasonably anticipate risks itself can be interpreted as a violation of the law.

Have more questions? Call us at 240-529-1010 to speak to a disposition and data security expert!
