HIPAA Compliant Hard Drive Destruction
When disposing of digital media containing electronic protected health information (ePHI), such as recycling unused computer equipment or destroying old computer hard drives, organizations must follow certain rules. The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), including information residing on computer hard drives and backup tapes. E-Waste Security's onsite hard drive destruction service helps health providers comply with HIPAA requirements during the computer recycling process.
Disposal of Protected Health Information
Covered entities must implement "reasonable" safeguards under the HIPAA regulations to limit the disclosure of ePHI. What is "reasonable" ePHI data destruction?
Covered entities are encouraged to consider the steps that other prudent health care information professionals are taking to protect patient privacy in connection with record disposal.
HOW TO DESTROY COMPUTER HARD DRIVES CONTAINING EPHI
The term "reasonable" is not defined precisely in the regulations, so covered entities should err on the safe side when destroying data. For example, if physical hard drive shredding is available, merely erasing (overwriting) hard drives may no longer be considered "reasonable" under HIPAA, since erasure leaves the drive intact and depends on the wipe being performed and verified correctly. Likewise, if on-site data destruction is available, allowing a vendor to remove drives containing PHI for off-site destruction may no longer be prudent, because the PHI leaves the covered entity's custody before it is destroyed.
Please see HIPAA Security Standards: Digital Data Destruction to read the regulatory text.
HIPAA: RULES FOR DESTROYING HARD DRIVES
The HIPAA Privacy and Security Rules do not require a particular disposal method; however, covered entities must review their circumstances to determine what is "reasonable" to safeguard PHI all the way through the disposal process. Proper disposal methods for digital media and computer hard drives include, but are not limited to, destroying the electronic media by shredding, incineration, melting, or pulverizing.
Organizations should assess the potential risks to patient privacy and the type and amount of PHI to be disposed of, such as names, Social Security numbers, driver's license numbers, debit or credit card numbers, and diagnosis and treatment information.
Hiring an outside vendor to dispose of protected health information is acceptable. When doing so, a covered entity MUST enter into a business associate agreement (a contract or other written arrangement) with the vendor contracted to dispose of the PHI, and the vendor is then responsible for safeguarding the PHI until it is destroyed.