HITECH Data Sanitization and Hard Drive Destruction
Complying with ePHI security enforcement
The Four Rules of HITECH and Data Destruction
The four main considerations for complying with HITECH and passing your audits are: 1) keeping an unbroken chain of custody, 2) verified data destruction, 3) detailed documentation, and 4) vendor due diligence. Keep written policies and procedures.
For organizations handling ePHI, HIPAA and HITECH compliance is critical. Don’t let your computer recycling, IT Asset Disposition, and data destruction process be the weak- link in your security protocal.
Chain of Custody
Establish a clear chain of custody for IT assets from the point of employee last use to the destruction of hard drives and SSDs. Pay especially close attention to the hard drives and SSDs where the information is stored.
Keep equipment in a locked cage to keep data out of the hands of unauthorized personnel.
On-Site Witnessed Destruction
Breaches occur when data is out of the hands of authorized personnel. ePHI contained on digital media should remain in your custody up until the point it is destroyed. Sending hard drives out for destruction may be considered a data breach.
Documentation: Certificate of Destruction
Keep an inventory of all digital media in your possession. This includes the make, model and serial number of each hard drive and SSD. Additionally, document the same information for the computer where the drive came from.
Your third-party data destruction vendor should issue a Certificate of Destruction that confirms your report. This process is critical for any audit.
Vendor Due Diligence / Certification
The HIPAA Security Rule requires healthcare organizations perform due-diligence when hiring a Business Associate. This requirement can be met by doing your own research and vetting or by using a vendor that is certified by a recognized authority.
“For practical information on how to handle the disposal of computers and digital media containing ePHI – consult NIST 800-88, Guidelines for Media Sanitization” –
Department of Health and Human Services.
HITECH Enforcement and Implications
- Increased Penalties: HITECH increased the penalties for non-compliance with HIPAA, encouraging greater adherence to data protection requirements.
- Breach Notification Requirements: Enhances the requirements for breach notifications, including notifications to the affected individuals, the Secretary of Health and Human Services (HHS), and, in some cases, the media.
- Business Associates: Expands the definition of business associates and ensures they are directly liable for compliance with certain HIPAA Privacy and Security Rule requirements.
- Audits: Mandates regular audits by HHS to ensure compliance with HIPAA and HITECH requirements.
HITECH, HIPAA, and the Security Rule
Covered entities must implement “reasonable” safeguards under HIPAA regulations to limit the disclosure of ePHI. The term “reasonable” is ambiguous, and covered entities should error on safe side for data destruction. For example, if physical hard drive shredding is available, erasing hard drives may no longer seem “reasonable” under HIPAA regulations. Also, if on-site data destruction is available, allowing a vendor remove PHI for off-site destruction may no longer be in compliance with HIPAA.