Australia was just hit with one of the largest breaches in its history. Hackers stole both PII and health information on 12.9 million people, including their prescription history. In the U.S., health agencies and any company holding health information must protect the privacy and confidentiality of health-related information.
The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule is a privacy law under which healthcare providers let patients determine who can access their health information. Medical practices and companies must also manage their medical records properly. The AMA’s Code of Ethics states:
- Have policies in place that prohibit unauthorized staff from accessing patient medical records. Your communications team doesn’t need to be able to read a patient’s chart before that patient goes for surgery.
- Establish timelines for how long medical records are held, based on how far back in a patient’s medical history a doctor would need to see in order to provide treatment.
- Securely store records until they’re transferred to another physician at the patient’s request or destroyed.
- Ensure that medical records or electronic equipment used in their storage are destroyed before being recycled or discarded.
Whether you’re a medical clinic, hospital, or private practice, it’s your responsibility to ensure that electronic protected health information (ePHI) is secure. Electronic health records (EHR) are convenient and easy to share between specialists and practices, but they also require top security to prevent breaches and unpermitted access. If you’re updating your office equipment, you must ensure security throughout the electronics recycling process.
The Consequences of Data Breaches From Improper Data Disposal or Security Practices
Back in 2013, Advocate Health Care had four computers stolen, followed by the theft of another laptop a few months later. On those computers were unencrypted records for over 4 million patients. The information thieves could access included credit card information, health insurance information, names, addresses, and birth dates. The agency was handed a $5.5 million fine for failing to follow HIPAA standards.
Also occurring in 2013, Seton Healthcare had a laptop stolen. Despite requirements that encryption software be installed, this laptop didn’t have it. Patient names, addresses, contact information, SSNs, medical records, health insurance information, and account numbers for 5,500 patients were on it. While there are no reports of fines being handed down, a fine is likely. The HIPAA Omnibus rule laid out the following fines for HIPAA violations effective February 18, 2009.
- Reasonable diligence was followed: $100 to a maximum of $50,000 per violation.
- No willful neglect but due diligence wasn’t followed: $1,000 to a maximum of $50,000 per violation.
- Willful neglect that was corrected promptly: $10,000 to a $50,000 maximum per violation.
- Willful neglect that wasn’t corrected in a timely manner: $50,000 minimum per violation to a yearly maximum of $1.5 million.
How Do You Protect ePHI When Recycling?
The most important rule is that ePHI is deleted before any electronic device is recycled or refurbished for reuse. You need to carefully choose who handles data destruction and recycling. If it’s going to go overseas where you have no idea where it ends up, it’s not worth the risk. Choose a provider that provides proof of data destruction and processes electronics in a U.S. facility.
There are several ways to destroy data, and some are not right for destroying medical information. If you think deleting files takes care of everything, you’re wrong. Deleting a file only removes the pointer between the file and the app or software that accesses it; the data itself stays on the storage until something overwrites it. Someone with the right knowledge can rebuild that pathway and get to the information.
A factory restore also isn’t enough. It helps, but there are still ways to get the information if you have the knowledge. Data destruction is essential, and there are a few ways to do it.
Data sanitization involves the use of high-powered magnets (degaussing) on older magnetic storage equipment like HDDs or tapes. Newer technology like SSDs requires specially designed software that overwrites the stored information with 0s and 1s so many times, and in random patterns, that it is impossible to access the overwritten data.
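To make the difference between deleting and overwriting concrete, here is an added Python example that is not ERI's code or tooling. It models a toy block device as raw sectors plus a directory: an ordinary delete only drops the directory entry, and the record can still be carved out of the raw media; a software overwrite of every sector, followed by a read-back verification, removes it. The disk geometry, file name and patient record are all constructed for the example. One caveat for real hardware: SSD firmware remaps sectors behind the host's back, so a host-side overwrite may not reach every cell, and NIST 800-88 points to the drive's own built-in sanitize or cryptographic-erase command for that case.

```python
import secrets

SECTOR_SIZE = 512   # bytes per sector (constructed toy geometry)
SECTOR_COUNT = 64   # 32 KiB toy disk (constructed)


class ToyDisk:
    """A tiny block device: raw media plus a directory mapping file names to
    (first_sector, byte_length). This models the split between filesystem
    metadata and the data blocks it points at. Constructed for illustration."""

    def __init__(self):
        self.media = bytearray(SECTOR_SIZE * SECTOR_COUNT)
        self.directory = {}
        self._next_free = 0

    def write_file(self, name, data):
        needed = -(-len(data) // SECTOR_SIZE)          # ceiling division
        if self._next_free + needed > SECTOR_COUNT:
            raise OSError("toy disk full")
        offset = self._next_free * SECTOR_SIZE
        self.media[offset:offset + len(data)] = data
        self.directory[name] = (self._next_free, len(data))
        self._next_free += needed

    def read_file(self, name):
        first, length = self.directory[name]
        offset = first * SECTOR_SIZE
        return bytes(self.media[offset:offset + length])

    def delete_file(self, name):
        # An ordinary delete: only the directory entry goes away.
        # The sectors that held the data are untouched until reused.
        del self.directory[name]


def carve_for_marker(media, marker):
    """Check for residual data: search the raw sectors for a known record
    marker, ignoring the directory entirely. True means data is still there."""
    return media.find(marker) != -1


def overwrite_media(disk, passes=3):
    """Software overwrite of every sector: random fill on the early passes,
    a fixed zero fill on the last so the result can be verified by read-back."""
    for p in range(passes):
        last = (p == passes - 1)
        for s in range(SECTOR_COUNT):
            start = s * SECTOR_SIZE
            fill = bytes(SECTOR_SIZE) if last else secrets.token_bytes(SECTOR_SIZE)
            disk.media[start:start + SECTOR_SIZE] = fill
    disk.directory.clear()
    disk._next_free = 0


def verify_overwrite(disk):
    """Read back every sector and list those that are not all-zero.
    An empty list means the final pass reached every sector."""
    bad = []
    for s in range(SECTOR_COUNT):
        start = s * SECTOR_SIZE
        if any(disk.media[start:start + SECTOR_SIZE]):
            bad.append(s)
    return bad


def demonstrate():
    """Write a record, delete it, show it is still carvable, then overwrite
    and verify. Returns the observations at each stage."""
    disk = ToyDisk()
    # Constructed sample record; no real patient data.
    record = b"PATIENT-RECORD|Jane Doe (constructed)|Rx: example-med 10mg\n" * 20
    disk.write_file("chart_0001.txt", record)
    disk.delete_file("chart_0001.txt")
    after_delete = {
        "in_directory": "chart_0001.txt" in disk.directory,
        "carvable": carve_for_marker(disk.media, b"PATIENT-RECORD"),
    }
    overwrite_media(disk)
    after_overwrite = {
        "carvable": carve_for_marker(disk.media, b"PATIENT-RECORD"),
        "unverified_sectors": verify_overwrite(disk),
    }
    return after_delete, after_overwrite


if __name__ == "__main__":
    deleted, wiped = demonstrate()
    print("after delete:   ", deleted)
    print("after overwrite:", wiped)
```

The verification step is the part a recycling partner's certificate of destruction should be backed by: a read-back that confirms the overwrite pattern is actually present on every sector, not just a log entry saying the wipe ran.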
If there is no life left in a device, physical destruction is optimal. Once a hard drive or storage device has been chopped into hundreds of pieces, it’s impossible to get it back. This is one of the best options for data destruction.
Getting computers, tablets, fax machines, radiology equipment, etc. to a facility for data destruction is the next consideration. It’s going to be on trucks, which means you have to hope it reaches the destination.
Look for companies that offer real-time tracking with a secure transportation company. Get a certificate that items have been picked up for processing, and you protect yourself if something does happen. Better, work with a company like ERI that destroys data at your location for complete peace of mind.
Recycle E-Waste Responsibly
Responsible e-waste recycling is essential. Ten years ago, studies found one of the commercial districts in Accra, Ghana, was one of the most polluted places on earth. Arsenic, cadmium, lead, and mercury reached concentrations more than 100 times safe levels.
Countries around the world were sending their e-waste to this area where children and adults worked to dismantle what was salvageable and burn the rest. Companies were profiting off Ghana’s impoverished families. Changes have taken place since then, but people need to carefully choose their data destruction and e-recycling partners.
Make sure the company you partner with destroys data and processes all salvageable and recyclable components within the U.S. ERI is one of the nation’s largest data destruction and e-recycling providers. Everything we do is carefully planned to ensure everything is safely processed in the U.S. by our workers. Their safety is just as important to us, and that’s why we work hard to retain ISO, e-Steward, R2, and several other certifications.
Our data destruction processes meet whatever level of security you require. For most electronics storing ePHI, NIST 800-88 Rev1 standards are sufficient, but we offer enhanced data destruction if you need it. ERI also offers on-site data destruction if you’d rather witness data being destroyed before devices leave your building.
- Source: https://eridirect.com/blog/2024/07/secure-recycling-data-security-and-recycling-health-information-systems/