HIPAA compliant hard drive destruction is a data shredding service available to Georgia healthcare facilities – free of charge.
Both confidential and secure, HIPAA shredding provides an additional physical safeguard when it comes to the security of electronic protected health information (ePHI). As such, it only makes sense for metro Atlanta hospitals and other covered entities to include hard disk destruction as part of the proper disposal of medical records.
Of course, the goal of HIPAA compliant hard drive destruction is to protect the patient’s individually identifiable health information from unauthorized access. Among the personally identifiable information (PII) at risk are the patient’s name, date of birth, Social Security number, driver’s license number, credit card and bank information, and diagnosis and treatment records.
Consequently, a HIPAA breach of protected health information could result in both identity theft and monetary loss for the patient, as well as damage to the patient’s reputation, not to mention a costly HIPAA violation citation for the covered entity.
How to Prevent HIPAA Violations
The last thing any healthcare provider wants is a HIPAA violation citation, especially due to improper disposal of patient records. To prevent stiff penalties for the covered entity, as well as significant harm to the patient, it is imperative to be in complete compliance with the HIPAA policies and procedures. That is where the designated compliance officer comes in.
Depending on the size of the covered entity, the health information management staff may have both a HIPAA Privacy Officer and a HIPAA Security Officer. As such, their job is to adhere to the HIPAA compliance requirements. That said, when it comes to the disposal of medical records, the best policy is to implement reasonable safeguards based on the HIPAA Security Rule.
HIPAA Security Rule
The HIPAA Security Rule is a valuable resource when it comes to the retention and destruction of health information. Its guidelines on how to destroy medical records are especially helpful, in particular the security requirements for electronic protected health information. Although each HIPAA security officer is responsible for the policies and procedures covering the final disposition of ePHI, those policies must nevertheless remain compliant with the HIPAA safeguards.
According to the Security Rule, the recommended safeguards fall into three categories:
- Administrative: policies and procedures addressing security measures that protect ePHI. (45 CFR 164.308)
- Physical: protection of ePHI through physical measures such as the security of equipment and facilities. (45 CFR 164.310)
- Technical: use of technology to protect ePHI and prevent unauthorized access to it. (45 CFR 164.304)
Obviously, since we are reviewing the HIPAA compliant hard drive destruction requirements, it would make sense to look at the physical safeguards.
Physical Safeguards for Electronic Protected Health Information
To better understand the meaning of physical safeguards, it is helpful to think of placing barriers or obstructions that would prevent unauthorized access to ePHI. Some examples could include: securing access to workstations, posting security guards at entrances to work locations, and limiting access to restricted areas. With that in mind, the physical safeguards outlined in the HIPAA Security Rule fall under the following areas:
- Workstation (Use and Security)
- Device and Media Controls
The Device and Media Controls standard is further subdivided into addressable and required implementation specifications. Only two are listed as required: Disposal and Media Re-use. As stated at 45 CFR 164.310(d)(2)(i) on the Department of Health and Human Services website:
“§ 164.310 (2) Implementation specifications: (i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”
In our case, a prime example of “electronic storage media containing protected health information” would be a standard hard drive. It makes sense, then, that the goal of physical safeguards would be to protect the digital health information stored on that media. One of the best ways of achieving that goal is by destroying the hard drive. That is where a hard drive destruction policy comes into play.
Hard Drive Destruction Policy
Hard disk drives and other electronic storage media are vulnerable to unauthorized intrusion and require the necessary protection. Consequently, covered healthcare facilities and providers may want to include a hard drive destruction policy as part of their health information management. The reason for destroying hard drives, of course, is that it acts as an additional means of safeguarding electronic health records (EHR).
When writing a hard drive destruction policy, it may be helpful to consider the following:
- Type of HDD destruction
- Location of destruction (onsite/offsite)
- Data to include in Certificate of Destruction
It is also good to keep in mind that the main goal of a hard drive destruction policy is to prevent unauthorized access to protected health information. By implementing reasonable safeguards, such as the shredding of HIPAA data, a covered entity adds another layer of protection to its medical records. Not only does HIPAA compliant hard drive destruction help to protect patient privacy, it also helps to avoid potential HIPAA violations.
HIPAA Compliant Hard Drive Destruction Requirements
The purpose of destroying a hard drive or other electronic storage media is to render the device unusable and/or inaccessible. In other words, the hard disk is to be damaged to the point where it is beyond repair. Keep in mind that there are several methods that will help you stay within the HIPAA compliant hard drive destruction requirements, and several options available when it comes to hard drive disposal.
Hard Drive Disposal Options
Hard drive disposal is a required implementation of the physical safeguards set forth in the HIPAA Security Rule. Fortunately, there are several options available to achieve the goal of secure hard disk disposal. In fact, the U.S. Department of Health & Human Services provides the following examples of proper disposal methods:
Although there may not be one “best way to destroy a hard drive,” any of the methods listed above will certainly do the job. Regardless of which one you choose, the result should always be the physical destruction of the hard drive. You may be interested in learning more about our free onsite hard drive shredding service. (Our shredder of choice is the Ameri-Shred AMS-150HD.)
Covered Entities Benefit From HIPAA Compliant Shredding
HIPAA compliant hard drive destruction is not limited to hospitals and healthcare facilities, but is beneficial to all covered entities. In fact, hard drive shredding services are available to:
- Health care clearinghouses
Basically, any healthcare program responsible for protecting electronic health records would benefit from adding hard drive shredding to their data destruction policy.
One of the main reasons for organizations such as HMOs and health insurance companies to destroy hard drives is that it provides an additional physical safeguard for ePHI. Shredding the media that holds digital health information renders the data unusable and/or inaccessible.
Considering that secure data shredding services are now available free of charge, it is easy to see how it would be beneficial to covered entities in Georgia.
Note: The Centers for Medicare & Medicaid Services provides a handy tool to help determine whether an individual or organization is a covered entity.
Certified Hard Drive Destruction
When destroying a hard drive containing HIPAA data, it is important to cover all the bases. That is why a CE’s policies and procedures for final disposition of ePHI should include a hard drive destruction certificate. The certificate of destruction serves as part of the documentation for the disposal of electronic health records and should include the following:
- Number of HDDs destroyed
- Method of destruction (shredding)
- Serial number of each hard drive
- Location of shredding
- Person responsible for destruction
- Final disposition of shredded HDDs
By utilizing a hard drive certificate of destruction template, the covered entity can easily document the disposal of medical records. It is simply a matter of entering the time and date along with the information listed above for each HIPAA data destruction.
Choosing a HIPAA Vendor for Data Destruction
Most covered entities will contract the services of a HIPAA vendor for their data destruction. The reason for this is that hospitals and healthcare facilities are typically not equipped to destroy hard drives.
Although it’s possible for a covered entity to purchase and operate a hard drive destroyer at their facility, it’s probably not the best use of their resources. Considering the cost of labor and equipment, hiring a hard drive destruction service that is HIPAA compliant makes more sense.
When choosing a HIPAA vendor for data destruction, it is always good to check which local shredding companies offer HIPAA compliant hard drive destruction.
HIPAA vendors that shred and properly dispose of electronic health records should always be your first choice. Of course, the hard drive shredding service that you choose should be HIPAA certified and be able to fulfill a HIPAA vendor agreement.
Why Use a HIPAA Vendor Agreement
A basic example of a HIPAA vendor agreement would be a contract between a covered entity and a hard drive shredding service. The written document spells out a mutual understanding between the covered entity and the HIPAA vendor. For the purposes of hard drive shredding, the agreement between the vendor and CE could include the following:
- Location where the hard drive destruction will take place
- Record of HDD serial numbers
- Certificate of destruction
As you can see, the HIPAA vendor agreement is adaptable to meet the specific needs of the covered entity. Perhaps the most important aspect of the vendor agreement, though, is that the service provider is HIPAA compliant. That leads us to the topic of a HIPAA Business Associate (45 CFR 160.103).
Just like a HIPAA vendor, a business associate is a person or entity who can provide a service or function for a covered entity. As such, healthcare facilities can directly hire a business associate to provide HIPAA compliant hard drive destruction. Before proceeding, though, it is important to determine if the business associate will have access to protected health information. If so, then a business associate contract or written agreement is in order.
Business Associate Contract: Written Partnership Agreement
When considering what to include in a business associate contract, the covered entity should keep in mind the HIPAA Privacy Rule. As such, one of the key components is that the business associate provides the CE with satisfactory assurances that they will appropriately safeguard the PHI. Although all of the required elements of a business associate contract can be found at 45 CFR 164.504 (e), here are some highlights:
- Define the parameters of how the business associate will use the protected health information.
- Include written assurances that the BA will not use or disclose protected health information other than as stated in the business associate contract.
- Require the business associate to implement appropriate safeguards to prevent unauthorized access to PHI.
Of course, whenever a healthcare facility or covered entity enters a contract with a business associate, it is important to have a clear understanding of any fees or costs. A mutual agreement between the two parties concerning cost of services will help to avoid future confusion.
Hard Drive Shredding Costs
When it comes to HIPAA compliant hard drive destruction, local shredding companies vary in what they charge, and fees for a secure shredding service to destroy hard drives cover a wide range. It is good to know, however, that certain factors consistently influence hard drive destruction costs:
- Location of shredding (onsite or offsite)
- Number of HDDs
- Certificate of destruction provided
- Hard drive disposal
Although the factors listed above play a significant role in hard drive shredding costs, there is a more affordable way of destroying a hard drive – free.
At Ecycle Atlanta, our customers can enjoy free hard drive destruction as part of our computer recycling service. Both the confidential shredding service and computer recycling are provided at no cost. Contact us today to schedule your HIPAA compliant hard drive destruction.
Onsite Hard Drive Destruction at Your Facility
Some of our customers may prefer having their HIPAA data shredded onsite where they can personally observe the hard disk destruction. If so, our secure onsite shredding service provides you the option of HIPAA compliant hard drive destruction at your facility. Simply contact Ecycle Atlanta to schedule our mobile shredder for your hospital or healthcare center.