HIPAA ALERT: HHS Issued Guidelines on e-Device Disposal

The United States Department of Health and Human Services (HHS) recently issued guidance on how to properly dispose of electronic devices to prevent data breaches.

Healthcare organizations are prime targets for data breaches. Often times, detailed security plans are put in place to protect networks from online vulnerabilities, but they fail to cover offline equipment with the same sense of urgency.

The HIPAA Security Rule requires covered entities and business associates to securely dispose of electronic devices such as desktops, laptops, servers, USB drives and hard drives to ensure the Protected Health Information (PHI) cannot be retrieved.

Improper disposal of these devices puts organizations at huge, unnecessary risk. Ponemon Institute’s 2018 Cost of a Data Breach Study found that healthcare organizations lose an average of $408 for each lost or stolen record after a breach. According to the study, costs include investigation, filings, loss of business, reputation loss, and employee time spent on recovery.

In the notice, HHS stresses that electronic media should be cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization and recommends the following:

Considerations

• What data is maintained by the organization and where is it stored?
• Is the organization’s data disposal plan up to date?
• Are all asset tags and corporate identifying marks removed?
• Have all asset recovery-controlled equipment and devices been identified and isolated?
• Is data destruction of the organization’s assets handled by a certified provider?
• Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
• Is onsite hard drive destruction required?
• What is the chain of custody?
• How is equipment staged/stored prior to transfer to external sources for disposal or destruction?
• What are the logistics and security controls in moving the equipment?

Decommissioning Steps

• Ensure devices and media are securely erased and then either securely destroyed or recycled.
• Ensure inventories are accurately updated to reflect the current status of decommissioned devices and media or devices and media slated to be decommissioned.
• Ensure data privacy is protected via proper migration to another system or total destruction of the data.

PHI Destruction and Disposal

• Determine and document the appropriate methods to dispose of hardware, software, and the data itself.
• Ensure that ePHI is properly destroyed and cannot be recreated.
• Ensure that ePHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused.
• Identify removable media and their use (tapes, CDs/DVDs, USB thumb drives).
• Ensure that ePHI is removed from reusable media before they are used to record new information.

How can healthcare organizations implement these recommendations? Find an IT asset disposition (ITAD) partner who can verify their hard drive data destruction processes are compliant with NIST standards and certified to e-Stewards or R2 to ensure all equipment, and the data contained, is handled securely and responsibly.

As the only fully certified ITAD provider in the region, SEAM helps healthcare organizations safely and securely dispose of, recycle or resell their IT equipment to meet all HIPAA requirements and provides transparent reports for auditable proof and complete chain of custody. Contact SEAM for a free risk audit of your South Dakota, North Dakota, Iowa or Nebraska healthcare organization’s current policies and procedures.