Health Records & HIPAA
Security should be a top concern when upgrading
to electronic health records to avoid a data breach.
Compliant Data Destruction and Sanitization
Whether you operate a one-person practice or are part of
a hospital, there is a greater than 50% chance that
you are in violation of HIPAA's Final Security Rule,
which establishes a set of standards to protect
the confidentiality, integrity and availability
of electronic health information. These standards
receive limited attention even though they
are required to ensure the security of electronic health information.
"HIPAA Security Rule requires that covered
entities implement policies and procedures to address
the final disposition of electronic PHI and/or the
hardware or electronic media on which it is stored,
as well as to implement procedures for removal of
electronic PHI from electronic media before the
media are made available for re-use. See 45 CFR
164.310(d)(2)(i) and (ii)."
Many of the healthcare providers we speak with or visit, from
small doctors' offices to large healthcare providers,
are in violation of either the Final Security Rule's
Disposal or Media Re-use requirements, and most
were not even aware of the violation. One of the
most preventable problems we encounter is the lack
of security for the information that sits dormant
on obsolete electronics or media once the new, upgraded
systems needed for electronic health records (EHRs)
are purchased. Being proactive, like good medicine,
is the key to staying compliant with the Final Security
Rule and preventing a costly data breach.
Vice President Joe Biden announced that $1.2 billion
in federal grants is being made available for EHRs,
along with a total of $36 billion in stimulus money
over the next six years. With money finally starting
to flow so healthcare organizations can make the
switch to EHRs, it is vital that the necessary security
steps are taken to address HIPAA's Final Security
Rule. See the complete Health Insurance Reform: Security
Standards; Final Rule for the full text of the requirements.
Over the past several years, millions of data files have
been improperly exposed to unauthorized individuals.
This includes breaches caused by unsecured information
sitting on obsolete electronics that should have been destroyed.
As organizations upgrade systems for EHRs, the
amount of obsolete electronics holding personal
data will continue to grow. If this information
is neglected it will create extremely costly
data breaches, perhaps eliminating portions of the
billions in savings the government predicts
EHRs will create each year.
Data protection can be overwhelming, but when broken
down into its parts it is a simple policy
that can be implemented by an organization regardless
of its size. Solving a major problem can be as easy
as having a third party come on-site to destroy
retired electronic media (such as printers and hard
drives) in a matter of hours for very little cost.
Considering that one piece of electronic media can
hold thousands of documents, data sanitization must
be performed on all retired electronics. Note that deleting
files or reformatting a drive does not remove the data and
does not satisfy the requirement; the media must be cleared,
purged or physically destroyed using a recognized standard
such as NIST SP 800-88, Guidelines for Media Sanitization.
Having a data security plan and putting it in place before
a breach occurs sounds obvious, but many organizations
overlook it. According to the Ponemon Institute,
the majority of the 213 CEOs and other C-level executives
surveyed in a recent study were not confident in
their company's ability to safeguard sensitive and
confidential information; 94% of them also reported
that their data had been attacked in the last
six months. Remember, being proactive is the key
to data protection. If you are always reacting to
data breaches, fixing each one will cost more
than the original solution would have.
Investing in a data security plan is not only good for data
security; it is also a great return on investment.
A proper data protection plan not only creates security,
it produces a 432% ROI through cost savings alone,
according to the Ponemon Institute.
One step that is a vital part of a successful data protection
plan is choosing a specialist to perform on-site
sanitization of electronic media. Once medical systems
start to be upgraded a surplus of electronics will
be created, all of them holding patient information
that needs to be destroyed in compliance with HIPAA.
Forgetting about the security of retired electronics
can mean a fine or, worse, a civil suit.
The HITECH Act allows state attorneys general to sue on behalf
of data breach victims in civil court. Having a
third party provide a Certificate of Data Sanitization
after they sanitize your media is the only way to
properly prove that data sanitization has been done.
Remember, a facility cannot audit itself.
When choosing a specialist to perform data sanitization,
make sure they certify their data sanitization and
ensure compliance with federal regulations. Having
a third party perform data sanitization not only
puts the task into the hands of professionals who handle
data sanitization on a day-to-day basis, it also
gives you an audit trail that verifies the work
was done. If at any point the question arises about
what happened to the data, you will have the documentation
showing that the information was destroyed. That
documentation should identify each device by make, model
and serial number, the sanitization method used, the date,
and who performed and witnessed the work, so that any
drive can later be traced back to its record.
Having a paper trail is just as important as having
the work done.
The healthcare industry has made security procedures
like paper shredding a common practice. The same
care and security need to be given to
electronics, and the files on their hard drives, that
become obsolete as new equipment is purchased for
upgrades. The time needs to be spent now on resolving
the issue of retired healthcare electronics and
their data before more money has to be spent on
costly, preventable data breaches. Be proactive
in your organization's approach to data security
and data sanitization and be among the leaders
in the healthcare industry. Don't allow a data breach
or HIPAA violation to shed a bad light on your organization
and make it the example of what not to do. In the
end, data security can be very simple to implement
and is proven to help the bottom line.
Call 520-406-7446 for a free on-site consultation.