Health Records & HIPAA
Security should be a top concern when upgrading to electronic health records to avoid a data breach.
Compliant Data Destruction and Sanitization
Whether you operate a one-person practice or are part of a hospital, there is a greater than 50% chance that you are in violation of HIPAA's Final Security Rule, which establishes a set of standards to protect the confidentiality, integrity and availability of electronic health information. These standards are receiving limited attention even though they are required to ensure the security of electronic health records.
"HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii)."
Healthcare providers we speak with or visit, from small doctors' offices to large healthcare providers, are in violation of either the Final Security Rule's Disposal or Media Re-use requirements, and most were not even aware of their violation. One of the most preventable problems we encounter is the lack of security for the information that sits dormant on obsolete electronics or media when the new, upgraded systems needed for electronic health records (EHRs) are purchased. Being proactive, like good medicine, is the key to staying compliant with the Final Security Rule and preventing a costly data breach.
Vice President Joe Biden announced that $1.2 billion in federal grants is being made available for EHRs, along with a total of $36 billion in stimulus money over the next 6 years. With money finally starting to flow so healthcare organizations can make the switch to EHRs, it is vital that the necessary security steps are taken to address HIPAA's Final Security Rule. See the complete Health Insurance Reform: Standards; Final Rule for details.
In the past several years, millions of data files have been improperly exposed to unauthorized individuals. This includes breaches caused by unsecured information sitting on obsolete electronics that needed to be destroyed. With organizations upgrading systems for EHRs, the amount of obsolete electronics holding personal data will continue to grow. If this information is neglected it will create an extremely costly data breach, perhaps eliminating portions of the billions in savings the government predicts will be created each year from EHRs.
Data protection can be overwhelming, but when broken down into all of its parts it is a simple policy that can be implemented by an organization regardless of its size. Solving a major problem can be as easy as having a third party come on-site to destroy retired electronic media (such as printers and hard drives) in a matter of hours for very little cost. Considering that one piece of electronic media can hold thousands of documents, data sanitization must be performed on all retired electronics.
Having a data security plan and putting it in place before a breach occurs sounds obvious, but many organizations overlook it. According to the Ponemon Institute, the majority of the 213 CEOs and other C-level executives surveyed in a recent study were not convinced of their company's ability to safeguard sensitive and confidential information. 94% of them also reported that they had had their data attacked in the last six months. Remember, being proactive is the key to data protection. If you are always reacting to a data breach, more money will be necessary to fix the breach than the original solution would have cost.
Investing in a data security plan is not only good for data security; it is also a great return on investment. A proper data protection plan not only creates security, it creates a 432% ROI through cost savings alone, according to the Ponemon Institute.
A vital step in a successful data protection plan is choosing a specialist to perform on-site sanitization of electronic media. Once medical systems start to be upgraded, a surplus of electronics will be created, all of them holding patient information that needs to be destroyed in compliance with HIPAA. Forgetting about the security of retired electronics can result in a fine or, worse, a civil suit.
Act allows State attorneys to sue on behalf of data breach victims in civil court. Having a third party provide a Certificate of Data Sanitization after they sanitize your data is the only way to properly prove that data sanitization has been done. Remember, a facility cannot audit itself.
When choosing a specialist to perform data sanitization, make sure they certify their data sanitization and ensure compliance with federal regulations. Having a third party perform data sanitization not only puts the task into the hands of professionals who handle data sanitization on a day-to-day basis, it also gives you an audit trail that verifies the work was done. If at any point the question arises about what happened to the data, you will have the documentation necessary to show that the information was destroyed. Having a paper trail is just as important as having the work done.
The healthcare industry has made security procedures like paper shredding a common practice. This same amount of care and security needs to be given to electronics, and the files on their hard drives, that become obsolete as new equipment is purchased for upgrades. The time needs to be spent now on resolving the issue of retired healthcare electronics and their data, before more money needs to be spent on costly, preventable data breaches. Be proactive in your organization's approach to data security and data sanitization and be among the leaders in the healthcare industry. Don't allow a data breach or HIPAA violation to shed a bad light on your organization and make it the example of what not to do. In the end, data security can be very simple to implement and is proven to help the bottom line.
Call 520-406-7446 for a free on-site consultation.