Certified IT Recycling Dramatically Reduces The Risk Of PHI Data Breaches
June 26, 2012
The article "How to avoid a health data spill when recycling IT," by Steve Skurnac, President of SIMS Recycling Solutions, does a fine job explaining the background and justification for, and the importance of, medical organizations developing and implementing sound IT recycling policies and procedures.
In the opening paragraph of the article, Mr. Skurnac writes, “Safeguarding health information doesn’t end just because a product’s lifecycle ceases. And with estimates that health records carry a street value fifty times that of financial records, health entities still need to actually destroy the data – without stepping outside environmental guidelines.”
Think about the street value of health data (fifty times that of financial records) for a moment. Now think about the negative impact on a medical organization found out of compliance with the HIPAA Privacy and Security Rules as a result of a protected health information (PHI) breach.
Under the HITECH Breach Notification Rule, notification to the Office for Civil Rights (OCR) of breaches involving five hundred or more individuals must occur contemporaneously with notice to the affected individuals. This compliance requirement alone brings significant reputational risk to any medical organization.
According to an HHS report to the U.S. Congress on PHI data breaches since 2009, two hundred and fifty-two incidents occurred, affecting more than ten million patients in total. The breach reports submitted to OCR for the reporting period identified the five common causes of incidents, in rank order: 1) theft; 2) loss of electronic media or paper records containing PHI; 3) unauthorized access to, use, or disclosure of PHI; 4) human error; and 5) improper disposal.
Taking all five common causes into consideration, a medical organization without a sound IT recycling and storage media destruction policy puts itself at significant risk of experiencing a common PHI breach incident.
So how can medical organizations minimize, to the greatest extent possible, the risk of a PHI data breach when recycling?
Mr. Skurnac offers a number of valuable best practices and activities medical organizations should consider when addressing IT recycling policy and procedures. One best practice he offers is, “regardless of an agency’s internal data destruction protocols, any recycler under consideration needs to offer data destruction services compliant with the National Institute of Standards and Technology (NIST) and validation of that destruction to make certain all patient and employee data is destroyed before equipment is recycled. A recycler that can perform on-site degaussing and hard drive destruction provides an agency with another layer of security.”
This “other layer of security” is critical to dramatically reducing the risk of PHI data breaches. The service is called Destruction Beyond Hard Drives (HDD), and it is highly recommended to select a qualified vendor that can perform the destruction on site. Vendors that provide HDD services are capable of destroying any and all memory storage devices and issue a Certificate of Destruction when they do. The Certificate of Destruction lists the serial number and other identifying details of each memory storage device, so that its destruction can be verified against the organization's own records.
The Destruction Beyond Hard Drives process and its certification methods meet HIPAA standards for the destruction and certification of PHI memory storage.
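The validation step the article calls for only works if someone actually compares the recycler's Certificate of Destruction against the organization's own asset inventory. The script below is an added example (not from the article or from SIMS Recycling Solutions) of that reconciliation: it reads a constructed inventory of retired devices and a constructed certificate, and reports decommissioned devices that never appear on a certificate, serials on the certificate that the organization never owned, and devices whose recorded destruction method is not accepted for their media type. The CSV layouts and the table of accepted methods per media type are assumptions for the example; the one real constraint encoded there is that degaussing only affects magnetic media, so a degaussed SSD is not verified destruction.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample data (not from the article): the organization's list of
# retired devices, keyed by storage-device serial number.
INVENTORY_CSV = """asset_tag,serial,media_type,status
MED-0101,WD-ABC123,hdd,decommissioned
MED-0102,ST-XYZ789,hdd,decommissioned
MED-0103,SAM-SSD001,ssd,decommissioned
MED-0104,USB-77A1,usb,decommissioned
MED-0105,WD-DEF456,hdd,in_service
"""

# Constructed Certificate of Destruction as the recycler might return it.
# Note the SSD recorded as "degauss" and a serial the organization never owned.
CERTIFICATE_CSV = """serial,method,destroyed_on,on_site
WD-ABC123,shred,2012-06-20,yes
ST-XYZ789,degauss,2012-06-20,yes
SAM-SSD001,degauss,2012-06-20,yes
LG-UNKNOWN9,shred,2012-06-20,yes
"""

# Assumed policy table: which destruction methods count as verified destruction
# for each media type. Degaussing works on magnetic platters only, so flash
# media (SSD, USB) must be physically destroyed.
ACCEPTED_METHODS = {
    "hdd": {"shred", "degauss"},
    "ssd": {"shred"},
    "usb": {"shred"},
}


@dataclass
class Reconciliation:
    verified: list = field(default_factory=list)               # certified with an accepted method
    missing_certificate: list = field(default_factory=list)    # decommissioned, never certified
    wrong_method: list = field(default_factory=list)           # certified, but method unfit for media
    unknown_on_certificate: list = field(default_factory=list) # certified serial not in inventory
    off_site: list = field(default_factory=list)               # destroyed away from the premises


def parse_csv(text):
    """Parse a CSV document with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_rows, certificate_rows):
    """Compare a Certificate of Destruction against the asset inventory."""
    inventory = {row["serial"]: row for row in inventory_rows}
    certificate = {row["serial"]: row for row in certificate_rows}
    result = Reconciliation()

    # Every serial the recycler claims to have destroyed must be one we owned,
    # and the method must be acceptable for that device's media type.
    for serial, cert in certificate.items():
        asset = inventory.get(serial)
        if asset is None:
            result.unknown_on_certificate.append(serial)
            continue
        if cert["on_site"].strip().lower() != "yes":
            result.off_site.append(serial)
        if cert["method"] in ACCEPTED_METHODS.get(asset["media_type"], set()):
            result.verified.append(serial)
        else:
            result.wrong_method.append(serial)

    # Every decommissioned device must appear on a certificate; a device that
    # left the building without one is exactly the "improper disposal" case.
    for serial, asset in inventory.items():
        if asset["status"] == "decommissioned" and serial not in certificate:
            result.missing_certificate.append(serial)
    return result


def run_sample():
    """Reconcile the constructed inventory and certificate above."""
    return reconcile(parse_csv(INVENTORY_CSV), parse_csv(CERTIFICATE_CSV))


if __name__ == "__main__":
    r = run_sample()
    print("verified:              ", r.verified)
    print("missing certificate:   ", r.missing_certificate)
    print("wrong method for media:", r.wrong_method)
    print("unknown on certificate:", r.unknown_on_certificate)
    print("destroyed off site:    ", r.off_site)
```

Each non-empty finding list is something to raise with the vendor before the equipment leaves: a missing certificate means a device may have been recycled with its PHI intact, a wrong method means the certificate does not prove destruction for that media type, and an unknown serial means the inventory and the certificate are not describing the same shipment.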