HIPAA Compliant Computer Disposal Philadelphia


How Expensive Is A HIPAA Violation for Data Breach?


Ever wonder how much it costs a company if they violate HIPAA Regulations and a patient’s personal information is divulged due to improper Media or Data Storage destruction and handling?

As an example, it cost the Cancer Care Group $750,000 in 2016.

Cornell Prescription Pharmacy was fined $125,000 for HIPAA Violations because they failed to execute data destruction on some paper documents, and hundreds of patients’ information was divulged.

Another health care system was fined $850,000 when a laptop that was left in storage was stolen.


Employee theft of old laptops, computers, thumb drives, printers, and many types of media is one of the most common ways data is breached. Why? Because rather than properly disposing of these devices and media storage tools, they are often placed in back rooms, or in storage, and employees, thinking that these devices are just collecting dust, take them home, and sometimes resell them online. Unfortunately, many of these devices still contain huge data files with patients’ PHI on them, and if discovered, the health care system is 100% responsible for this violation for failure to properly secure a patient’s PHI.

How stringent is HIPAA about these sorts of violations? Very. Some of the largest fines levied against a health care facility have been the result of an employee having a laptop stolen from their personal vehicle. You are responsible for securing PHI, maintaining chain of custody, having a plan in place to destroy it, and properly training employees so they don’t expose PHI. And if they do, you will be held responsible for HIPAA Violations.

It is important to not leave old computers, laptops, mini-discs, CD’s, DVD’s, thumb drives, and even printers in storage, or worse, to throw them in the dumpster. These devices must all be destroyed, and destroyed properly to make sure you are not charged with a HIPAA violation and have to deal with the subsequent fines that come with it.

How to Perform HIPAA Compliant Computer Disposal

The first thing you need to know is that HIPAA DOES NOT in ANY WAY provide guidelines, suggestions, recommendations or in any way mandate methods or procedures by which you “should” dispose of computers containing PHI (Protected Health Information).

You may find websites that imply this is the case. They may insinuate there are HIPAA Compliant methodologies for destroying PHI. This is NOT the case at all. If you read the Physical Security Standards Section of the HIPAA rules, you will see clearly that they do not in any way advise you as to HOW you can or should dispose of computers or media.

What they do say is that you must protect your patients’ PHI (Protected Health Information) when disposing of technology, and you must have in place YOUR PLAN for how you are going to do that.

So if you see a website suggesting they have “HIPAA Compliant” Computer Disposal, describing degaussing, crushing, etc. as being “HIPAA Compliant”, what you need to know is that NONE of these methods are suggested, recommended, or recognized as “HIPAA compliant computer and media disposal” BY HIPAA. And if you use any of these methods, and PHI is divulged, you are still on the hook for it.

In a nutshell what HIPAA says is this: Make sure YOU do whatever YOU have to do to make sure you don’t divulge PHI. You must document the destruction properly and maintain control of your computers and media 100% until they are verified to have been destroyed. This is what you must do to comply with HIPAA – you must destroy all PHI and make sure nobody can ever recover it by whatever means YOU choose, and if you get it wrong, you will have to deal with the consequences of a major HIPAA violation.

Here is EXACTLY what HIPAA Says About Computer and Media Disposal:

HIPAA requires policies and procedures that address the disposition of protected health information (PHI) and the hardware that it’s stored on. All PHI must be removed from media before items are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii).

How Do You Dispose Of Your Computers and Comply with HIPAA Physical Standards?

The bottom line is, you need to dispose of your computers, laptops, tablets, printers (yes, printers often have data stored on them now), thumb drives, CD/DVD drives, CD’s, and all other forms of media using a method that guarantees 100% that there is no recoverable PHI on them.

And the truth is, there isn’t any one machine or device that can guarantee no PHI has been missed. As an example, we often find CD’s left in CD/DVD drives with huge files of PHI left on them. No machine can find that kind of media.

The ONLY way to make 100% certain none of your patients’ PHI is lost or recovered is to go through a step-by-step process for checking each device carefully, testing it, inspecting it, and then destroying the components that need to be destroyed using a machine that shreds everything in a way no data could ever be recovered, and then testing everything again, inspecting it again, and then testing it again.

As an example, there are some forms of media storage devices that must be shredded down to pieces smaller than two millimeters to make sure no data can be recovered from them. These same media storage devices are also often smaller than a quarter in size, and are easily dropped and/or misplaced and can have Gigabytes of PHI on them.

LifeCycle Shred Data Destruction

Contact Us Today for HIPAA Compliant Computer Disposal Philadelphia, New Jersey, and Delaware.

Physically Checking and Inspecting

You can’t just look at an electronic component and know there isn’t any data stored there. You have to physically inspect each component and know what you are looking for. As an example, we often find CD’s and DVD’s with PHI on them left inserted in old DVD drives on laptops and desktop computers. That is why we have to power up and check every single drive.

There are storage devices as small as your thumbnail that can store many Gigabytes of PHI on them. If you don’t know where to look for them, they can easily be overlooked, and cause a huge PHI leak.

Physical Security Standards also insist upon chain of custody controls. At Life Cycle Solutions we know this, and we designed our entire HIPAA Compliant Computer Disposal Philadelphia Process around documenting and maintaining chain of custody from pick up of your computers and media until final disposition.

Final Disposition

At Life Cycle Solutions, we use only state of the art computer recycling and media destruction methods. We test everything, and then test it again. We don’t just “smash” hard drives and storage components (this is more common than you might imagine). We grind them up (called hard drive shredding) into tiny little pieces that can never be reassembled.

Certificate of Destruction for HIPAA Compliant Computer Disposal Philadelphia

We provide a Certificate of Destruction upon request. For HIPAA Compliant Computer Disposal Philadelphia and Media Disposal, documentation of final disposition is always going to be safer than no documentation. If you are ever audited for HIPAA Compliance, it is better to be able to prove the final disposition of any computers or media that contained PHI than to simply say “we had them destroyed.” Chain of Custody is important to maintain HIPAA Compliance. A Certificate of Destruction will go a long way toward this end.

Environmental Considerations – Where Do Your Computers and Electronics End Up?

When you dispose of computers and electronics, it is important to know that many of the metals and chemical compounds used to build electronics are terrible for the environment. When we perform computer recycling and electronics recycling, none of those components or compounds will end up in a landfill, in an overseas landfill, at an overseas “chop shop”, or worse, in the ocean itself.

Unfortunately, all of these things can happen and do happen every day around the world. But if you work with us, you can rest easy knowing that we verify ALL of our downstream vendors. We know precisely where your materials end up. We verify it because we care a great deal about the environment, and we know our customers do as well.

But beyond just caring about the environment – your e waste is ultimately your company’s responsibility. You have to make certain it is disposed of properly. The last thing you want is the Environmental Protection Agency (EPA) showing up at your office to investigate you because they found your electronic components in a landfill. The fines and the cost of environmental remediation can be astronomical. Where your e waste ends up matters.

This is why Life Cycle Solutions is R2 Certified, and a member of NAID – because we believe in what these associations are doing, and we know there must be standards developed, maintained, and verified so E waste is disposed of ethically and responsibly. Otherwise, people just tend to “do whatever.”