HIPAA Compliant Hard Drive Destruction: Data Destruction Guidelines

Medicus IT

By Medicus IT

Destroying a hard drive might sound like something reserved for a James Bond-type spy and espionage thriller. However, for covered entities under HIPAA, it's something that must be done from time to time.

HIPAA Compliant Hard Drive Destruction

Simply throwing out a hard drive that contains confidential information — such as patient data — puts your practice at serious risk. There is no way to be sure that all the data on a hard drive is clean, and if it gets into the wrong hands, you may be looking at some hefty fines.

To ensure that your information is safe, you must take the necessary precautions when getting rid of a hard drive.

This is where learning the HIPAA compliant hard drive destruction process can prove tremendously valuable.

Download our HIPAA Security Risk Assessment Checklist to ensure your HIPAA  Assessment is done right.

Reasonable Safeguards

The HIPAA Privacy Rule requires organizations to follow specific guidelines for destroying a hard drive. But, there is some vagueness to these rules.

The rule requires organizations that are considered covered entities to implement "reasonable" safeguards when it comes to getting rid of hard drives.

The best way to understand this is to think of all the ways you can get rid of sensitive information to ensure that it doesn't get in the wrong hands. For example, you should be shredding any documents you have with private data or information on it as opposed to just throwing them away.

So, for hard drives, physically destroying the hard drive is now the norm whereas merely erasing the data is no longer "reasonable" under HIPAA regulations.

Using a Certified Destruction Vendor

When hiring a third-party destruction vendor, HIPAA regulations require you to do proper due diligence.

Meaning that you conduct your own research and vetting to decide whether or not they meet all the requirements to be a proper destruction vendor, or you can choose one that is already certified by a recognized authority.

Proper Documentation of the Destruction

Once a hard drive is destroyed, you must have adequate documentation proving it.

A Certificate of Destruction will cover this, as it outlines the method of destruction, how many units were destroyed, what type of units, the serial numbers of every unit, where the destruction occurred (on-site or off-site), and finally, who witnessed the destruction of the drives.

Also, all digital media leaving your organization has to be inventoried and recorded so that you can establish a proper chain-of-custody.

Penalties For Failure to Comply with HIPAA and Data Destruction Regulations

As with many of the rules and regulations outlined in HIPAA, the penalties for violation of the laws can be quite severe.

Fines can range from $100 to $50,000 per violation.

If you are found guilty of intentionally selling a hard drive with information, you may be looking at $250,000 in fines and up to 10 years in prison. Any accidental, wrongful disclosure of information can equate to $50,000 in fines or a year in prison.

Just keep that in mind if you ever think about merely throwing a hard drive away as opposed to getting it destroyed.

How Medicus IT Can Help You Stay HIPAA Compliant and Keep Your Data Safe

It's essential to make sure you work with someone who understands HIPAA inside and out to avoid those costly fines for not being HIPAA compliant.

Our team has extensive knowledge of healthcare-specific IT experiences. Because of all the technological advancements in the healthcare industry, it's vital to ensure that when you're upgrading your tech and the operations of your practice, that you're continuing to remain HIPAA compliant.

By partnering with Medicus IT, we take care of you so that you can do what you do best; take care of your patients.

For more information or a free network assessment, contact us, and schedule your free network assessment today!

Get My FREE Assessment

LEAVE A REPLY