Meeting HIPAA Hard Drive Destruction Regulations
July 13, 2014
All healthcare covered entities, whether a single physician practice or a large medical center, must meet Health Insurance Portability and Accountability Act (HIPAA) regulations regarding the proper disposal of electronic media that contains electronic patient health information (EPHI), both at end of life and at the time of re-use. It is important to follow these regulations, as HIPAA allows fines of up to $250,000 and 10 years in prison for each violation of the EPHI privacy rules.
For end of life, HIPAA requires that all hard drives and media disks must first be “rendered unusable and/or inaccessible”. A healthcare covered entity can do this in a variety of ways, and reformatting or overwriting the hard drive is not one of those ways, as it is ineffective at stopping determined people from getting access to sensitive data. You need a destruction technology that is easy to use and very effective.
Clearing is a method of using software or hardware products to overwrite media with non-sensitive data. While this is effective in wiping the data on the hard drive, it can be a slow process and requires you to start up every computer in order to wipe it. This process might work best for the small to medium-sized physician practice.
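As an added example that is not part of the original post, the following Python routine implements the clearing method described above as an overwrite pass followed by a full read-back verification; pointed at a block device node it overwrites every sector the operating system can address, and the demo function exercises it on a constructed temporary image file (standing in for a drive) so that it runs without touching real media. The function names and the fake record text are assumptions made for this example.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write unit


def _device_size(path: str) -> int:
    """Size in bytes of a regular file or a block device (seek to end)."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def overwrite_device(path: str, fill: int = 0x00, passes: int = 1) -> int:
    """Overwrite every addressable byte at `path` with the byte `fill`,
    `passes` times, syncing to disk after each pass. Returns bytes per pass.
    Caveat: software overwrites only reach sectors the OS can address;
    sectors the drive has remapped to its spare pool are not touched."""
    size = _device_size(path)
    block = bytes([fill]) * CHUNK
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_overwrite(path: str, fill: int = 0x00) -> int:
    """Read the whole device back. Returns the offset of the first byte that is
    not `fill`, or -1 if every byte matches (the overwrite is verified)."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            data = f.read(CHUNK)
            if not data:
                return -1
            if data != bytes([fill]) * len(data):
                return offset + next(i for i, b in enumerate(data) if b != fill)
            offset += len(data)


def demo_clear_image(size: int = 4 * CHUNK + 123) -> tuple:
    """Constructed sample: a temp file filled with fake record text stands in
    for a drive image. Returns (bytes_written, first_mismatch_before, after)."""
    fake = (b"PATIENT RECORD 00000 (constructed sample data) " * (size // 40 + 1))[:size]
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(fake)
        path = tmp.name
    try:
        before = verify_overwrite(path)   # 0: first byte is already not zero
        written = overwrite_device(path, passes=3)
        after = verify_overwrite(path)    # -1: every byte now reads back as zero
        return written, before, after
    finally:
        os.unlink(path)
```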
Degaussing is another method. It uses a strong magnetic field applied to the magnetic media to fully erase the data. The degaussing equipment must have a high enough coercivity rating (magnetic power) to overcome the drive’s magnetic field and completely erase its stored information. The NSA/CSS evaluates degaussers and has published a list of approved devices for the erasure of sensitive or classified magnetic storage devices.
If a covered entity does not have access to degaussing equipment, another way to dispose of the EPHI is to physically damage the drive beyond repair so that the disks inside cannot possibly be spun up or read from, making the data inaccessible. This can be done by crushing, shredding, incinerating or mechanically incinerating the drive unit. The EPHI residing on a deformed hard drive is still intact, but it is much more difficult to retrieve.
Many companies choose to outsource the destruction of hard drives, primarily due to the cost of the destruction equipment ($1000 to $50,000) or the volume of disks (too few or too many) that need to be destroyed. Many of these disk destruction service companies also provide recycling services for the destroyed disks.
Lastly, don’t forget that many printers contain hard drives that save images of the documents that your company printed, copied or scanned and they must also be destroyed.