Safe & Sound with Marianne Kolbasuk McGee

Secure Disposal of Data: Lessons Learned

Steps to Take to Avoid Breaches

If you think your computers and protected health information are being properly destroyed because you've hired a specialized company to do the job, well, think again.

See Also: BEC Defense: Advanced Tactics to Shield Your Organization

That's a lesson that some organizations are learning the hard way.

For example, last month, Texas Health Harris Methodist Hospital Fort Worth disclosed it was contacting 277,000 patients to inform them of a breach involving decades-old microfiche medical records that were slated for destruction by business associate Shred-It International. Instead, the records were found intact in a dumpster in a public park.

That Texas Health incident is the largest 2013 breach posted to the Department of Health and Human Services' "wall of shame" tally of major breaches.

This incident joins nearly three dozen other "improper disposal" breaches listed on the wall of shame that have occurred since September 2009 and affected 500 or more individuals

While the Texas Health breach involved old microfiche records, most of the improper disposal breaches on the HHS tally were tied to paper records. And five of those improper disposal breaches, including Texas Health, involved business associates.

The Cost of a Breach

If business associates are doing shoddy work properly destroying records or devices, they'd better improve their performance soon. Otherwise, breaches experienced by their healthcare clients could become very expensive for these vendors.

Under the HIPAA Omnibus Rule, business associates are directly liable for HIPAA non-compliance. HHS' Office for Civil Rights will begin enforcing HIPAA Omnibus starting on Sept. 23, and penalties for non-compliance can range up to $1.5 million per HIPAA violation.

Across the Atlantic, some organizations are already discovering how hefty government fines can be when patient data is improperly disposed.

The United Kingdom's Information Commissioner's Office last month issued a £200,000 (about $300,000 U.S.) fine to a healthcare provider after a computer with a hard drive containing data on nearly 3,000 patients was sold on eBay (see: Sale of Drive on e-Bay Leads to Fine.

Steps to Take

It's important for U.S. healthcare organizations to take note of these breaches involving improper disposal, especially in light of rising HIPAA penalties.

Organizations need to do a better job vetting disposal companies before they're hired. And, just as important, they need to do a better job verifying that data, devices or documents are actually destroyed.

Companies hired to destroy data generally use one of three methods, says Sean Mcgann, vice president at Sims Recycling, a provider of electronic disposal services. Those include: deploying software that overwrites the sensitive data; electromagnetically erasing the data; and physical destroying the data through crushing, shredding or other means.

Healthcare organizations also need to remember that other equipment besides computers and storage devices can contain PHI, Mcgann notes. That includes copiers and fax machines.

To play it safe, Mcgann suggests organizations consider "pulling out the hard drive and hitting it with hammer," before shipping off electronic equipment for destruction or donating it to others. Another option, he says, is to hold on to the hard drive, lock it up, and just ship the rest of the gear.

Organizations should also keep in mind that improper disposal of PHI can lead to ID theft and fraud. "If [disposed] equipment has Social Security numbers stored on it, to thieves, it's like winning a lottery," Mcgann says.

So if your organization is taking pains to protect data in compliance with the new HIPAA Omnibus Rule and other regulatory demands, don't overlook the risks involved with the disposal of PHI. Otherwise, you'd also better be stashing away funds to deal with potential breaches and fines.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.