Secure Disposal of Data: Lessons LearnedSteps to Take to Avoid Breaches
If you think your computers and protected health information are being properly destroyed because you've hired a specialized company to do the job, well, think again.
That's a lesson that some organizations are learning the hard way.
If your organization is taking pains to protect data in compliance with the new HIPAA Omnibus Rule and other regulatory demands, don't overlook the risks involved with the disposal of PHI.
For example, last month, Texas Health Harris Methodist Hospital Fort Worth disclosed it was contacting 277,000 patients to inform them of a breach involving decades-old microfiche medical records that were slated for destruction by business associate Shred-It International. Instead, the records were found intact in a dumpster in a public park.
This incident joins nearly three dozen other "improper disposal" breaches listed on the wall of shame that have occurred since September 2009 and affected 500 or more individuals
While the Texas Health breach involved old microfiche records, most of the improper disposal breaches on the HHS tally were tied to paper records. And five of those improper disposal breaches, including Texas Health, involved business associates.
The Cost of a Breach
If business associates are doing shoddy work properly destroying records or devices, they'd better improve their performance soon. Otherwise, breaches experienced by their healthcare clients could become very expensive for these vendors.
Under the HIPAA Omnibus Rule, business associates are directly liable for HIPAA non-compliance. HHS' Office for Civil Rights will begin enforcing HIPAA Omnibus starting on Sept. 23, and penalties for non-compliance can range up to $1.5 million per HIPAA violation.
Across the Atlantic, some organizations are already discovering how hefty government fines can be when patient data is improperly disposed.
The United Kingdom's Information Commissioner's Office last month issued a Â£200,000 (about $300,000 U.S.) fine to a healthcare provider after a computer with a hard drive containing data on nearly 3,000 patients was sold on eBay (see: Sale of Drive on e-Bay Leads to Fine.
Steps to Take
It's important for U.S. healthcare organizations to take note of these breaches involving improper disposal, especially in light of rising HIPAA penalties.
Organizations need to do a better job vetting disposal companies before they're hired. And, just as important, they need to do a better job verifying that data, devices or documents are actually destroyed.
Companies hired to destroy data generally use one of three methods, says Sean Mcgann, vice president at Sims Recycling, a provider of electronic disposal services. Those include: deploying software that overwrites the sensitive data; electromagnetically erasing the data; and physical destroying the data through crushing, shredding or other means.
Healthcare organizations also need to remember that other equipment besides computers and storage devices can contain PHI, Mcgann notes. That includes copiers and fax machines.
To play it safe, Mcgann suggests organizations consider "pulling out the hard drive and hitting it with hammer," before shipping off electronic equipment for destruction or donating it to others. Another option, he says, is to hold on to the hard drive, lock it up, and just ship the rest of the gear.
Organizations should also keep in mind that improper disposal of PHI can lead to ID theft and fraud. "If [disposed] equipment has Social Security numbers stored on it, to thieves, it's like winning a lottery," Mcgann says.
So if your organization is taking pains to protect data in compliance with the new HIPAA Omnibus Rule and other regulatory demands, don't overlook the risks involved with the disposal of PHI. Otherwise, you'd also better be stashing away funds to deal with potential breaches and fines.