Channel: Abhishek Jain, Author at BitRaser

Wipe Drives To Protect PHI & Stay HIPAA Compliant

Protected Health Information (PHI) is any individually identifiable health-related data, including patient demographics, medical history, mental health status, insurance records, test and laboratory results, and similar information. Every healthcare organization that handles such records is responsible for safeguarding PHI from its collection through to its disposal. Under the Health Insurance Portability and Accountability Act (HIPAA), these records fall under the Privacy Rule, which requires organizations that hold PHI to maintain appropriate administrative, technical, and physical safeguards against impermissible disclosure and data breaches.

In January 2022, 50 data breach cases were reported to the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS), exposing the PHI of more than 2.3 million individuals. Separately, a recent Netwrix survey found that the healthcare industry performs worst of all sectors at controlling redundant, obsolete, and trivial (ROT) files containing PHI, with a major gap in data retention and destruction policies: 69% of healthcare providers, the highest share of any industry surveyed, follow no policy or procedure for periodic, methodical wiping of PHI that is no longer required. The need to dispose of unwanted PHI is pressing, and permanent sanitization of storage media is what lets healthcare organizations prevent breaches, avoid penalties, and stay compliant.

HIPAA Violation and Penalties:

Covered entities must implement reasonable safeguards to avert PHI breach incidents and to prevent prohibited uses and disclosures of the data. The following high-penalty PHI breach incidents show how ineffective risk assessment and improper disposal of devices lead to HIPAA violations and penalties running into millions of dollars:

Company | Incident | Penalty | HIPAA violation
Oregon Health & Science University | PHI of 4,022 patients put at risk, including accidental disclosure of PHI via a cloud storage service that exposed the medical records of 3,044 patients. | $2.7 million | The OCR investigation found that HIPAA Rules had been violated, alongside widespread and diverse compliance problems at OHSU.
CardioNet | Inappropriate handling of hardware led to non-compliance with HIPAA; the organization suffered financial and reputational loss. | $2.5 million | An inadequate risk management process cost the wireless health services provider dearly.
HealthReach Community Health Centers | Protected Health Information of more than 100,000 patients was compromised. | Undisclosed | Inappropriate handling of hardware led to non-compliance with HIPAA; the organization suffered financial and reputational loss.

Such incidents amount to non-compliance with the HIPAA Rules and expose covered entities to heavy financial and legal penalties. In our previous article, we spelled out the Penalty For HIPAA Security Rule Non-Compliance in detail. As that article explains, civil monetary penalties enforced by OCR reach $50,000 per violation, with an annual cap of $1.5 million for repeated violations of the same provision (base amounts, which are adjusted for inflation). Willful violations can additionally be prosecuted as criminal offences, with fines of up to $250,000 and imprisonment, and the organization may also face claims for compensation from the individuals whose medical data was exposed.

To stay HIPAA compliant and protect confidential patient data, every healthcare service provider must follow robust data protection and destruction measures when retiring devices. Regular staff training, risk assessments, documented reports, due diligence, and restricted access to confidential data are all required to prevent HIPAA violations. Read our in-depth article on everything you need to know to ensure compliance with the HIPAA Security Rule for detailed guidance on HIPAA compliance.

Wipe Drives to Attain HIPAA Compliance:

HIPAA requires every covered entity to have policies and procedures in place for the final disposal of PHI (paper records) and ePHI (electronic PHI stored on devices); failing to do so invites penalties. HIPAA itself does not mandate a particular destruction method, but HHS guidance describes the following acceptable approaches:

  • For PHI in paper records: disposal methods include shredding, burning, and pulverizing the records so that they cannot be reconstructed.
  • For ePHI stored electronically: software-based erasure that overwrites the media permanently wipes the device while leaving it reusable. Media should be sanitized according to the NIST Guidelines for Media Sanitization (NIST SP 800-88), which define three methods of increasing strength: Clear (overwrite through the host interface), Purge (drive-internal or firmware-level erasure that also reaches areas the host cannot address) and Destroy (physical destruction).
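The following script illustrates the Clear method just described: a full overwrite of a storage device through the host interface, a complete read-back verification that the final pass actually landed, and a plain-text sanitization record of the kind an auditor asks for. It is an added example written for this page, not BitRaser's software or any HHS-published procedure. It uses a constructed file-backed image seeded with a fake patient record in place of a real drive so that it runs without root; the image path, the record format and the helper names are all assumptions of the example. For a real drive you would point it at an unmounted block device, and for sectors the firmware has remapped (or SSD spare blocks) you would additionally issue the drive's own Purge command, shown in the comments.

```shell
#!/usr/bin/env bash
# Added example (not BitRaser's code): NIST SP 800-88 "Clear"-style overwrite of a
# device, full read-back verification, and a sanitization record. A file-backed
# image stands in for the drive; for real use pass an UNMOUNTED /dev/sdX.
#
# Caveat: host-side overwrites never reach sectors the drive firmware has
# remapped, nor reserve flash on an SSD. Those need the drive's own Purge
# commands, e.g. (run as root, assumed tool invocations from hdparm/nvme-cli):
#   hdparm --user-master u --security-set-pass p /dev/sdX
#   hdparm --user-master u --security-erase    p /dev/sdX   # ATA Secure Erase
#   nvme sanitize /dev/nvme0 -a 2                           # NVMe block erase
set -u

# Size in bytes of a block device (blockdev) or of a regular file (fallback).
device_bytes() {                    # device_bytes DEV
  blockdev --getsize64 "$1" 2>/dev/null || echo $(( $(wc -c < "$1") ))
}

# Build a constructed image with a fake PHI record at a fixed sector offset, so
# the example can prove the data is gone afterwards.
make_image() {                      # make_image PATH SIZE_MB
  local path=$1 mb=$2
  dd if=/dev/zero of="$path" bs=1M count="$mb" 2>/dev/null
  printf 'PATIENT: Jane Doe, MRN 000123, DX: example (constructed)\n' |
    dd of="$path" bs=512 seek=7 conv=notrunc 2>/dev/null
}

# True (exit 0) if PATTERN still occurs anywhere on DEV; -a treats it as text.
phi_present() {                     # phi_present DEV PATTERN
  grep -aq -- "$2" "$1"
}

# Two full passes over the whole device: random first, then zeros. The final
# pass is a fixed pattern precisely so that it can be verified without a seed.
clear_overwrite() {                 # clear_overwrite DEV
  local dev=$1 bytes
  bytes=$(device_bytes "$dev") || return 1
  head -c "$bytes" /dev/urandom | dd of="$dev" bs=1M conv=notrunc 2>/dev/null || return 1
  head -c "$bytes" /dev/zero    | dd of="$dev" bs=1M conv=notrunc 2>/dev/null || return 1
  sync                              # flush before reading back
}

# Full read-back verification: after stripping NUL bytes nothing may remain.
verify_zeroed() {                   # verify_zeroed DEV
  [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Write the audit record and print its SHA-256, which should be stored off-box
# so later alteration of the record is detectable.
write_record() {                    # write_record DEV RESULT OUTFILE
  local dev=$1 result=$2 out=$3
  {
    echo "device: $dev"
    echo "bytes: $(device_bytes "$dev")"
    echo "method: NIST SP 800-88 Clear (1 random pass + 1 zero pass, full read-back)"
    echo "verification: $result"
    echo "finished: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
  } > "$out"
  sha256sum "$out" | cut -d' ' -f1
}

# Overwrite, verify, record. Exit status reflects the verification result, so a
# failed verification cannot silently produce a "clean" certificate.
sanitize_clear() {                  # sanitize_clear DEV RECORDFILE
  local dev=$1 record=$2 result=FAIL
  clear_overwrite "$dev" && verify_zeroed "$dev" && result=PASS
  write_record "$dev" "$result" "$record"
  [ "$result" = PASS ]
}

# Usage: ./sanitize.sh /dev/sdX /var/log/sanitize-sdX.txt   (device unmounted)
if [ $# -eq 2 ]; then
  sanitize_clear "$1" "$2"
fi
```

The verification step reads the entire device rather than sampling it, which is what NIST SP 800-88 means by full verification; on large drives that doubles the run time, but a sampled check cannot tell a stalled overwrite from a finished one. The record deliberately carries the verification result and the byte count so that the certificate and the device can be matched later.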

In short, HIPAA expects that once PHI or ePHI is no longer required, or has served the purpose for which it was collected, it is disposed of securely and without delay.

Wipe Drives Using BitRaser Drive Eraser – HIPAA Compliant Solution:

We recommend using a professional, certified data erasure tool such as BitRaser Drive Eraser, which follows the NIST guidelines for media sanitization and applies the Clear and Purge methods. BitRaser Drive Eraser is a HIPAA-compliant solution for erasing PHI and ePHI in line with the standards and implementation specifications of the HIPAA Security Rule. The software addresses hidden areas of the drive, including remapped sectors, which a host-side overwrite alone cannot reach and which require the drive's own firmware-level sanitize commands (the Purge methods of NIST SP 800-88). BitRaser supports single- and multi-pass overwriting together with verification of the result to confirm that the data is permanently gone. The tool generates tamper-proof digital reports and certificates that serve as an audit trail and as proof of destruction under HIPAA's documentation requirements.

BitRaser is therefore well suited to HIPAA-regulated entities that must permanently destroy protected health information (PHI) that is no longer needed. BitRaser from Stellar has implemented the security and data privacy controls required by the HIPAA Security Rule.

Conclusion:

Healthcare breaches make the news either because of cybersecurity lapses or because of improper disposal of devices; either way, the healthcare organization is penalized for compromising sensitive PHI. Every organization that directly or indirectly accesses PHI must ensure that it handles, discloses, and destroys the data appropriately at end of life. Secure data destruction by overwriting the device erases ePHI beyond recovery, giving healthcare organizations confidence that sensitive PHI is permanently destroyed and out of the reach of cybercriminals.

The post Wipe Drives To Protect PHI & Stay HIPAA Compliant appeared first on BitRaser.
