Wipe Drives To Protect PHI & Stay HIPAA Compliant


This blog explains why wiping storage drives matters for avoiding the heavy financial and legal penalties imposed for mishandling PHI. Read on to learn how permanent media sanitization supports HIPAA compliance and keeps sensitive PHI out of the reach of cybercriminals.

Protected Health Information (PHI) is any health-related data about an individual, including patient demographics, medical history, mental health status, insurance records, and test and laboratory results. Every healthcare organization that uses such medical records is responsible for guarding PHI, from its collection through to its disposal. Under the Health Insurance Portability and Accountability Act (HIPAA), such medical records are subject to the Privacy Rule. The HIPAA Privacy Rule requires organizations that use PHI shared by individuals to maintain appropriate administrative, technical, and physical safeguards to prevent improper disclosure or a data breach.

In January 2022, 50 data breach cases were filed with the Office for Civil Rights (OCR) under the US Department of Health and Human Services (HHS). The PHI of more than 2.3 million individuals was exposed. A recent survey by Netwrix also suggests that the healthcare industry performs worst of all industries at controlling redundant, obsolete, and trivial (ROT) PHI-related files, with a major gap in data retention and destruction policies. Highest among all industries surveyed, 69% of healthcare providers follow no policy or procedure for the periodic and methodical wiping of PHI that is no longer required. The need to dispose of unwanted PHI data is pressing, and only permanent sanitization of media can help health organizations prevent breaches, ward off penalties, and stay compliant.

HIPAA Violation and Penalties

Covered entities must implement reasonable safeguards to avert PHI breach incidents and prevent prohibited uses and disclosures of the data. Here are some high-penalty PHI breach incidents that show how ineffective risk assessment and improper disposal of devices can cause HIPAA violations and lead to millions of dollars in penalties:

Company: Oregon Health & Science University
Incident: PHI of 4,022 patients at risk; accidental disclosure of PHI via a cloud storage service, risking the medical records of 3,044 patients.
Penalty: $2.7 million
HIPAA violation: The OCR investigation found that HIPAA Rules had been violated, alongside widespread and diverse problems at OHSU.

Company: CardioNet
Incident: A stolen laptop caused ePHI data leakage affecting 1,391 patients.
Penalty: $2.5 million
HIPAA violation: An inadequate risk management process proved costly to the wireless health services provider.

Company: HealthReach Community Health Centers
Incident: Protected Health Information of more than 100,000 patients was compromised.
Penalty: Undisclosed
HIPAA violation: Inappropriate handling of hardware led to non-compliance with HIPAA. The organization suffered financial and reputational loss.

Such incidents amount to non-compliance with the HIPAA Rules and result in heavy financial and legal penalties for the covered entities. In our previous article, we spelt out the Penalty For HIPAA Security Rule Non-Compliance. As mentioned in that article, the OCR has defined $50,000 as the minimum criminal penalty for willful HIPAA violations and up to $1.5 million for repeat violations. The maximum fine is up to $250,000, and the accused is also liable to pay compensation to the victims for the loss of their medical data.

To stay HIPAA compliant and protect patients' confidential data, all healthcare service providers must follow robust data destruction and protection measures when retiring devices. Frequent staff training programs, risk assessments, documentation of reports, due diligence, and restricted access to such confidential data are all mandatory to prevent HIPAA violations. Read our in-depth article on everything you need to know to ensure compliance with the HIPAA Security Rule for detailed insights on HIPAA compliance.

Wipe Drives to Attain HIPAA Compliance

HIPAA requires all covered entities (healthcare organizations) to have policies and procedures in place for the final disposal of PHI (paper records) and ePHI (electronic PHI) stored on devices, failing which penalties may be imposed. HIPAA does not specify a particular method of data destruction, but it states the following:

  • For PHI in paper records: Disposal methods could include shredding, burning, and pulverizing the records so that they cannot be reconstructed.
  • For ePHI stored electronically: Software-based erasure methods that overwrite the media can be used to permanently wipe the device while keeping it reusable. Media can be sanitized following the NIST Guidelines for Media Sanitization, which specify Clear, Purge, and Destroy as the methods of data destruction.

In short, HIPAA expects that once ePHI or PHI is no longer required, or has fulfilled the purpose for which it was collected, it must be securely disposed of.


Wipe Drives Using BitRaser To Protect PHI & Reuse Devices

We recommend using a professional and certified data erasure tool like BitRaser Drive Eraser, which is compliant with the NIST guidelines for media sanitization and uses the Clear and Purge methods of data sanitization. The DIY software erases hidden areas of the drive, including remapped sectors. It supports single-pass and multi-pass overwriting along with verification methods to ensure permanent data wiping. The tool generates digital reports and certificates that act as audit trails for compliance and serve as proof of destruction.
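As an added example (not BitRaser's code, nor anything from the page), the following Python script shows what the overwrite-plus-verification step of a software-based Clear looks like on a constructed in-memory drive image, and builds the kind of verification record a tool would keep as an audit trail; the 4 KiB block size, the overwrite pattern, and the device identifier are assumptions.

```python
# Added example: single-pass overwrite, full read-back verification, and an
# audit record for a software-based "Clear" of a drive image. Not BitRaser's
# code; the image is a constructed in-memory buffer standing in for a device.
import hashlib
import json
from datetime import datetime, timezone

BLOCK = 4096  # assumed verification granularity (one 4 KiB block)

# Constructed sample content: PHI-looking text, never real data.
SAMPLE_RECORD = b"Patient: Jane Doe MRN 00012345\n"


def build_sample_image(blocks: int = 3) -> bytearray:
    """Return a mutable image filled with the constructed sample record."""
    size = blocks * BLOCK
    return bytearray((SAMPLE_RECORD * (size // len(SAMPLE_RECORD) + 1))[:size])


def overwrite_image(image: bytearray, pattern: bytes = b"\x00") -> None:
    """Single-pass overwrite of every byte with the repeating pattern."""
    n = len(image)
    image[:] = (pattern * (n // len(pattern) + 1))[:n]


def verify_overwrite(image: bytes, pattern: bytes = b"\x00"):
    """Read back every block; return (all_ok, offsets of blocks not matching the pattern)."""
    expected = (pattern * (BLOCK // len(pattern) + 1))[:BLOCK]
    bad = []
    for off in range(0, len(image), BLOCK):
        chunk = image[off:off + BLOCK]
        if chunk != expected[:len(chunk)]:
            bad.append(off)  # e.g. a sector the overwrite never reached
    return len(bad) == 0, bad


def sanitization_record(device_id: str, image: bytes, method: str,
                        pattern: bytes = b"\x00") -> dict:
    """Audit-trail record: verification result plus a hash of the verified state."""
    ok, bad = verify_overwrite(image, pattern)
    return {
        "device": device_id,  # assumed identifier, e.g. a drive serial number
        "method": method,
        "verified": ok,
        "unverified_blocks": bad,
        "post_wipe_sha256": hashlib.sha256(bytes(image)).hexdigest(),
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    img = build_sample_image()
    overwrite_image(img)
    print(json.dumps(sanitization_record("DRIVE-SERIAL-PLACEHOLDER", img,
                                         "Clear, single-pass overwrite"), indent=2))
```

The second scenario in the test (one block restored after the wipe) is how a verification pass surfaces the remapped-sector problem the text mentions: the record reports the block offset rather than a clean result.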

Conclusion:

Healthcare breaches make the news either because of cybersecurity lapses or because of improper disposal of devices. Either way, healthcare organizations are penalized for compromising sensitive PHI. Every organization that directly or indirectly accesses PHI must ensure that it appropriately handles, discloses, and destroys the data at end of life. By using secure data destruction techniques that overwrite the device, ePHI can be erased beyond recovery, giving healthcare organizations the assurance that sensitive PHI is permanently destroyed and out of the reach of cybercriminals.

April 26, 2022