This post explains why wiping storage drives matters for avoiding the heavy financial and legal penalties that follow mishandling of PHI. Read on to learn how permanent media sanitization supports HIPAA compliance and keeps sensitive PHI out of the reach of cybercriminals.
Protected Health Information (PHI) is any health-related data about an individual, including patient demographics, medical history, mental health status, insurance records, and test and laboratory results. Every healthcare organization that uses such medical records is responsible for safeguarding PHI from the moment it is collected until it is disposed of. Under the Health Insurance Portability and Accountability Act (HIPAA), such medical records are subject to the HIPAA Privacy Rule, which requires organizations handling PHI shared by individuals to maintain appropriate administrative, technical, and physical safeguards against undue disclosure or data breach.
In January 2022, 50 data breach cases were filed with the Office for Civil Rights (OCR) under the US Department of Health and Human Services (HHS), exposing the PHI of more than 2.3 million individuals. A recent survey by Netwrix found that the healthcare industry performs worst of all surveyed industries at controlling redundant, obsolete, and trivial (ROT) PHI-related files, with a major gap in data retention and destruction policies: 69% of healthcare providers, the highest share of any industry surveyed, follow no policy or procedure for periodic, methodical wiping of PHI that is no longer required. The need to dispose of unwanted PHI is urgent, and only permanent sanitization of media lets health organizations prevent breaches, ward off penalties, and stay compliant.
Covered entities must implement reasonable safeguards to avert PHI breach incidents and to prevent prohibited uses and disclosures of the data. The following high-penalty PHI breach incidents show how ineffective risk assessment and improper disposal of devices can cause HIPAA violations and lead to millions of dollars in penalties:
| Organization | Incident | Penalty | Outcome |
|---|---|---|---|
| Oregon Health & Science University | PHI of 4,022 patients put at risk; accidental disclosure of PHI via a cloud storage service, risking the medical records of 3,044 patients. | $2.7 million | OCR investigation found that HIPAA Rules had been violated alongside widespread and diverse problems at OHSU. |
| CardioNet | A stolen laptop caused an ePHI leak affecting 1,391 patients. | $2.5 million | An inadequate risk management process cost the wireless health services provider dearly. |
| HealthReach Community Health Centers | PHI of more than 100,000 patients was compromised. | Undisclosed | Inappropriate handling of hardware led to non-compliance with HIPAA; the organization suffered financial and reputational loss. |
Such incidents amount to non-compliance with the HIPAA Rules and carry heavy financial and legal penalties for the covered entities. In our previous article, we spelt out the Penalty For HIPAA Security Rule Non-Compliance. As noted there, the OCR has defined $50,000 as the minimum criminal penalty for willful HIPAA violations, rising to $1.5 million for repeat violations. The maximum fine is up to $250,000, and the accused is additionally liable to pay compensation to the victims for the loss of their medical data.
To stay HIPAA compliant and protect confidential patients' data, all healthcare service providers must follow robust data destruction and protection measures when retiring devices. Frequent staff training programs, risk assessments, documented reports, due diligence, and restricted access to such confidential data are all mandatory to prevent HIPAA violations. For detailed insights on HIPAA compliance, read our in-depth article on everything you need to know to ensure compliance with the HIPAA Security Rule.
HIPAA requires that all covered entities (healthcare organizations) have policies and procedures in place for the final disposal of PHI (paper records) and ePHI (electronic PHI) stored on devices, in order to avoid penalties. HIPAA does not in general prescribe any particular method of data destruction, but it does state the following:
So HIPAA is explicit that once ePHI or PHI is no longer required or has served the purpose for which it was collected, secure disposal of the data is essential.
We recommend using a professional, certified data erasure tool such as BitRaser Drive Eraser, which complies with the NIST guidelines for media sanitization and implements the Clear and Purge methods of data sanitization. This DIY software can erase the hidden areas of a drive, including remapped sectors. It supports single-pass and multi-pass overwriting together with verification methods that confirm the data has been permanently wiped, and it generates digital reports and certificates that serve as audit trails for compliance and as proof of destruction.
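To make the overwrite-and-verify idea concrete, here is an added example (written for this post, not code from BitRaser or any NIST reference implementation) that sanitizes a single file or disk image with fixed-pattern passes and reads every byte back to verify each pass, producing a small audit record of the kind an erasure report is built from. The sample "patient record" it writes is constructed for the demonstration. It assumes the target is a regular file or image that the process can open read/write; note that a file-level overwrite like this corresponds at best to the NIST Clear method and does not reach remapped sectors, spare blocks, or SSD over-provisioned space, which is why a Purge must be driven through the drive's own firmware commands rather than through the filesystem.

```python
"""Overwrite-and-verify sanitization of one file or disk image (added example)."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read/write granularity in bytes


def overwrite_pass(path, byte_value):
    """Overwrite every byte of `path` with `byte_value` (0-255) and flush to disk."""
    size = os.path.getsize(path)
    block = bytes([byte_value]) * CHUNK
    with open(path, "r+b") as f:
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # make sure the pattern reached the medium, not just the page cache
    return written


def verify_pass(path, byte_value):
    """Read the whole file back; return the offset of the first mismatching byte, or -1 if clean."""
    size = os.path.getsize(path)
    block = bytes([byte_value]) * CHUNK
    with open(path, "rb") as f:
        offset = 0
        while offset < size:
            data = f.read(CHUNK)
            if not data:
                return offset  # short read: treat as a verification failure
            if data != block[: len(data)]:
                for i, b in enumerate(data):
                    if b != byte_value:
                        return offset + i
            offset += len(data)
    return -1


def sha256_file(path):
    """Content hash used in the audit record to show the medium changed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sanitize_file(path, passes=(0x00, 0xFF)):
    """Run each overwrite pass with read-back verification; return an audit record dict."""
    record = {
        "target": path,
        "size": os.path.getsize(path),
        "sha256_before": sha256_file(path),
        "passes": [],
        "verified": True,
    }
    for value in passes:
        written = overwrite_pass(path, value)
        bad = verify_pass(path, value)
        record["passes"].append(
            {"pattern": f"0x{value:02x}", "bytes": written, "first_mismatch": bad}
        )
        if bad != -1:
            record["verified"] = False  # stop and report rather than claim success
            break
    record["sha256_after"] = sha256_file(path)
    return record


def demo():
    """Constructed sample: a fake patient record in a temp file, sanitized in place."""
    fake_phi = b"MRN=000123;NAME=Example Patient;DX=ICD-10 E11.9\n" * 2000  # constructed data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(fake_phi)
    try:
        report = sanitize_file(path)
        with open(path, "rb") as f:
            residue = b"MRN=" in f.read()  # any trace of the record left at the logical level?
    finally:
        os.remove(path)
    return report, residue


if __name__ == "__main__":
    report, residue = demo()
    print(report)
    print("plaintext residue found:", residue)
```

The record returned by `sanitize_file` is what an auditor wants to see: size, hash before and after, each pass with its pattern and the first mismatching offset (or -1), and an overall verified flag that is only true when every pass read back clean. Running this against a whole block device is the same loop over the device node, but the Purge-level caveat above still applies to flash media.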
Healthcare breaches make the news either because of cybersecurity lapses or because of improper disposal of devices, and either way the healthcare organization is penalized for compromising sensitive PHI. Every organization that accesses PHI directly or indirectly must ensure that it handles, discloses, and destroys the data appropriately at end of life. By using secure data destruction techniques that overwrite the device, ePHI can be erased beyond recovery, giving healthcare organizations the assurance that sensitive PHI is permanently destroyed and out of the reach of cybercriminals.