Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.
It is important to realize that many of the devices in your office may contain patient information, even after you have stopped using them. Information can be stored on hard drives and in memory chips on circuit boards, and if that information finds its way into the wrong hands you have a HIPAA violation.
A high-profile case involved the resale of photocopiers that contained huge amounts of patient information. That event happened in 2010, and in 2013 Affinity Health settled the case with the Office for Civil Rights for $1.2 million. The event was featured on CBS News.
What devices do you have in your office that may contain patient information?
- Fax machines
- Copy machines
- Imaging machines (such as ultrasound)
- Removable hard drives
- Flash drives
- Your cell phones
Yes, even your cell phones! If you have texted back and forth with patients or have taken clinical pictures with your cell phone, it contains protected patient information. So the question becomes: what do I do with these devices?
Hard drives that are in good working order can be wiped with Department of Defense-grade wiping software. You can do this yourself, but then you are taking on the full responsibility for doing it right. The best way to dispose of old electronics is to use an R2 certified electronics recycling vendor. An R2 certified vendor is certified for the secure handling and proper destruction of your electronics. That way, nobody will ever be able to use one of your retired devices to get access to patient information. A visit to the EPA website provides information on R2 certified recyclers.
An R2 certified recycler will:
- Guarantee the destruction of data on all media using industry-standard practices. If you have sensitive data, the best way to destroy it is device by device (for example, hard drive by hard drive), tracked by each device's serial number. With this methodology, you will receive a serialized Certificate of Destruction.
- Demonstrate compliance with all applicable standards for environmental protection, data security, and human health prior to certification.
Due to the number of devices in your practice and the amount of data that may be present on them, data destruction may no longer be a do-it-yourself project. If you have IT knowledge and have the time and resources, you can still clean all PHI off these devices yourself, but if you do not have all the tools you need, it is probably in your best interest to contract with an R2 certified electronics recycler, get a HIPAA Business Associate Agreement, and then send all of your retired electronics to that company. It may also be in your best interest personally to send your personal electronics to an electronics recycler. This way you will also protect yourself from identity theft.
It is important to remember that healthcare breaches cost organizations $6.45 million per breach, the highest cost per breach for nine years in a row. The average cost per breached healthcare record ($429) is more than double that of any other industry. (Source: IBM 202 Cost of a Data Breach Report, https://www.ibm.com/security/data-breach)
In healthcare, we are at the center of the data security storm, and the sooner we bring our policies and procedures in step with industry standards, the better protected we will be from becoming the victim of a HIPAA data breach. For more information on how to improve your policies and procedures and to get started on a HIPAA Security Program in your office, please reach out to TLD Systems at http://www.tldsystems.com or call (631) 403 6687.