
Data Security and Asset Disposition

Asset Disposition vendors play a major role in keeping your data safe

How to know if your data is safe with your asset disposition vendor?

The HIPAA Enforcement Rule sets the procedures for investigating complaints and breaches involving electronic protected health information (ePHI) and the civil penalties that may be imposed on covered entities responsible for an avoidable breach. Those penalties are tiered by culpability, from $100 up to $50,000 per violation, with an annual cap of $1,500,000 for violations of the same provision (figures before inflation adjustment). Failing to implement reasonable safeguards when disposing of equipment, such as discarding media that still holds PHI without destroying the data, is exactly the kind of failure these penalties cover.

Physical safeguards for disposal are set out in the Security Rule's device and media controls standard (45 CFR 164.310(d)), which requires policies for the receipt and removal of hardware and electronic media containing ePHI, for media disposal, and for media re-use, as well as accountability for media movements and backup of the data before equipment is moved. In practice this means a decommissioned device must be sanitized and its disposition recorded before it leaves the entity's control. The NAID Certification Program establishes standards for secure data and equipment destruction processes, including operational security, employee hiring and screening, and responsible disposal.

ZRG helps mitigate risk when disposing of medical equipment

When removing a medical device from active use, follow an orderly decommissioning procedure: sanitize the stored data, decontaminate the device, dismantle it so it cannot be put back into service, and dispose of electronic or hazardous waste safely. Note that deleting files or reformatting does not remove the data; sanitize the media by overwriting, cryptographic erase, or physical destruction, as described in NIST SP 800-88, and verify the result before the device leaves your control. To mitigate risk further, covered entities should conduct proper due diligence on their Business Associates and contract with firms that have reasonable controls in place to prevent the loss of PHI and to respond properly in the event of a suspected data breach. This can be done by performing an on-site audit or by choosing a provider with the appropriate NAID Certification, which requires annual and unannounced on-site audits of firms to verify their qualifications in data destruction.
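The "sanitize the stored data" step is the one most often done badly, because a deleted file is still on the medium. The following shell script is an added example, not ZRG's procedure or tooling: it overwrites a medium with zeros (the NIST SP 800-88 "Clear" method for magnetic disks), refuses to record the asset as sanitized until a read-back verification passes, and appends a verification record. Everything outside the page is an assumption: the medium is given as a path (a block device in practice; here a constructed disk-image file so the script runs offline), and the asset tag, record format and log path are our own.

```bash
#!/usr/bin/env bash
# Added example (not ZRG's procedure): overwrite a storage medium, verify the
# overwrite, and only then record the asset as sanitized.
# Assumptions not from the page: the medium is a path (block device in
# practice, constructed image file here); asset tag, record format and log
# path are our own.
set -eu

# Count bytes that are not 0x00. Prints 0 when the medium is fully zeroed.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Exit 0 only when no readable byte differs from zero.
verify_zeroed() {
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# NIST SP 800-88 "Clear": overwrite every addressable location. One pass of
# zeros is the documented minimum for magnetic disks. For flash/SSD media use
# the controller's own sanitize command (Purge) or physical destruction,
# because wear-levelling keeps blocks the host cannot address.
sanitize_zero() {
    local medium="$1" size
    size=$(wc -c < "$medium" | tr -d ' ')   # block device: blockdev --getsize64
    head -c "$size" /dev/zero | dd of="$medium" conv=notrunc 2>/dev/null
}

# Append a verification record to the log. Returns 1 and writes nothing
# when verification fails, so an unsanitized asset never gets a record.
record_sanitization() {
    local medium="$1" asset_tag="$2" log="$3"
    verify_zeroed "$medium" || return 1
    printf '%s asset=%s bytes=%s method=clear-overwrite-zero verified=yes\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$asset_tag" \
        "$(wc -c < "$medium" | tr -d ' ')" >> "$log"
}

# Demonstration on a constructed 64 KiB disk image holding a fake record.
img=$(mktemp); log=$(mktemp)
head -c 65536 /dev/zero > "$img"
printf 'PATIENT=Jane Doe;MRN=000000;DX=example' \
    | dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
record_sanitization "$img" "ASSET-0001" "$log" || echo "refused: data still present"
sanitize_zero "$img"
record_sanitization "$img" "ASSET-0001" "$log" && cat "$log"
rm -f "$img" "$log"
```

The verification reads the whole medium back rather than trusting the write command's exit status, which is what an auditor, or a NAID audit of your vendor, will ask to see evidence of. Against a real drive the same functions apply, with `wc -c` replaced by `blockdev --getsize64` to learn the device size, and the log line is the kind of record that belongs with the certificate of destruction.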

Additional References:

  • The Department of Health and Human Services put together a list of disposal FAQs: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf
  • Free Business Associate Agreement (BAA) templates and data security policies are available for download at: http://cascade-assets.com/healthcare/