HIPAA Compliant Hard Drive Destruction: Ensuring Data Security
Abstract: Protecting patient information is critical in the medical sector. HIPAA sets strict regulations governing the protection of sensitive patient data, including standards for its destruction when it is no longer needed. HIPAA-compliant hard drive destruction is therefore essential: if it is neglected, unauthorized individuals can access Protected Health Information (PHI), and the organization faces severe penalties and subsequent legal proceedings. This article explains why this matters and how to ensure that data disposal processes meet regulatory standards.
In 2023, the healthcare sector reached an unfortunate milestone: the Office for Civil Rights (OCR) of the Department of Health and Human Services documented 725 significant security breaches, surpassing the previous record of 720 data leaks. Since 2015, every year except for 2015 itself has seen an increase in reported breaches, and the previous year set the record for the highest number of breach incidents in the sector. On closer examination, the growth rate appears to be slowing with each interval, suggesting that a turning point might be reached by 2024.
As the chart shows, twice as many healthcare security breaches are happening now as in 2017/2018, with two large healthcare data breaches disclosed per day on average in 2023. Not long ago, we were concerned about the alarming rate of one major healthcare data breach reported every day. If only we had known how much worse it would become so quickly.
What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) lays down guidelines for the safekeeping of people’s health information. This includes step-by-step instructions and methods to ensure that health data is portable and accountable. Covered Entities must take significant measures to safeguard clients’ information, treating it as confidential. Covered Entities must implement document and password protection, and subcontractors, along with all related business partners, must comply with these measures.
HIPAA Compliance Requirements for Drive Destruction
Mark electronic media containing ePHI as unusable or inaccessible.
- There is only one way to totally destroy a hard drive, and that is by physically breaking it, so that no one can access the information it contains.
- Maintain records of the hardware and electronic media containing ePHI that are received and removed.
- For ePHI on electronic media such as computer hard drives, either render the media useless or make the information it contains inaccessible.
- All digital media coming into or leaving the custody of the covered entity should be properly inventoried and reported.
- If hiring a business associate to perform data destruction services, the covered entity must enter into a written contract or agreement.
- ePHI should remain in the custody of, or under the supervision of, an authorized employee.
HIPAA Compliance: Violation & Penalties
To prevent PHI breaches and misuse, covered entities should put adequate safeguards in place. The following are some expensive PHI breach incidents that illustrate how ineffective risk assessment and improper disposal of devices can result in HIPAA non-compliance and cost millions of dollars in penalties:
| Case Name | Incident Date | Description | Key Violations | Outcome |
|---|---|---|---|---|
| Essex Residential Care | 2024 | Failed to provide a son with timely access to his mother’s medical records. | Delay in providing access to medical records (161 days). | $100,000 civil monetary penalty. |
| Phoenix Healthcare | 2024 | Failed to provide a daughter with timely access to her mother’s medical records. | Delay in providing access to medical records (323 days). | Initial $250,000 fine; reduced to $70,000 by ALJ, settled at $35,000. |
| Green Ridge Behavioral Health | 2024 | Experienced a ransomware attack exposing the PHI of 14,000 individuals. | Lack of risk analysis, failure to reduce risks to ePHI, no policies for reviewing information system activity. | $40,000 penalty, no admission of wrongdoing. |
| Montefiore Medical Center | 2024 | Theft of patient data by an employee, who sold the data to an identity theft ring. | Lack of risk analysis, failure to review information system activity, lack of mechanisms to examine system activity. | $4,750,000 penalty. |
| Optum Medical Care of New Jersey | Fall 2021 | Patients not provided with requested records within the permitted time frame, waiting 84-231 days. | HIPAA Right of Access | Settled for $160,000 |
| Lafourche Medical Group | 2021 | Phishing attack exposed PHI of 34,862 individuals; no security risk analysis conducted prior. | Failure to conduct security risk analysis, lack of procedures to review logs of system activity | Settled for $480,000 |
| St. Joseph’s Medical Center | 2020 | Allowed a reporter access to patient information without authorization, violating the HIPAA Privacy Rule. | Impermissible disclosure of PHI | Settled for $80,000 |
| Doctors’ Management Services | April 2017 | GandCrab ransomware attack; multiple HIPAA Rule violations including failure to conduct an accurate risk analysis and impermissible disclosure of PHI of 206,695 individuals. | Multiple HIPAA Security Rule violations | Settled for $100,000 |
| L.A. Care Health Plan | 2021 | Multiple HIPAA Security Rule violations including lack of comprehensive risk analysis and insufficient security measures, resulting in impermissible disclosure of ePHI of 1,498 individuals. | Multiple HIPAA Security Rule violations | Settled for $1,300,000 |
| UnitedHealthcare | March 2021 | Failure to provide requested medical records to a patient, attributed to employee error, constituting a HIPAA Right of Access failure. | HIPAA Right of Access | Settled for $80,000 |
| iHealth Solutions, dba Advantum Health | 2017 | Server left unsecured, leading to theft of files containing ePHI of 267 individuals. | Failure to conduct risk analysis, impermissible disclosure of ePHI | Settled for $75,000 |
| Yakima Valley Memorial Hospital | 2020 | Security guards in the emergency department snooped on 419 medical records. | Failure to implement appropriate policies and procedures for HIPAA compliance | Settled for $240,000 |
| Manasa Health Center, LLC | April 2020 | Impermissible disclosures of PHI in response to negative Google Reviews, lack of policies and procedures for online disclosures, failure to issue breach notification letters. | Impermissible disclosure of PHI, lack of breach notification | Settled for $30,000 |
| MedEvolve Inc. | June 2020 | Server left exposed over the Internet, leading to the impermissible disclosure of PHI of 230,572 individuals. | Risk analysis failure, lack of business associate agreement, impermissible disclosure of PHI | Settled for $350,000 |
| David Mente, MA, LPC | 2021 | Failure to provide a father with his minor children’s health records, constituting a HIPAA Right of Access violation. | HIPAA Right of Access | Settled for $15,000 |
| Banner Health | 2016 | Hacking incident resulted in impermissible disclosure of PHI of 2.81 million individuals; multiple security failures identified, including lack of risk analysis and insufficient technical safeguards. | Multiple HIPAA Security Rule violations | Settled for $1,250,000 |
| Life Hope Labs, LLC | 2020 | Failure to provide medical records of a deceased father in a timely manner, taking 225 days. | HIPAA Right of Access | $16,500 penalty |
In our last publication we explained the non-compliance penalties under the HIPAA Security Rule that cause covered entities to pay large fines and face legal suits initiated against them by the government. As stated in that article, the OCR has set $50,000 as the minimum criminal penalty for intentional HIPAA violations and $1.5 million as the maximum fine for repeat violations. The highest fine that can be imposed is $250,000. Additionally, the offender must pay a specified sum to reimburse affected persons for the loss of their medical records.
Ensure HIPAA Compliance with Secure Drive Wiping
Healthcare organizations must have policies and procedures in place for the final disposal of PHI (paper records) and ePHI (electronic PHI) stored on devices, in order to avoid the penalties stipulated by HIPAA. HIPAA does not specify how the data should be destroyed; however, it states that:
- For PHI in paper records – disposal methods are shredding, burning, or pulverizing the records so that they cannot be reconstructed.
- For ePHI maintained in computerized form – erasure programs are available that overwrite all data on the media so that it is no longer recoverable, leaving the media ready for reuse through permanent wiping techniques.
Media can be sanitized using NIST Guidelines for Media Sanitization that specify Clear, Purge, and Destroy as the methods of data destruction.
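The overwrite-and-verify step and the custody record that the requirements above call for (records of media received and removed, media rendered inaccessible), as an added example that is not part of the original article or of any vendor's product. It runs against a constructed in-memory image standing in for a drive; the record field names and the sample data are this example's own assumptions.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 4096  # bytes written/read per step

def sample_image(payload: bytes, copies: int) -> io.BytesIO:
    """Constructed stand-in for a drive: a memory buffer seeded with fake ePHI."""
    return io.BytesIO(payload * copies)

def overwrite_media(dev, pattern: bytes = b"\x00") -> int:
    """Overwrite every byte of a seekable binary stream with a fixed pattern
    (single-pass overwrite, the NIST SP 800-88 'Clear' method). Returns bytes written."""
    dev.seek(0, io.SEEK_END)
    size = dev.tell()
    dev.seek(0)
    block = pattern * (CHUNK // len(pattern))
    written = 0
    while written < size:
        n = min(CHUNK, size - written)
        dev.write(block[:n])
        written += n
    dev.flush()
    return written

def verify_overwrite(dev, pattern: bytes = b"\x00") -> bool:
    """Read back the whole medium; every byte must match (sampling could miss a failed write)."""
    dev.seek(0)
    expected = pattern * (CHUNK // len(pattern))
    while chunk := dev.read(CHUNK):
        if chunk != expected[:len(chunk)]:
            return False
    return True

def disposal_record(device_id: str, dev, verified: bool, operator: str) -> dict:
    """Inventory entry for media leaving custody (asset id, method, verification result,
    post-wipe hash, operator, time). Field names are this example's own, not HIPAA terms."""
    dev.seek(0)
    return {"device_id": device_id, "method": "NIST SP 800-88 Clear (overwrite)",
            "verified": verified, "post_wipe_sha256": hashlib.sha256(dev.read()).hexdigest(),
            "operator": operator, "timestamp": datetime.now(timezone.utc).isoformat()}

def sanitize_media(device_id: str, dev, operator: str) -> dict:
    """Wipe, verify, then log. A failed verification is recorded, not hidden."""
    overwrite_media(dev)
    return disposal_record(device_id, dev, verify_overwrite(dev), operator)

if __name__ == "__main__":
    drive = sample_image(b"MRN:000123 DOB:1970-01-01 ", 400)  # constructed fake ePHI
    print(sanitize_media("ASSET-0001", drive, "j.doe"))
```

On a real device the stream would be the block device opened for read/write, and a `verified: false` record is the signal to escalate to the Purge or Destroy method rather than release the media.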
In short, HIPAA specifically requires secure data disposal when ePHI or PHI is no longer needed or has served the purpose for which it was collected.
Wipe Drive to Protect PHI and Stay HIPAA Compliant
It is suggested to opt for the most secure and permanent method, the expert-tested SysTools Data Destruction Software. It works in accordance with the established NIST rules for media sanitization and adopts the Clear and Purge techniques.
The tool uses the latest wiping technology to erase all the binary data stored as 0’s and 1’s by overwriting it with new data. It also provides many advanced features, can overwrite the complete data set, and leaves no scope for data recovery.
Key Learnings
Healthcare breaches have made headlines because of cyberattacks or improperly disposed devices. In either case, authorities penalize healthcare organizations for compromising sensitive PHI. Organizations must further ensure that they handle, disclose, and destroy such data properly. E-health care providers can rest assured that they have destroyed Protected Health Information beyond recovery when they use secure techniques that overwrite the device to erase its data.