Your patients place a great deal of trust in things outside their control to protect them and what matters to them. They trust banks to protect their money, alarm systems to protect their homes and software to protect their computers. They also trust you and your practice to abide by the HIPAA security requirements that safeguard their protected health information.
With this in mind, can you honestly say you are doing everything you should to defend all that they entrust to you? Are you abiding by the HIPAA security requirements for protecting their health information?
KNOW THE HIPAA SECURITY REQUIREMENT
The Health Insurance Portability and Accountability Act (HIPAA) sets the enforceable national standard for protecting the confidentiality, integrity and availability of individuals’ Protected Health Information (PHI).
The U.S. Department of Health and Human Services (HHS) issued the HIPAA Security Rule to ensure that covered entities and their business associates put in place the administrative, physical and technical safeguards needed to guard against breaches and other incidents that could compromise electronic PHI (ePHI). The companion Privacy Rule requires reasonable safeguards for PHI in any form, including paper.
According to the HIPAA Journal, “Under HIPAA, protected health information is considered to be individually identifiable information relating to the health status of an individual, the provision of healthcare, or individually identifiable information that is created, collected, or transmitted by a HIPAA-covered entity in relation to payment for healthcare services.”
This data can include medical records, prescriptions, hospital bills and treatment information. It also covers physical records and any PHI that is created, sent or received electronically and contains identifiers or demographic information, such as birth dates, sex, ethnicity, contact information or emergency contacts. Covered entities are responsible for meeting these Rules for as long as they hold their patients’ records, up to and including the moment those records are disposed of.
WHAT TO DO WHEN YOU’RE DONE WITH ePHI RECORDS
Eventually, every healthcare provider will need to dispose of PHI and ePHI records. The HIPAA Security Rule therefore requires covered entities to have policies and procedures in place for the final disposition of ePHI and of the hardware and media on which it is stored (45 CFR 164.310(d)(2)(i)). The Rules do not prescribe any single disposal method. Instead, they require providers to adopt a “reasonable” approach that leaves both PHI and ePHI unrecoverable.
For ePHI, “reasonable” does not mean throwing hard drives into dumpsters or any other disposal site the public can reach. That holds even if the drive has been snapped in half or an attempt was made to wipe it: a broken drive still has intact platter surfaces, and a wipe that was interrupted, skipped reallocated sectors or never completed on a failing drive leaves data that commercial recovery tools can read back. HHS disposal guidance does recognise clearing (overwriting) and purging (degaussing) as acceptable when they are done properly and verified, following NIST SP 800-88, but an unverified wipe offers no such assurance. Given the recovery technology that exists today and the value of the data on these drives, those shortcuts leave far too much risk of a patient privacy violation and fall short of adequate information security.
For compliance with the HIPAA security requirements for ePHI, hard drives holding patient data should therefore be physically and completely destroyed so that the platters inside cannot be reassembled, retrieved or read. The highest level of assurance comes from a professional, bonded and licensed hard drive crushing company.
A proper hard drive crushing process starts with recording each drive’s serial number. Record it from the drive itself rather than from an asset tag alone: on Linux, the command lsblk -o NAME,SERIAL or smartctl -i /dev/sdX reports the firmware serial number, which is what should appear on the certificate. The drive is then completely crushed, and the ISO 14001-certified recycling company recycles the crushed pieces. The company should then provide a certificate of destruction listing every serial number, which you reconcile against your own inventory so that no drive is unaccounted for, together with a guarantee backed by a $2M Professional Liability (E&O) policy. Keep the certificate with your other HIPAA documentation, which the Security Rule requires you to retain for six years (45 CFR 164.316(b)(2)).
DISPOSING OF PAPER PHI DOCUMENTS
Many practices also hold paper PHI, whether original charts or printouts kept so they can keep treating patients during a power failure, a downed computer system or a disaster-recovery effort. HIPAA requires a contingency plan for such events, not paper copies of all ePHI, but any paper that is kept is PHI and must be disposed of just as carefully. “Reasonable methods” for destroying paper PHI must likewise be established to stay compliant. These plans should cover on-site or off-site professional shredding, burning or pulping, which renders the records unreadable and impossible to reconstruct. Again, the licensed and bonded company should provide a certificate of destruction confirming that the documents were completely destroyed, backed by a valid $2M Professional Liability (E&O) policy.
PROTECT YOUR PATIENTS’ INFORMATION
Your patients must be able to trust you and be confident that you are complying with the HIPAA security requirements that protect their PHI and ePHI. To keep your healthcare practice in full compliance with the HIPAA Security Rule, contact Secure Destruction today to schedule an on-site or off-site hard drive crushing and/or document shredding date.