Electronic Health Records & HIPAA

Security should be a top concern when upgrading to electronic health records to avoid a data breach.

HIPAA Compliant Data Destruction and Sanitization

Whether you operate a one person practice or are part of a hospital, there is greater than 50% chance that you are in violation of HIPAA's Final Security Rule which establishes a set of standards to protect the confidentiality, integrity and availability of electronic health information. These standards are receiving limited attention even though they are required to ensure the security of electronic health records.

The "HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii)."

Many healthcare providers we speak with or visit, from small doctors offices to large healthcare providers, are in violation of either the Final Security Rule's Disposal or Media Re-use requirements - and most were not even aware of their violation. One of the most preventable problems we encounter is the lack of security for the information that sits dormant on obsolete electronics or media when new upgraded systems needed for electronic health records (EHRs) are purchased. Being proactive, like good medicine, is the key to staying compliant with the Final Security Rule and preventing a costly data breach.

Recently Vice President Joe Biden announced that $1.2 billion in federal grants is being made available for EHRs along with a total of $36 billion in stimulus money over the next 6 years. With money finally starting to flow so healthcare organizations can make the switch to EHRs it is vital the necessary security steps are being taken to address HIPAA's Final Security Rule. Click on this link for the complete Health Insurance Reform: Security Standards; Final Rule.

Over the past several years, millions of data files have been improperly exposed to unauthorized individuals. This includes breaches caused by the unsecure information sitting on obsolete electronics needing to be destroyed. With organization upgrading systems for EHRs the amounts of obsolete electronics holding personal data will continue to grow. If this information is neglected it will create an extremely costly data breach, perhaps eliminating portions of the billions in savings the government predicts will be created each year from EHRs.

Data protection can be overwhelming, but when broken down into all of its parts it is a simple policy that can be implemented by an organization regardless of its size. Solving a major problem can be as easy as having a third party come on-site to destroy retired electronic media (such as printers and hard drives) in a matter of hours for very little cost. Considering that one piece of electronic media can hold thousand of documents, data sanitization must be performed on all retired electronics.

Developing a data security plan and putting it in place before a breach occurs sounds obvious, but many organizations overlook it. According to the Ponemon Institute the majority of 213 CEOs and other C-Level Executives surveyed in a recent study were not convinced in their company's ability to safeguard sensitive and confidential information. 94% of them also reported that they have had their data attacked in the last six months. Remember, being proactive is the key to data protection. If you are always reacting to a data breach then more money will be necessary to fix a data breach than the original solution would have cost.

Investing in a data security plan is not only good for data security; it is also a great return on investment. A proper data protection plan not only creates security it creates a 432% ROI through cost savings alone, according to the Ponemon Institute.

One step that is a vital part of a successful data protection plan is choosing a specialist to perform onsite sanitization of electronic media. Once medical systems start to be upgraded a surplus of electronics will be created - all of them holding patient information that needs to be destroyed in compliance with HIPAA. Forgetting about the security of retired electronics is a fine, or worse, a civil suit.

The HiTech Act allows State attorneys to sue on behalf of data breach victims in civil court. Having a third party provide a Certificate of Data Sanitization after they sanitize your data is the only way to properly prove data sanitization has been done. Remember a facility cannot audit themselves.

When choosing a specialist to perform data sanitization, make sure they certifytheir data sanitization and insure compliance with federal regulations. Having a third party perform data sanitization not only put the task into the hand of professional who handle data sanitization on a day to day basis, it also gives you an audit trail that verifies the work was done. If at any point the question arises about what happened to the data you will have the documentation necessary that shows the information was destroyed. Having a paper trail is just as important as having the work done.

The healthcare industry has made security procedures like paper-shredding a common practice. This same amount of care and security needs to be given to electronics and the files on their hard drives that becomes obsolete as newequipment is purchased for upgrades. The time needs to be spent now on resolving the issue of retired healthcare electronics and their data before more money needs to be spent on costly, preventable data breaches. Be proactive in your organizations approach to data security and data sanitization and be the among the leaders in the healthcare industry. Don't allow a data breach or HIPAA violation to shed bad light on your organization and become the example of what not to do. In the end data security can be very simple to implement and is proven to help the bottom line.

Please call 520-406-7446 for a free on site consultation.