Secure Data Destruction for Health Service Providers
More than 500 Federal and State regulations govern IT asset disposal. Back Thru The Future understands these risks and has the proven tools and the experience to guide our clients through this complicated regulatory landscape.
The Importance of Vendor Due Diligence for Health Service Providers
Choosing the right secure data destruction partner
HIPAA data privacy rules are unquestionably the best known of all Federal data privacy regulations. All health service providers are required to protect their clients' sensitive personal health information. This is a costly and complex challenge. You are required to maintain control and security of this information over the entire life span of the data. The final step, the documented disposal of this information required by regulatory and legal records management, can be a cumbersome and tedious task, but failure to perform it promptly and efficiently can create significant organizational liability. Surveys have shown that the #1 concern of CIOs when considering data asset disposal is data security. Most health service organizations use third-party vendors to destroy and dispose of obsolete data media containing electronic protected health information (ePHI). Choosing the right vendor is important.
Can you trust your IT disposal vendor?
A recent Wall Street Journal article on cyber security, "What Keeps CIOs Up at Night", identifies third-party vendors' security capabilities and practices as a major concern. It is not only a major internal data security issue: vendor due diligence is required under most Federal and State data privacy regulations, and you must maintain documentation of your third-party vendor's qualifications and experience. See "The Importance of Vendor Due Diligence".
HIPAA compliance requires that a third party providing ePHI destruction services be a contracted "HIPAA Business Associate". The Business Associate Agreement requires that the third party handle your ePHI with the same care and protection that your organization provides. The specific requirements for the physical handling of data media are spelled out in the HIPAA Security Rule's device and media controls standard, and Health and Human Services (HHS) walks you through them in its "Security Risk Assessment Tool".
Back Thru The Future® provides onsite hard drive shredding and degaussing services for healthcare organizations just like yours, performed according to NIST Special Publication 800-88, "Guidelines for Media Sanitization". State data privacy laws and Federal data privacy regulations require that personally sensitive data be destroyed before the media it is recorded on is disposed of, and the destruction must adhere to National Institute of Standards and Technology (NIST) guidelines. Note that NIST 800-88 classes shredding as Destroy and degaussing as Purge, and that degaussing only works on magnetic media: a degausser has no effect on the data stored in a solid state drive, which must be cryptographically erased, block-erased or physically destroyed instead. Hard drives and solid state drives are electronic devices and under electronics-recycling law must be recycled by an authorized electronics recycler. We are one of a very limited number of companies that can provide environmentally compliant onsite hard drive shredding.
We are a National Association for Information Destruction (NAID) AAA Certified secure data destruction facility
Data protection regulations require organizations to monitor the qualifications and compliance of service providers that process sensitive information. NAID AAA secure data destruction certification is the data destruction industry's standard for the destruction of sensitive information. It is a set of annually audited handling procedures that assures clients that the certified company is in fact qualified to perform the data destruction task according to the rigorous requirements of the certification process. Both Federal and State data privacy regulations require that if you outsource the destruction of sensitive data you perform "vendor due diligence". Choosing a NAID AAA Certified business will go a long way toward establishing your organization's compliance. We are the only licensed electronic recycling facility in the New York metropolitan area that is NAID AAA certified.
ISO 13485 Compliance
The ISO 13485 standard is the medical device industry's most widely used international standard for a Quality Management System (QMS). Back Thru The Future has been helping medical device manufacturers remain compliant for over 30 years.
Developing and deploying a QMS that meets the requirements of this standard is necessary to commercialize your devices in global markets. Certification requires a risk-based approach to the control of external service providers: providers of high-risk processes require a higher level of control in evaluation and selection. These risks refer primarily to the safety and performance of the medical device, but risks related to end-of-life processes also need to be considered. Destroying devices at end of life protects you from data breaches, unauthorized use and the secondary market.
Business experience and reputation
Back Thru The Future has been providing computer recycling services for over 30 years and supports in excess of 1000 clients. We focus our secure data destruction services on industries with significant data privacy liabilities. We presently support 70% of all community hospitals and banks in the State of NJ. We have an excellent reputation and would be happy to provide industry references.
WHY OUTSOURCE YOUR DATA DESTRUCTION?
Increasingly, health service organizations are absorbing the burdens of ever-changing data privacy regulatory requirements that force you into inefficient workflows and demand management time and attention. Our Safe Harbor Express® (SHE) turnkey secure data destruction service is an attractive solution to the challenges associated with destroying obsolete data assets. We take the complex HIPAA record-keeping requirements and the time-consuming tasks of manually controlling and destroying obsolete data assets off your plate. It frees both management and employee time so that you can focus on core IT functions.
KNOW YOUR EPHI DATA DESTRUCTION RESPONSIBILITIES
Back Thru The Future's Safe Harbor Express® (SHE) scheduled secure data destruction service is specifically designed as a turnkey solution for the HIPAA physical security requirement that health service providers have procedures in place to control the disposal of electronic devices and media containing ePHI. We perform this service as a contracted HIPAA Business Associate, relieving your IT department of this time-consuming and cumbersome task.
The device and media control system required by HIPAA/HITECH specifies that you must know at all times where your ePHI resides and be able to prove that it is secure for its entire lifecycle, from the point a data asset enters your IT system to the moment it becomes obsolete and the recorded ePHI is destroyed. Once a data asset is determined to be obsolete and removed from your online system, your control system becomes a manual process. Manual systems are notoriously difficult to quality control and require significant management time and scarce technical resources. Employee turnover and time constraints can quickly create havoc with your procedures.
HIPAA security risk assessment
The Office of the National Coordinator for Health Information Technology (ONC) recognizes that conducting a risk assessment can be a challenging task. That’s why ONC, in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), developed a downloadable SRA Tool to help guide you through the process. This tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment.
Back Thru The Future's SHE agreement for scheduled secure data media destruction specifically addresses several security risk factors cited in the SRA Tool.
Since the implementation of the HIPAA/HITECH data breach notification requirements, over 60% of all reported breaches have been caused by the loss of physical data storage devices/media.
Despite media attention to online security breaches, loss of control of physical data assets is a health service provider's biggest risk. In most cases these reported breaches never resulted in ePHI actually being read by anyone; the notification was triggered simply by the loss of control of an unsecured data asset, because unencrypted, unsanitized ePHI is presumed breached once it leaves your control. For this reason OCR compliance audits focus on health service providers' data asset control policies.
HITECH has provided health services organizations tools to manage the “Data Breach Notification” liability.
These tools are the breach notification exclusions for "secured" PHI. Secured data is defined as data that has been encrypted, or data that has been sanitized using the NIST Guidelines for Media Sanitization protocols. Two caveats apply: encryption only qualifies if the key has not itself been compromised, and sanitization only qualifies if it was actually performed to the guideline and documented. Applying NIST protocols to your obsolete and defective data assets prior to disposal, while they are still within your security perimeter, is therefore a HIPAA data security best practice.
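NIST SP 800-88 does not consider a sanitization complete until it has been verified and recorded, and the record is what turns a lost drive into "secured" data under the exclusion above. The following Python is an added example, not a tool from Back Thru The Future or from the page: it reads back a drive image (or a block device path) after a Clear overwrite, confirms that nothing but the overwrite pattern remains, and refuses to log the device as sanitized if residual bytes are found. The two disk images, serial numbers and the planted "NTFS" signature are constructed inline for the demonstration.

```python
"""Read-back verification of a cleared drive, plus the per-device entry for
the media-disposal log. Constructed example: the two disk images it checks
are built inline in a temporary directory, not real drives."""
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large devices need little memory


def verify_cleared(path, expected_byte=0x00, chunk_size=CHUNK_SIZE):
    """Read every byte of an image (or block device path) and confirm it
    matches the overwrite pattern written during the Clear step.
    Returns a dict recording the outcome and, on failure, the first offset
    at which residual data was found."""
    pattern = bytes([expected_byte]) * chunk_size
    offset = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                return {"cleared": True, "bytes_read": offset,
                        "first_residual_offset": None}
            if block != pattern[:len(block)]:
                # Locate the exact byte that differs; it goes into the record.
                bad = next(i for i, b in enumerate(block) if b != expected_byte)
                return {"cleared": False, "bytes_read": offset + len(block),
                        "first_residual_offset": offset + bad}
            offset += len(block)


def sanitization_record(serial, media_type, method, verification):
    """Build the per-device entry for the disposal log. A device whose
    read-back failed is never recorded as sanitized; it stays in custody
    for re-sanitization or physical destruction."""
    return {
        "serial": serial,
        "media_type": media_type,
        "method": method,
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes_verified": verification["bytes_read"],
        "status": "sanitized" if verification["cleared"] else "FAILED - retain in custody",
        "first_residual_offset": verification["first_residual_offset"],
    }


def _write_image(path, size, residual=None):
    """Constructed test data: a zero-filled image, optionally with a few
    leftover bytes planted at a given offset to simulate an incomplete wipe."""
    with open(path, "wb") as fh:
        fh.write(b"\x00" * size)
        if residual is not None:
            off, data = residual
            fh.seek(off)
            fh.write(data)


def demo(image_size=3 * 1024 * 1024 + 17):
    """Verify one fully cleared image and one with residual bytes; returns
    both verification results and log records keyed by (constructed) serial."""
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "sn-A1B2C3.img")
        bad = os.path.join(workdir, "sn-D4E5F6.img")
        _write_image(good, image_size)
        # Simulate a wipe that stopped short: a file-system signature survives.
        _write_image(bad, image_size, residual=(2 * 1024 * 1024 + 5, b"NTFS    "))
        results = {}
        for serial, path in (("A1B2C3", good), ("D4E5F6", bad)):
            # Small chunk size so the demo exercises the multi-chunk loop.
            v = verify_cleared(path, chunk_size=1 << 16)
            results[serial] = {
                "verification": v,
                "record": sanitization_record(serial, "HDD (magnetic)",
                                              "Clear: single-pass overwrite 0x00", v),
            }
        return results


if __name__ == "__main__":
    for serial, out in demo().items():
        print(serial, out["record"]["status"], out["verification"])
```

A read-back check like this is only meaningful for magnetic media cleared by overwriting. A solid state drive will happily return zeros for every logical block after a TRIM or a firmware erase while copies of the data still sit in over-provisioned NAND, so for SSDs the guideline's answer is Purge (cryptographic erase or block erase with the vendor's verification) or Destroy; onsite shredding of the kind described on this page is the Destroy option.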
Medical equipment disposal concerns
The disposal of obsolete or defective medical equipment entails certain organizational responsibilities and potential liabilities. Making sure that the equipment is disposed of in an environmentally appropriate manner is certainly an important consideration, and can mean either environmentally compliant recycling or responsible reuse. A larger concern is whether the equipment has any capability of recording and storing patient information, because that makes its disposal a HIPAA data privacy responsibility. Back Thru The Future specializes in the destruction of all types of electronic data storage. We provide secure data destruction services to many health care organizations as well as to medical device manufacturers and distributors. Read about our capabilities.
Health service providers PCI DSS concerns
Billing departments handle significant numbers of credit card transactions and are required to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance. PCI DSS compliance requires that you not only protect cardholder information but also maintain the integrity of your card data collection system: you must regularly inspect all collection devices to make sure they function properly and have not been tampered with. PCI DSS comprises 12 requirements that must be maintained for compliance.
Third-party service providers must be PCI DSS compliant as well
You are required to confirm that any third-party service provider that comes into contact with cardholder data, which includes data storage media as well as card data collection devices, has validated its PCI DSS compliance for that activity, and to keep that evidence on file as part of your own compliance program.
PCI DSS defines a service provider as a business entity that is not a payment brand and is directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.
Back Thru The Future provides secure data destruction services for the shredding of data media that holds cardholder data, as well as product destruction services for card-reading devices. Back Thru The Future has met the PCI DSS third-party compliance validation requirements by completing the 96-page PCI Third Party Self-Assessment Questionnaire (SAQ).
100% of our client quality control surveys rate both our pre-project and post-project communications as "Excellent".
92% of our new client quality control surveys have been returned marked “exceeded expectations”.
Our Mission is Protecting our Clients from Environmental and Data Security Liabilities with Secure, Auditable and Compliant Recycling and Data Destruction Services.