HIPAA Guidelines for the Healthcare Industry

Maintaining HIPAA compliance during normal business operations can be challenging. What happens when organizations dispose of their IT equipment or medical devices can be just as important, as many of those items contain patient data. Finding a disposal vendor that understands the HIPAA guidelines and can help you maintain compliance is crucial.

What are the HIPAA Rules?

The HIPAA Privacy Rule requires that covered entities, such as medical device manufacturers, distributors, and healthcare systems, apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form.

You are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.

Read the full Summary of HIPAA Security Rules

Destruction and Disposal

Covered entities must implement reasonable safeguards to avoid incidental and prohibited disclosures of PHI. This includes the disposal of information, in any form. In addition, the HIPAA Security Rule requires that medical device manufacturers, distributors, and healthcare systems implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.
Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.

Proper disposal methods for electronic medical devices and computer equipment containing PHI on electronic media may include:

  • Clearing: using software or hardware products to overwrite the media with non-sensitive data
  • Purging: degaussing, or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains
  • Destroying the media: disintegration, pulverization, melting, incineration, or shredding
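As an added illustration of the "clearing" method above (not code from the original article or from any vendor it refers to), the script below overwrites a file standing in for a drive image, reads the whole image back to verify that constructed sample PHI markers are gone, and returns the record a certificate of destruction would be built from. File paths, marker strings, and the asset identifier are all made-up sample values.

```python
import hashlib
import os
import tempfile

# Constructed sample PHI markers (not real records) that the overwrite must provably remove.
PHI_MARKERS = [b"Patient: Jane Doe", b"MRN 00012345", b"Dx: hypertension"]

def make_sample_media(path: str, size: int = 8192) -> None:
    """Write a small file standing in for a drive image, with PHI scattered through it."""
    buf = bytearray(os.urandom(size))
    for i, marker in enumerate(PHI_MARKERS):
        off = (i + 1) * size // 4
        buf[off:off + len(marker)] = marker
    with open(path, "wb") as f:
        f.write(buf)

def clear_media(path: str, passes=(b"\x00", b"\xff", None), chunk: int = 4096) -> int:
    """Overwrite the whole image in place, pass by pass; None means a random-data pass.
    Caveat: a file-level overwrite cannot reach remapped sectors or the over-provisioned
    area of flash media; for SSDs, NIST SP 800-88 points to purge or destroy instead."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            f.seek(0)
            done = 0
            while done < size:
                n = min(chunk, size - done)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                done += n
            os.fsync(f.fileno())  # force each pass to the device before starting the next
    return size

def verify_cleared(path: str, markers) -> bool:
    """Full read-back verification: no known PHI marker survives the overwrite."""
    with open(path, "rb") as f:
        data = f.read()
    return not any(m in data for m in markers)

def sanitize_and_record(path: str, asset_id: str) -> dict:
    """Clear, verify, and return the evidence record behind a certificate of destruction."""
    nbytes = clear_media(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"asset_id": asset_id, "method": "clear (3-pass overwrite)",
            "bytes_per_pass": nbytes, "verified": verify_cleared(path, PHI_MARKERS),
            "post_sanitize_sha256": digest}

def run_demo() -> dict:
    """Build a sample image, confirm PHI is present, then sanitize and record the result."""
    path = os.path.join(tempfile.mkdtemp(), "sample-media.img")  # constructed path
    make_sample_media(path)
    rec = sanitize_and_record(path, "ASSET-SAMPLE-001")  # hypothetical asset id
    rec["phi_found_before_clear"] = True
    return rec
```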

Vendor Due Diligence

The US Department of Health and Human Services states that before a computer or other electronic media storing electronic protected health information (ePHI) is disposed of or reused, steps must be taken to remove the ePHI from it, or the media itself must be destroyed before disposal.
“The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of ePHI from electronic media before the media are made available for reuse…. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media.”

Is your disposal vendor clearing out your data and reselling your devices or are they providing you with a Certificate of Destruction to ensure total destruction has occurred?

A certificate of destruction accomplishes two things:
1. It is your proof that your devices were destroyed in an environmentally compliant manner by a certified electronics recycler.
2. The proof of destruction satisfies regulatory and audit requirements regarding various privacy laws.

Violations

The penalties for violating the HIPAA rules depend on the severity of the violation. If the violations are serious, have been persisting for a long time, or there are multiple areas of violations, financial penalties may be issued.
The penalty structure is:

  • Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, even if a reasonable amount of care had been taken to abide by HIPAA Rules
  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
  • Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
  • Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

Each violation carries a separate HIPAA penalty and a number of factors are taken into account. These factors include the length of time the violation took place, the nature of the data that was exposed, the number of people affected by the violation, the level of harm that was inflicted by the violation, and the willingness of the offender to assist in the investigation.

  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation

The above fines for HIPAA violations are those stipulated by the HITECH Act. It should be noted that these are adjusted annually to take inflation into account. The HITECH Act increased the possible penalties for HIPAA violations to strengthen enforcement of HIPAA compliance and to give HIPAA covered entities a greater incentive to press forward with their compliance programs.

Download the NIST Special Publication 800-88 Guidelines for Media Sanitization