Erase Drives to Stay HIPAA Compliance and Protect PHI

Ritu Roy | data wipe Forensics How to's mac os Software Technology Windows | 4 minutes read | Modified on: 20-03-2023
erase-drives-to-stay-hipaa-compliance-and-protect-phi

Summary: This blog highlights how crucial it is to wipe storage drives in order to avoid suffering severe monetary losses or legal repercussions as a result of improper handling of PHI. Continue reading to see how permanent device sanitization helps in HIPAA compliance and protects private information from thieves.

Some Important Information

All health-related data, including a patient’s demographics, medical history, mental health condition, insurance record, test and laboratory results, etc., are considered protected health information (PHI). It is the responsibility of all healthcare organisations employing these medical records to protect PHI at all times, from collection through disposal. Such medical records are governed by the HIPAA (Health Insurance Portability and Accountability Act) Data Privacy Rule. According to the HIPAA Privacy Rule, businesses that use PHI provided by individuals are required to implement the proper administrative, technical, and physical protections to guard against unauthorised disclosure or data breaches.

50 data breach cases involving the US Department of Health and Human Services were reported to the Office for Civil Rights (OCR) in January 2022. (HHS). There was a breach of PHI involving more than 2.3 million people. Instead, a recent Netwrix survey indicates that the healthcare sector has performed the poorest in terms of managing redundant, outdated, and trivial (ROT) PHI-related files. Regarding data retention and erasure policies, a significant gap has been found. Healthcare professionals are least likely of all studied industries to adopt any policy or procedure to maintain routine, methodical wiping of PHI that is no longer needed, at 69%. Permanent sanitization of media will only help health companies prevent breaches, avoid fines, and remain compliant since the requirement to dispose of unnecessary PHI data is rapidly approaching.

HIPAA Infraction and Penalties

The covered entities must implement reasonable security measures to prevent PHI breaches and prevent the data’s unauthorised use and dissemination. The following high-penalty PHI breach events demonstrate how insufficient risk assessment and inappropriate device disposal can result in HIPAA breaches and millions of dollars in fines:

CompanyIncidentPenaltyHIPAA Violation
Oregon Health & Science University  4,022 patients’ PHI is at risk. 3,044 patients’ medical records are at risk due to an accidently disclosing PHI via a cloud storage provider.  $2.7 million  Investigation by OCR revealed extensive and numerous issues at OHSU, along with HIPAA Regulations violations.  
CardioNet  1,391 patients’ ePHI data were compromised due to a stolen laptop.  $2.5 million  CardioNet’s ineffective risk management procedure cost the wireless health services provider a lot of money.  
HealthReach Community Health Centers  More than 100,000 patients’ protected health information was jeopardised.  Undisclosed  HIPAA compliance was violated as a result of improper hardware handling. Losses to the organization’s finances and reputation occurred.  

Such occurrences result in HIPAA Rules non-compliance, which carries severe financial and legal consequences for the covered organisations. We outlined the penalty for HIPAA Security Rule non-compliance in our earlier piece. The minimum criminal fine for intentional HIPAA violations, as indicated in the article, is $50,000, and multiple offences can result in fines of up to $1.5 million. The accused is also required to pay a specific sum to the victims as compensation for the loss of their medical data, with a maximum fine of $250,000 possible.

All healthcare service providers must follow stringent data deletion and protection protocols when retiring equipment in order to maintain HIPAA compliance and safeguard patient data. To avoid HIPAA violations, it is necessary to regularly conduct staff training programs, conduct risk assessments, document reports, exercise due diligence, and restrict access to such confidential data. To learn more about HIPAA compliance, read our in-depth article on what you need to know to ensure adherence to the HIPAA security rule.

Erase Drives to Compliance with HIPAA

To avoid fines, HIPAA mandates that all covered entities (healthcare organisations) have policies and processes in place for dealing with the destruction of PHI (paper records) and ePHI (electronic PHI) held on devices. Although HIPAA generally does not define a specific process for data disposal, it does state the following:

PHI in written records: Records could be destroyed by crushing, burning, or shredding them in order to render them unrecoverable.

ePHI that is electronically stored: The media could be overwritten using software-based erasure techniques to permanently erase the device and make it reusable. The NIST Recommendations for Media Sanitization, which list Clear, Purge, and Destroy as the techniques of data deletion, can be used to sanitise media.

By now, we are aware that HIPAA expressly advises secure data deletion if ePHI or PHI is no longer needed or has served its intended purpose.

To Protect PHI and Reuse Devices, Wipe Drives with CubexSoft Data Wipe.

We advise utilising a professional, NIST-compliant data erasing product like CubexSoft Drive Eraser, which uses the Clear and Purge methods of data sanitization and is professional and certified. The remapped sectors and other secret regions of the drives can be erased using the DIY software. The software supports both single- and multiple-overwriting technology, as well as several verification techniques, to assure complete data erasure. The technology provides digital reports and certificates that function as destruction proof and audit trails for compliance.

Conclusion

Healthcare hacks have been in the headlines recently, either as a result of cybersecurity errors or inappropriate device disposal. Healthcare organisations face consequences for breaching PHI in any case. All businesses that have direct or indirect access to PHI must make sure that the information is handled, disclosed, and destroyed properly at the end of its useful life. Healthcare businesses can have peace of mind knowing that critical PHI data is completely deleted and out of the hands of hackers by using secure data destruction procedures such as overwriting the device.