The HIPAA Enforcement Rule governs the investigations that follow a breach of ePHI, the penalties that could be imposed on covered entities responsible for an avoidable breach of ePHI and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered entities should be aware of the possible penalties.
Fines and Penalties
Failing to implement reasonable safeguards to protect PHI when disposing of equipment can result in fines and penalties. Discarding PHI without its destruction is a violation that qualifies for the highest level of HIPAA fines. Penalties can range from $50,000 to $1,500,000 per incident, and the fines are between $10,000 and $50,000 per record when the HHS determines that un-secure disposal of computers is the result of inadequate policies or training.
Physical Safeguards for Disposal
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect your hospitals electronic information systems and unauthorized intrusion.” This standard covers the proper handling of electronic media, including receipt, removal, backup, storage, reuse, disposal, and accountability. In this context, electronic media means “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card.”
The NAID Certification Program establishes standards for secure data and equipment destruction processes. These include:
- Operational security
- Employee hiring and screening
- The destruction processes
- Responsible disposal
- Insurance
Create a Decommissioning Procedure Checklist
No matter what the reason is for removing a medical device from active use, you need to follow an orderly decommissioning procedure, which should include:
- Deleting stored data
- Decontaminating the device
- Dismantling the device so that it can’t be used
- Disposing of electric or hazardous waste in a safe and environmentally responsible manner
ZRG helps mitigate risk when disposing of medical equipment. Covered entities need to demonstrate they are contracting with firms that have reasonable controls in place to prevent the loss of PHI and to properly respond in the event of a suspected data breach. Either perform proper due diligence yourself with an on-site audit and/or find a provider with the appropriate NAID certification, which requires annual and unannounced on-site audits of firms to verify their qualifications in data destruction.
Additional References:
• The Department of Health and Human Services’ list of disposal FAQ’s
