Data Security & HIPAA

Data Security & HIPAA

As healthcare networks across the country have allowed employees to work from home, it is essential to remember this equipment needs to be handled appropriately as people come back to work. We at ACE understand the risks and returns this equipment can provide to an entity.

45 CFR 164.310(d)(2)(i) and (ii) covers the disposal of electronic equipment, which requires policies and procedures to be developed and implemented to address the final disposition of ePHI (Electronic Protected Health Information), and the media on which it is stored. ePHI must be removed from electronic devices before they are re-used, scrapped, or recycled.
​
Prior to disposing of electronic media, all ePHI on the devices must be rendered unreadable, indecipherable, and incapable of being reconstructed. OCR suggests clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (physical destruction) the information from the electronic media.

If a covered entity is unable to perform these actions, a vendor can be used. That vendor would naturally be a business associate, and a HIPAA-compliant business associate agreement would need to be signed by both parties before any devices are handed over.

The failure to remove ePHI prior to disposal is a violation of HIPAA Rules, and one that could potentially result in an impermissible disclosure of protected health information. It could also lead to a financial penalty for noncompliance with HIPAA Rules.