Between 2005 and 2019, more than 249 million people were affected by healthcare data breaches. More than 157 million of those cases happened between 2014 and 2019. Several factors can lead to a breach, but one of them is improper disposal of outdated or unnecessary electronics like computers, storage devices, copiers, etc. More than 23.5 million cases were linked to the loss or theft of portable electronic devices.
When a third-party vendor was hired to dispose of healthcare records for several providers, something went wrong. Providers, including Elkhart Emergency Physicians and St. Joseph Health System, learned that their items were found at a dumpsite after being mixed with other trash. This improper disposal impacted approximately eight years of patient records.
In 2014, a New Jersey doctor was storing unused electronics in a shed behind the medical practice. The shed was broken into, and patient records from 1982 to 2009 were stolen. Leaving items to sit for months or years before hiring ITAD services is not advisable.
While many healthcare breaches are linked to ransomware and malware, thieves are always looking for other ways to get their hands on medical records. Your healthcare company must take steps to encrypt information, keep laptops and computers secure when they’re not in use by a worker, and properly dispose of old electronics.
Follow the Laws for Disposal of Electronics and Patient Data
As a healthcare company, you’re bound by several laws that require you to protect your patients’ privacy. Violations of The Health Insurance Portability and Accountability Act (HIPAA) can lead to both civil and criminal penalties.
HIPAA goes hand in hand with The Health Information Technology for Economic and Clinical Health (HITECH) Act, requiring healthcare companies to protect privacy and security. Those who violate HITECH face penalties. The fines depend on the penalty tier, which ranges from Tier 1 to Tier 4.
- Tier 1 (Unaware that rules have been violated) – $100 to $50,000 per violation/maximum of $25,000 per year
- Tier 2 (Should have known that rules had been violated) – $1,000 to $50,000 per violation/maximum of $100,000 per year
- Tier 3 (Willful neglect, but violations were corrected within 30 days) – $10,000 to $50,000 per violation/maximum of $250,000 per year
- Tier 4 (Willful neglect, and no effort was made to correct violations within 30 days) – $50,000 per violation/maximum of $1.5 million per year
That covers HIPAA and HITECH. There are a couple of other federal laws you need to keep in mind. The Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA) is one of them. This regulation requires any business that generates hazardous waste to dispose of it properly. As part of the healthcare industry, you face fines and cleanup costs if you, or someone you donate your electronics to, disposes of any hazardous waste illegally or improperly.
The Resource Conservation and Recovery Act (RCRA) also requires proper disposal of hazardous waste. Older equipment containing cathode ray tubes and other hazardous materials has to be kept out of the landfill.
If you partner with an ITAD facility that is knowledgeable in HIPAA laws and the best environmental practices, you remove the risk of any violation. To do this, you need to understand what needs to be recycled.
What Items Must Be Destroyed
Data is stored in far more devices than most people realize, so you must be careful to destroy every piece of electronics that holds it. Computers, external hard drives, tablets, copiers, and printers are only part of the list. You also need to hire an ITAD provider to properly recycle and destroy the data in smartwatches, servers, phone systems, lab equipment, and more.
If your healthcare company or practice uses a fax machine, it has to be properly destroyed. Modems and routers, EKG equipment, and televisions are also recyclable. A good rule of thumb is if it has a cord or battery and is used to store, transmit, or collect patient information, you need to dispose of it properly.
What if the electronic items aren’t used on patients or to store patients’ information? Remember that electronic devices contain heavy metals, plastics, and glass components that harm the environment. In many states, you must keep these items out of the landfill. Recycle them with an electronics recycler to help protect the earth.
Ensure You Partner With the Right ITAD Provider
How do you make sure you’re not in violation of HIPAA or HITECH? You must ensure that any electronic personal health information is handled responsibly and follows the laws. When you have electronics that need to be destroyed or recycled, you need to choose your ITAD partner carefully. There are some simple steps to take to make sure you select the right ITAD provider.
#1 – Check the Company’s Certifications
Look for a provider that holds e-Stewards, ISO 9001, ISO 14001, ISO 45001, NAID AAA, and R2 certifications. Why choose these certifications? They are only given to ITAD companies that pass random audits ensuring recycling is done responsibly, follows the laws, and protects the employees working in that company. They guarantee a company never sends electronics to another country where they could be disposed of improperly or sold to others looking to get confidential information from old drives.
ERI holds all of those certifications and has eight recycling facilities across the U.S., ensuring the ITAD expert can help businesses with secure and responsible electronics recycling. If your healthcare company has outdated or broken electronics you no longer need, give us a call. We’re happy to help destroy the data, get you a fair price for anything that can be remarketed, and recycle the rest.
#2 – Ask About Secure Shipping Containers and Abilities to Track
It’s important that healthcare electronics stay secure while they are being shipped. ERI came up with an innovative solution for one large hospital group: secure, locked, tamper-proof recycling bins were placed in the hospital for easy drop-off. Once filled, the containers were securely shipped to ERI for data destruction and recycling, following HIPAA and PHI requirements.
Ask about the chain of custody and how you’ll be able to track the electronics you send for data destruction and recycling. With ERI, you always know exactly where your items are thanks to Optech software. Stay up to date on the status of your IT assets, review an inventory of everything you sent us, and see what will be sold for reuse.
#3 – Make Sure You Get a Certificate of Destruction
You want to prove that data was destroyed and that your third-party vendor recycled items following HIPAA and HITECH regulations. Ensure the ITAD provider you choose gives you a certificate of destruction at the end of the process. With ERI’s Enhanced Data Destruction, you can even have video footage to verify NAID-certified procedures were used as your electronics were destroyed. We can recycle many types of specialized healthcare electronics, including monitors, IV pumps, EKG machines, X-ray machines, and ultrasound, CT, and PET scanners.
Because our facilities are secured with fences and gates, alarms, guards, and video surveillance, you don’t have to worry about someone sneaking in and stealing your devices before they’re processed. We destroy data at the level you need. Even if you’re a government agency, you never have to worry. Data is destroyed, items are shredded, and the metals, plastics, and glass are recycled in the U.S. Our company never ships items to another country. Learn more by calling us at 1-800-ERI-DIRECT.