All healthcare providers are mandated to comply with a myriad of both environmental and data protection requirements, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Resource Conservation and Recovery Act (RCRA), and state and local laws, as well as possibly the Federal Information Security Modernization Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS).
HIPAA’s “Final Security Rule” requires the safeguarding and destruction of any Electronic Protected Health Information (ePHI) residing on legacy equipment or electronic health records (EHRs) being upgraded or taken out of service.
As healthcare organizations refresh hardware, equipment, and EHRs, ePHI can remain on a wide variety of devices, including computers, mobile devices, copiers, printers, and imaging equipment. Unless those devices are properly sanitized, ePHI may still be present, especially if ineffective means such as primitive physical destruction methods are used. This exposes the organization to the potential for a costly data breach and reputational damage.
Most people responsible for healthcare compliance are aware of the healthcare provider that had 57 hard drives stolen from a storage closet, resulting in a $1.5M HHS settlement and almost $17 million in costs to investigate, remediate, and achieve adequate controls. What if those hard drives had been found in a landfill, or reused in a computer and resold without the data being completely sanitized? Would the cost impact be any different? A related facet of asset disposition is the responsible disposal of non-data-bearing electronic devices such as pulse oximeters, glucose monitors, MRI equipment and televisions, as well as general e-waste.
However, it is about more than just the potential civil and criminal penalties for improper disposal. The healthcare community should be especially concerned about recycling practices: e-waste comprises only 3% of the waste stream to landfills, yet accounts for 70% of the toxic substances found in landfills, including lead and mercury. Worse yet, much of the domestically generated e-waste is shipped to developing countries where it is processed unsafely, exposing communities, especially children, to extremely high levels of hazardous substances.
Protect your Organization
The issue is twofold: an organization must protect the ePHI contained in end-of-life equipment while also ensuring that both data-bearing and non-data-bearing electronic equipment is properly recycled, to comply with all applicable regulations and to protect the reputation of the organization.
ERI safeguards organizations, people and the environment by ensuring full compliance with all regulations applicable to healthcare organizations. As the largest fully integrated IT and electronic asset disposition provider in the United States, we offer a nationwide solution while maintaining the highest certifications for both data destruction (NAID) and responsible recycling at all our facilities. The EPA recognizes only two certifications for electronics recycling: R2 and e-Stewards – we hold both.
ERI provides comprehensive data destruction and electronics recycling services with a defensible “audit trail.” This enables organizations to demonstrate compliance with all requirements for data destruction under the applicable healthcare regulations as well as for environmental compliance.
Choosing ERI is the best way to safeguard your organization's IT and electronic asset disposition. However, if you choose to use other providers, please ensure that they are certified – it may even be a HIPAA violation if you don't.
To learn more about how ERI can help your healthcare organization or for a free compliance assessment, contact us today.