
HIPAA: Health Insurance Portability and Accountability Act

This rule applies to everyone who handles medical data

HIPAA As It Applies To Data Destruction

HIPAA is a huge piece of legislation regarding your medical information; the condensed information here is taken from the US Department of Health and Human Services. Erecycler knows the HIPAA rules and can help get your company into compliance. Contact us today.

Health Insurance Portability and Accountability Act. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

All those who meet the definition of a ‘covered entity’ under HIPAA must comply with HIPAA requirements to protect the privacy and security of health information.  They must also provide individuals with certain rights with respect to accessing their health information.

Those defined as covered entities are:

  • Health care providers
  • Health plans
  • Healthcare clearinghouses

Until recently, only covered entities were required to comply with the HIPAA Privacy Rule and the Security Rule.  In 2009, HITECH extended HIPAA rules to apply to those who assist covered entities, known as ‘business associates.’  The proposed HIPAA rule would change HIPAA’s definition of business associates to include:

  • Entities or persons that provide data transmission services to a covered entity and require routine access to protected health information (PHI)
  • Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate
  • Vendors that offer personal health records to one or more individuals on behalf of a covered entity

HITECH also strengthens enforcement penalties for healthcare professionals who are guilty of willful neglect.  It extends HIPAA’s penalties to business associates as well.

Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).

Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation. In general, examples of proper disposal methods may include, but are not limited to:

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
  • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
Sources:

http://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html
http://www.hrsa.gov/healthit/toolbox/HIVAIDSCaretoolbox/SecurityAndPrivacyIssues/whoisreq2comply.html

In Your Office Data Destruction

We will come to your location with our portable equipment, destroy your hard drives, and record their serial numbers. Documentation and certificates of destruction are included. We can also degauss your backup tapes onsite and pick up your computers for recycling while we are there.

Erecycler's 100hp Shredder

Our In-House Shredder

In our Dallas facility we have an enormous shredder capable of shredding approximately 2000 hard drives per hour, with the end result being many twisted and mangled bits of scrap metal that will be further recycled. Information destroyed in this way is absolutely unrecoverable. We offer this particular service for clientele in need of high-volume destruction.

Is Your Data Safe?

We offer flexible data security plans. All of our data security plans meet or exceed the standards of NIST, HIPAA, FACTA, DoD and NSA for data destruction. All destruction plans include the use of our private client portal to track your data destruction and certificates.