HIPAA-compliant data destruction
As information continues to flow, at some point we all come into contact with information that we are charged with protecting. One of the more sensitive data categories is medical information, which is protected by the Health Insurance Portability and Accountability Act, or HIPAA.
It’s not easy to quantify the cost of a HIPAA data breach. Studies place the per-record cost of mitigating these breaches between $250 and $408. That doesn’t sound too bad, except that’s per record, and no data breach is ever limited to a single record. More likely it’s hundreds or even thousands of records that are compromised, and that means that a typical data breach will cost the exposed operation anywhere between $40 and $350 million to mitigate.
No two data breaches are alike, but to assume that this information is stolen through high-tech, Mission Impossible-style attacks is to seriously ignore the effectiveness of thorough, well-considered policies. Information thieves don’t need fancy equipment and genius-level hackers to steal information when you leave it lying out in the open in the form of bagged trash or discarded hard drives.
To control your data you need to know where it is
When it comes to HIPAA-compliant data disposal, the first step is developing a complete inventory of everywhere sensitive information is stored. A complete inventory of data storage, from paper files to hard drives, is the key to making sure that you can keep tabs on your HIPAA-related data, or what the Act refers to as protected health information (PHI).
The obvious places like filing cabinets, hard drives, and laptops will certainly get a spot on the inventory, but what about your office’s copy machine? Did you know that copiers keep an image on their hard drive of every page that’s ever been copied? How often are external storage methods like USB drives or cloud storage used to hold patient or client data? When you have a solid grip on exactly where all this information is located, things will be much easier when it’s time for that data to be retired.
One man’s junk …
Document destruction is more complicated than just having an in-house shredder, and the best levels of security and HIPAA compliance require more man-hours and expertise than most organizations are able to provide using their own staff. When you decide to enlist the services of a professional, here are some key points to look for:
Chain of Custody – Are those files, hard drives, and shredded documents secure all the way from your office until they reach their final resting place? Reputable destruction companies will be able to provide logs, tracking, and complete security every step of the way.
Continually evolving services – As technology changes, the methods of securing and destroying data need to change too. If your data destruction company isn’t prepared to handle the next generation of HIPAA-compliant data storage, are they ready to handle your business in the upcoming years?
Sustainability – When dealing with obsolete hardware and paper documents, the future can hold so much more than a simple trip to the landfill. After a thorough scrubbing, many hardware pieces can find a new life in schools or in the hands of non-profits. If a laptop or mobile device is beyond repair, it still holds a variety of precious metals that can be extracted, sold, and reused. What is your data destruction company doing to reduce, recycle, or reuse?
It’s also a good idea to make sure to remove all asset tags from your outgoing and obsolete hardware so it doesn’t present itself as something that might contain valuable information. Some studies suggest that over 70% of hard drives that are believed to have been “wiped” still contain recoverable data. If we know these stats, you can be sure that the dumpster-diving thieves know them too. Now that you’ve got a better handle on how to manage the end-of-life process for data and hardware, we think the numbers will be on your side.
You’ve done right by your clients, customers, and patients up until now, so don’t drop the ball at the last minute and compromise their data. Not only can CDR ensure complete data destruction, but we can recommend ways to reuse or recycle whatever you have to dispose of. Make the call and you’ll make the world a better place for everyone.