Welcome to our FAQ about IT equipment disposal and HIPAA requirements. When deciding to recycle unwanted IT equipment, PCs, and certain medical equipment, data security and privacy are extremely important.
Frequently Asked Questions About IT Equipment Disposal & HIPAA Requirements For Businesses, Hospitals & Medical Facilities
Even non-functional computers still have a hard drive full of data inside them. For medical facilities, hospitals, offices, and schools this can include sensitive customer or client data, as well as other business data.
It is essential that all sensitive electronic data be removed completely. Beyond Surplus can handle all your data destruction and HIPAA compliance requirements.
Call 404-905-8235 If You Have Questions OR Schedule A Free Consultation Callback
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
The HIPAA Privacy Rule restricts the use and disclosure of an individual’s protected health information (PHI). Healthcare organizations and medical facilities (referred to as “the covered entity,” or CE) and any vendors or business associates of that CE are responsible for adhering to the HIPAA HITECH requirements.
What does the HIPAA Privacy Rule require regarding the disposal of E-PHI (electronic protected health information)?
HIPAA requires policies and procedures that address the disposition of protected health information (PHI) and the hardware that it’s stored on. All PHI must be removed from media before items are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii).
HIPAA does not specify a particular disposal method. However, data must be rendered unrecoverable by clearing (completely overwriting the data), purging (e.g. degaussing), or destroying (shredding, incinerating, etc.).
What Data Destruction Methods Do You Offer & Are They HIPAA Compliant?
Keep your company compliant. Our Data Destruction methods are compliant with HIPAA, Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, The Patriot Act, Identity Theft and Assumption Deterrence Act, and others. Our Data destruction methods render all media “unusable and/or inaccessible”.
Beyond Surplus recommends serialized shredding of hard drives and storage media. This includes removal of the drives, recording of each hard drive serial number, physical shredding, and generation of a Serialized Certificate of Destruction listing the serial numbers of the destroyed media and the method of destruction. We also offer Department of Defense (DoD) 5220.22-M 3-pass data sanitization in accordance with NIST SP 800-88, Guidelines for Media Sanitization.
All our Data Destruction methods and media sanitization methods are documented with a Certificate Of Recycling & Data Destruction for every load of equipment picked up.
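As an added illustration (example code written for this page, not Beyond Surplus's own tooling), the following Python script shows what a serialized destruction record of the kind described above can look like in practice: it classifies each asset as E-PHI or non-E-PHI, assigns each storage device one of the three NIST SP 800-88 sanitization categories (clear, purge, destroy), refuses duplicate or missing serial numbers, and emits a manifest with an integrity hash so a later reviewer can check that no entry was altered after the certificate was issued. All asset tags, serial numbers and the load ID are constructed placeholders, and the policy it encodes (E-PHI media is always destroyed; non-E-PHI magnetic media may be degaussed; non-E-PHI flash media is cleared by overwrite, since degaussing has no effect on flash) is this example's assumption following the recommendation on this page.

```python
"""Serialized media-sanitization manifest (added example, not vendor code)."""
from dataclasses import dataclass, field
import hashlib
import json

# NIST SP 800-88 sanitization categories.
CLEAR, PURGE, DESTROY = "clear", "purge", "destroy"

# Assumption of this example: only magnetic media can be purged by degaussing.
MAGNETIC = {"hdd", "tape"}
FLASH = {"ssd", "nvme", "usb"}


@dataclass
class Media:
    serial: str        # serial number recorded before the drive is shredded
    media_type: str    # "hdd", "ssd", "nvme", "usb", "tape", ...


@dataclass
class Asset:
    asset_tag: str
    device_type: str   # "server", "laptop", "copier", ...
    stores_ephi: bool  # result of the E-PHI vs non-E-PHI classification step
    media: list = field(default_factory=list)


def choose_method(asset: Asset, media: Media, prefer_destroy: bool = True) -> str:
    """Pick a disposition for one storage device.

    E-PHI media (and everything else when prefer_destroy is set) is physically
    destroyed. Otherwise magnetic media is purged and flash media is cleared;
    an unrecognised media type fails safe to destroy.
    """
    if asset.stores_ephi or prefer_destroy:
        return DESTROY
    mt = media.media_type.lower()
    if mt in MAGNETIC:
        return PURGE
    if mt in FLASH:
        return CLEAR
    return DESTROY


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the manifest body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(assets, load_id: str, issued: str, prefer_destroy: bool = True) -> dict:
    """One manifest entry per storage device, plus an integrity hash."""
    entries, seen = [], set()
    for asset in assets:
        if asset.stores_ephi and not asset.media:
            raise ValueError(f"{asset.asset_tag}: E-PHI asset with no media recorded")
        for m in asset.media:
            if m.serial in seen:
                raise ValueError(f"duplicate serial number {m.serial}")
            seen.add(m.serial)
            entries.append({
                "asset_tag": asset.asset_tag,
                "device_type": asset.device_type,
                "ephi": asset.stores_ephi,
                "serial": m.serial,
                "media_type": m.media_type,
                "method": choose_method(asset, m, prefer_destroy),
            })
    body = {"load_id": load_id, "issued": issued, "entries": entries}
    return {**body, "sha256": _digest(body)}


def verify_manifest(manifest: dict):
    """Return (ok, problems): hash must match and E-PHI media must be destroyed."""
    body = {k: v for k, v in manifest.items() if k != "sha256"}
    problems = []
    if _digest(body) != manifest.get("sha256"):
        problems.append("integrity hash mismatch")
    for e in manifest["entries"]:
        if e["method"] not in (CLEAR, PURGE, DESTROY):
            problems.append(f"{e['serial']}: unknown method {e['method']}")
        if e["ephi"] and e["method"] != DESTROY:
            problems.append(f"{e['serial']}: E-PHI media not destroyed")
    return (not problems, problems)


# Constructed sample inventory (placeholder tags and serials).
SAMPLE_ASSETS = [
    Asset("SRV-0001", "server", True,
          [Media("HDD-CONSTRUCTED-001", "hdd"), Media("HDD-CONSTRUCTED-002", "hdd")]),
    Asset("LT-0042", "laptop", False, [Media("SSD-CONSTRUCTED-003", "ssd")]),
    Asset("CP-0007", "copier", False, [Media("HDD-CONSTRUCTED-004", "hdd")]),
]


def demo(prefer_destroy: bool = False) -> dict:
    return build_manifest(SAMPLE_ASSETS, "LOAD-CONSTRUCTED-01", "2024-01-15", prefer_destroy)


if __name__ == "__main__":
    manifest = demo()
    print(json.dumps(manifest, indent=2))
    print(verify_manifest(manifest))
```

With prefer_destroy left at its default of True every device is shredded, which matches the recommendation above; demo() passes False only to show the purge and clear paths for non-E-PHI media. The hash makes the manifest tamper-evident, not tamper-proof: anyone can recompute it, so a real certificate would also be signed by the vendor.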
Are healthcare organizations and medical facilities required to keep patient medical records for a specific amount of time?
No. Individual state laws dictate how long patient medical records must be retained. HIPAA does require that safeguards be in place to protect the privacy of protected health information (PHI) for as long as the information is maintained. See 45 CFR 164.530(c).
What devices are at risk in hospitals, medical facilities, and healthcare organizations?
- X-ray machines, which could be rendered unusable or compromised so that image backups are copied to an attacker's network
- Pacemakers and other devices inside people
- Smartphones, Tablets, Computers or Laptops used to create electronic medical records (EMRs)
- Servers that store E-PHI, EMRs and payment information
- Defibrillators (including those implanted in people) that are Bluetooth enabled
- Temperature settings for connected coolers and refrigerators that contain blood, organs, medicine, and other items; an attacker could piggyback on the controls used to monitor temperature and make adjustments when a unit becomes too hot or cold
- CT scan machines, where radiation exposure limits could be adjusted
- MRI and other machines that rely on operators located in separate rooms or facilities for controls, settings, results recordings, and maintenance.
The list of hackable devices even includes the in-room screens and devices designed specifically to track who you are and what your medication needs are. A simple hack can reset these back to square one, or make changes to your chart that would cause the wrong medicine to be administered.
Essentially, almost any connected device in your local hospital, medical facility, or healthcare organization is vulnerable.
Beyond Surplus Recommends Serialized Disposal of Devices that store E-PHI
Can a business such as Beyond Surplus be hired to dispose of protected health information?
Yes. Healthcare organizations and medical facilities are allowed to hire third-party vendors to dispose of protected health information. There must be an agreement or contract that requires the vendor to safeguard the PHI through disposal. See 45 CFR 164.308(b), 164.314(a), 164.502(e), and 164.504(e).
What, exactly, can Beyond Surplus do to protect patient records, billing information, and other risks left on computers and other medical equipment?
At Beyond Surplus, we focus on protecting patient information, passwords and other sensitive data left in older devices. Simply throwing out an old server, laptop, PC, copier, smartphone, or hard drive can put organizations at significant risk because you cannot be sure that data lurking on these devices has been cleansed.
We tout the thorough serialized shredding and destruction of these devices because it is a simple and effective way to prevent information getting into the wrong hands. In the cases of healthcare facilities and hospitals, it helps you adhere to local and federal regulatory requirements protecting patient information and E-PHI.
In addition to the steps outlined above, all equipment is transported in secure, locked, GPS-tracked trucks. We recommend physical shredding of hard drives and storage media over DoD 5220.22-M 3-pass wipe data sanitization.
It’s how we do our part, and we welcome a conversation with you about how you can do your part to protect your organization, customers, and even the environment.
FAQ About IT Equipment Disposal & HIPAA Transfer Of Liability
Beyond Surplus is a trusted vendor specializing in medical equipment disposal. Liability is one reason facilities choose to throw their equipment away. Unfortunately, when equipment is thrown into an e-waste bin or dumpster, the hospital staff usually have no idea where their equipment will end up.
We provide documentation and signed releases of liability for every medical device removed, in the form of a Certificate of Recycling & Data Destruction. This serves as documentation of the transfer of liability.
Ready To Get Started?
Identify equipment at your facility by item type and classify each item as E-PHI or non-E-PHI (whether or not it stores electronic protected health information).
Schedule a free consultation callback or email us so we can go over your options and the services we can provide.