May 06, 2021

How can businesses ensure HIPAA compliant data destruction?

Large healthcare data breaches are up 25% over 2019 and have tripled in the last ten years. In addition, more than four out of ten healthcare organizations anticipate some type of data breach in the next five years. These statistics reflect a growing concern for healthcare organizations—the mounting risk of HIPAA violations due to stolen information. To better preserve data security and ensure HIPAA compliance, hospitals, health systems, and physician practices should have comprehensive programs in place that tackle potential hazards.

What Information Is at Risk?

Hackers and fraudsters are looking for some key pieces of data that enable identity theft and other nefarious activities. Such information includes:

  • Patient name
  • Date of birth
  • Social Security Number
  • Health plan number
  • Medical information
  • Financial data

Documents housing this information should be considered sensitive and secured appropriately to safeguard patient privacy.

Don’t Underestimate the Risks of Paper

Even though hacking incidents targeted at electronic information account for 67% of large data breaches and 92% of breached medical records, there are still potential security issues around paper-based information. In fact, according to a recent study, paper and film are the most common causes for breached data in healthcare. Due to the nature of healthcare, it’s a safe bet that every document that’s printed or otherwise generated during the course of care contains some form of protected data. Consequently, organizations must have policies and procedures that govern and support paper document handling, storage, and disposal. Unfortunately, about a third of healthcare organizations do not have such a policy, and only 16% have access to a professional shredding service—a key strategy to ensure secure document disposal.

An experienced shredding service like Shred-it can provide document destruction at regularly scheduled intervals to make sure any confidential papers are destroyed appropriately and consistently. In addition, if an organization is going through a large-scale clean-out, such as when purging old paper-based medical records, a one-time, on-demand shredding is also a wise choice. To streamline both periodic and one-time shredding events, organizations may want to institute a Shred-it all policy, where staff are not required to segregate confidential papers from regular ones. In these arrangements, all paper is shredded to reduce the risk of throwing sensitive documents into the regular trash. Unlike generic office shredders, a shredding service can easily handle a variety of formats, such as stand-alone documents, stapled and paper-clipped packets, x-rays, MRI recordings, and photographs.

Old Technology Presents Hazards as Well

In addition to safely destroying paper, it is also important that any data housed on outdated or unused technology is irretrievable, including data from old computers and photocopiers, USB keys, and CD-ROM and DVD storage systems. While it may be tempting to throw non-functioning technology in a dumpster, the only way to be 100% confident that the information stored on the equipment cannot be accessed is to fully destroy the equipment.

Staff Training Is Also Essential

To ensure policies and procedures are effective, organizations must train staff on how to preserve information privacy and security, including employees’ role in paper handling, storage, and disposal. Although this has always been a HIPAA requirement, it is even more critical now as people shift between home and onsite work settings and may be taking papers back and forth between locations, increasing the risk of a HIPAA compliance violation.

When it comes to training, healthcare organizations have room for improvement. One in five do not offer information security training during employment, and nearly that same number (18%) only train employees once. Whether an organization needs to provide new-hire training, annual refreshers, or timely security reminders, online training can be beneficial because these programs are available 24/7/365 and are kept current with the latest HIPAA requirements.

Now is the time to make sure your HIPAA policies, procedures, and training are up to date. Learn more about how Shred-it can help your organization keep confidential information safe.