Secure Information Destruction: An Essential Element in HIPAA Compliance
Large healthcare data breaches are up 25% over 2019
and have tripled in the last ten years. In addition, more than four out of ten
healthcare organizations anticipate some type of data breach in the next five years. These statistics reflect a growing concern for healthcare organizations—the mounting risk of HIPAA violations due to stolen information. To better preserve data security and ensure HIPAA compliance, hospitals, health systems, and physician practices should have comprehensive programs in place that tackle potential hazards.
What Information Is at Risk?
Hackers and fraudsters are looking for some key pieces of data that enable identity theft and other nefarious activities. Such information includes:
- Patient name
- Date of birth
- Social Security Number
- Health plan number
- Medical information
- Financial data
Documents housing this information should be considered sensitive and secured appropriately to safeguard patient privacy.
Don’t Underestimate the Risks of Paper
Even though hacking incidents targeted at electronic information account for 67% of large data breaches and 92% of breached medical records
, there are still potential security issues around paper-based information. In fact, according to a recent study
paper and film are the most common causes for breached data in healthcare. Due to the nature of healthcare, it’s a safe bet that every document that’s printed or otherwise generated during the course of care contains some form of protected data. Consequently, organizations must have policies and procedures that govern and support paper document handling, storage, and disposal. Unfortunately, about a third of healthcare organizations
do not have such a policy, and only 16% have access to a professional shredding service—a key strategy to ensure secure document disposal.
An experienced shredding service like Shred-it can provide document destruction at regularly scheduled intervals to make sure any confidential papers are destroyed appropriately and consistently. In addition, if an organization is going through a large-scale clean out, such as when purging old paper-based medical records, a one-time, on-demand shredding is also a wise choice. To streamline both periodic and one-time shredding events, organizations may want to institute a Shred-it all policy
, where staff are not required to segregate confidential papers from regular ones. In these arrangements, all paper is shredded to reduce the risk of throwing sensitive documents into the regular trash. Unlike generic office shredders, a shredding service can easily handle a variety of formats, such as stand-alone documents, stapled and paper-clipped packets, x-rays, MRI recordings, and photographs.
Old Technology Presents Hazards as Well
In addition to safely destroying paper, it is also important that any data housed on outdated or unused technology is irretrievable, including data from old computers and photocopiers, USB keys, and CD-ROM, and DVD storage systems. While it may be tempting to throw non-functioning technology in a dumpster, the only way to be 100% confident that the information stored on the equipment cannot be accessed is to fully destroy the equipment
Staff Training Is Also Essential
To ensure policies and procedures are effective, organizations must train staff on how to preserve information privacy and security, including employees’ role in paper handling, storage, and disposal. Although this has always been a HIPAA requirement, it is even more critical now as people shift between home and onsite work settings and may be taking papers back and forth between locations, increasing the risk of a HIPAA compliance violation.
When it comes to training, healthcare organizations have room for improvement. One in five
do not offer information security training during employment and nearly that same number (18%) only train employees once. Whether an organization needs to provide new hire, annual refresher, or timely security reminders, online training can be beneficial because these programs are available 24/7/365 and are kept current with the latest HIPAA requirements
Now is the time to make sure your HIPAA policies, procedures, and training are up to date. Learn more about how Shred-It can help your organization keep confidential information safe