HIPAA Posts

Is your organization required to comply with HIPAA privacy standards? If so, you’ve probably heard the term PHI – which is short for Protected Health Information. In the past we’ve written about how Protected Health Information must be rendered “Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” — and that leads HIPAA covered entities and business associates to be especially careful about encryption at rest, encryption in-transit, and authentication.

However, today we’d like to take a step beyond that, to a day that no one enjoys but everyone experiences at some point. What happens when a hard drive containing Protected Health Information fails? The problem that most organizations face on that day, is the uncertainty about how to dispose of this type of storage device if they don’t have the luxury of being able to use software-based utilities for clearing it’s contents.

If you are subject to HIPAA (either as a Covered Entity or as a Business Associate), you may have heard that you have Media Sanitization obligations.  Anytime you take a storage device (like a laptop with a hard drive) and dispose of it, sell it, or otherwise transfer it, you need to pause briefly to make sure you follow your media sanitization obligations.  We find much of the material on this to be written in a way that is extremely hard for anyone but an IT / HIPAA specialist to understand, so we're writing this article in plain language to cover some of the key points.