Beyond Compliance: Ensuring Data Integrity and Security in the Pharmaceutical Industry

August 14, 2024 at 8:00 am by Amanda Canale

There is no disputing that the pharmaceutical industry handles vast amounts of sensitive data, ranging from proprietary research and development information to personal health records and clinical trial results.

As cyber threats grow increasingly sophisticated, protecting this sensitive information from unauthorized access and potential breaches is critical. The stakes are understandably high, as this data is not only the backbone of life-saving drugs and therapies but also a prime target for cybercriminals. 

Thankfully, in the digital age there is a diverse range of cybersecurity measures pharmaceutical companies can adopt, from cloud and network security to compliance regulations and maintaining a strict chain of custody. However, even with these measures in place, the threat of a breach can last long after a drive has reached the end of its lifecycle, which is why high-security data decommissioning is another crucial aspect of proper cybersecurity.


Importance of Compliance Regulations

Pharmaceutical companies operate in a highly regulated environment where compliance is critical. Regulatory bodies like the U.S. Food and Drug Administration (FDA), the Health Insurance Portability and Accountability Act (HIPAA), and the EU’s General Data Protection Regulation (GDPR), among others, have stringent guidelines concerning data management. These guidelines also include what constitutes proper destruction, an aspect of data security that we argue is the most important.

These guidelines are in place to prevent unauthorized access to confidential information, safeguard patient privacy, and maintain the integrity of research data. If a pharmaceutical company fails to comply with these regulations, it can face severe penalties, including hefty fines, legal action, damage to its reputation, and of course, adverse effects on the lives of its patients.

Critical Compliance Regulations

Regulations like the FDA’s 21 CFR Part 11, which governs electronic records and electronic signatures, require that companies implement robust controls to ensure data integrity and security. Part 11 requires that any actions taken on electronic records, including their destruction, be recorded in an audit trail. This documentation provides validated proof that the records were destroyed in compliance with regulatory standards and that the process was carried out by authorized personnel, ensuring that patient signatures remain secure. This kind of documentation is called a chain of custody, which we will discuss in depth later in this post.

Similarly, the EU’s General Data Protection Regulation (GDPR) mandates strict data protection measures. Pharmaceutical companies conducting medical trials in Europe are required to comply with GDPR regulations, including the mandate that patient data should never leave the clinical site and is only accessible by authorized personnel. 

For example, pharmaceutical companies must obtain explicit consent from their patients before collecting and processing their personal data. GDPR also requires companies to implement strict security measures to protect data from unauthorized access or disclosure, including the secure disposal of personal data when it is no longer needed. Compliance with these regulations is not optional; it is a legal requirement that ensures the trust and safety of all stakeholders involved.

One of the most prominent regulations is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national standards for protecting patient health information, requiring pharmaceutical companies to implement robust safeguards when handling, storing, and transmitting patient data. This includes ensuring that data is encrypted, access to information is restricted, and that there are protocols in place to detect and respond to potential data breaches. Companies must also provide patients with rights over their data, such as the ability to access and request corrections to their health information. 

Francesco Ferri, an OT security deployment and operations lead at GSK, a global biopharma company, told Industrial Cyber that, “a key factor that sets the pharmaceutical sector apart is that integrity takes priority over availability. Safety is always the main focus.”

We couldn’t agree more. After all, high-security data destruction equipment is essential for meeting these regulatory requirements.


Criticality of High Security Data Destruction

Beyond compliance and the implementation of the most robust cybersecurity defenses, the need for high security data destruction measures is driven by the critical need for data security and patient privacy. The pharmaceutical industry is a lucrative target for cyberattacks due to the high value of the data it holds. From clinical trial results to proprietary formulas, the information stored by these companies is highly sought after by hackers and competitors. 

Traditional methods of data decommissioning, such as deleting or overwriting files, are not a sufficient form of destruction, especially now in an era where data recovery technologies have advanced significantly. Given the uptick in the storage capacity of hard drives, proper decommissioning is crucial in safeguarding sensitive information. High-security data destruction equipment ensures that data is irretrievably destroyed, leaving no possibility for reconstruction.

Without proper destruction protocols, sensitive information can be retrieved, leading to breaches that could compromise patient safety and intellectual property and hand an advantage to competitors. A breach of this data, in any capacity, could have catastrophic consequences, including the theft of intellectual property, which could cost billions in lost revenue, or the manipulation of research data, potentially leading to unsafe products reaching the market.

Even though the pharmaceutical industry is worth over a trillion dollars, the average cost of a data breach is approximately $4.88 million, which can still gravely affect the average pharmaceutical company.

Chain of Custody’s Role in Data Security

It would be irresponsible of us to discuss proper compliance regulations and the criticality of high-security data destruction in depth without talking about the vital importance of creating and maintaining a chain of custody.

A chain of custody is strictly detailed documentation of the data’s handling, movement, access, and activity throughout its lifecycle. This type of documentation, which should only ever be handled by authorized personnel, is crucial not only for compliance and auditing purposes, but also in ensuring that the data has been securely destroyed once it reaches end-of-life. A chain of custody and secure data decommissioning procedure should always go hand-in-hand.


Conclusion

A robust cybersecurity system, compliance with regulatory mandates, a documented chain of custody, and a high security data decommissioning process combine to create a comprehensive framework for safeguarding sensitive information, ensuring data integrity, and mitigating risks throughout the entire data lifecycle. In doing so, pharmaceutical companies can reinforce the trust that stakeholders, including patients, partners, and regulators, place in their hands. 

Protecting this information through proper data destruction and cybersecurity practices is not just a regulatory obligation but a moral one, as well. It shows a commitment to safeguarding the dignity and privacy of individuals who rely on pharmaceutical companies to act responsibly. Our very lives depend on it.

 

History of Federal Data Privacy Regulations in the US

July 3, 2019 at 2:52 pm by Paul Falcone

Throughout its history, the United States has passed quite a few different laws to protect the privacy of its citizens. Generally, each law focuses on protecting one specific aspect of privacy, but is extremely specific and in-depth on that one aspect. With the growth of the digital age, it is important to ask whether the United States is doing a good enough job keeping up with cybersecurity and data privacy.


4th Amendment

One of the first privacy laws the United States passed was the 4th Amendment, which protects people from unlawful searches. While the 4th Amendment protects people from physical and apparent searches, it has birthed some confusion regarding modern technology. In the case of Carpenter v. United States, it was ruled that the 4th Amendment's protection extends to searches of cell phone location data, but the case went all the way to the Supreme Court, which ruled 5-4 in favor of cell phone privacy.

Fair Credit Reporting Act (FCRA) 1970

The FCRA protects citizens from having their consumer reporting agency files used against them. A consumer reporting agency file holds personal information used to decide credit, insurance, banking info, and more. The Act prevents information in a person's file from being used without their knowledge and allows a person to know what is in their file. The FCRA also allows a person to dispute inaccuracies and forces agencies to delete false or inaccurate information as well as incomplete information.

US Department of Health, Education, and Welfare (HEW) 1973 Computers and the Rights of Citizens

HEW is a report that was focused on the growing use of computers, and how that could impact the future of data keeping and protection. It focused on consequences of using automated personal data systems, how to stop those consequences, and policy for social security numbers.

Privacy Act of 1974

The Privacy Act of 1974 was a turning point in data privacy and security. It protects information that would be retrieved by an individual through their name or any other personally identifiable mark, and prevents said information from being disclosed without written consent of the individual in question. The Privacy Act of 1974 is the biggest step the United States took for data privacy and paved the way for more specific data privacy laws in the future.

Federal Educational Rights and Privacy Act (FERPA) 1974

FERPA protects educational information from being disclosed. Essentially, the Act prohibits schools from sending out information to anyone. Parents are allowed access to the educational info, but once the student turns 18 and continues schooling beyond high school, the rights transfer to the student. There are, of course, certain people to whom the schools can send information, but they are all either financial, for the good of the student’s education, or for legal purposes. Schools can disclose certain information, such as name and date of birth of a student, but to do so, they must contact said student beforehand and give them a reasonable amount of time to request it not be shared.

Right to Financial Privacy Act (RFPA) 1978

RFPA protects the financial privacy of people. Essentially, it does not allow anyone to view financial information of a person without the person being notified and given a chance to object. In the words of this law, a “person” is judged to be an individual or a partnership of five or fewer individuals. In other words, it does not extend to corporations or large partnerships.

Video Privacy Protection Act of 1988 (VPPA)

The VPPA protects from the disclosure of rental records of “prerecorded video cassette tapes or similar audio-visual material.” Effectively, it means that without written consent or a valid warrant, no one can get the information of what a person has rented in the past.

The Gramm-Leach-Bliley Act of 1999 (GLBA)

GLBA ensures that financial institutions explain their information-sharing processes to their customers. It also makes the institutions safeguard their consumers’ sensitive information. A financial institution is a company that deals in the business of loans, investment advice, or insurance.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA protects the health information of individuals. It forces the protection and integrity of health information and it expects institutions to protect against anticipated threats against the security of the info as well as illegal disclosure.

Driver’s Privacy Protection Act of 1994 (DPPA)

The DPPA protects the information held by any state DMV. It disallows the use or release of personal info obtained from any department in relation to a motor vehicle. The information covered by this act includes name, address, SSN, phone number, and other personal effects. It does not cover traffic violations, accidents, or license status.

Children’s Online Privacy Protection Act of 1998 (COPPA)

COPPA protects children’s privacy by restricting the collection and use of their information. A child is defined as being under the age of 13. It requires the consent of a parent for the information of a child to be taken or used. This act applies specifically to websites and online services that are targeted at children.

Federal Information Security Management Act of 2002 (FISMA)

In short, FISMA is the government protecting its own cybersecurity and setting guidelines for its own security moving forward. This act was the government acknowledging the importance of cybersecurity. It has since been replaced by the Federal Information Modernization Act of 2014, which is commonly referred to as FISMA reform or FISMA2014. FISMA2014 amended laws to give the government more room to increase its own cybersecurity.

Fair and Accurate Credit Transactions Act of 2003 (FACTA)

FACTA provides consumers with more accurate credit related records and entitles them to one free credit report per year from the three credit reporting agencies — Experian, Equifax, and TransUnion. It also grants consumers the ability to purchase additional credit reports for a reasonable price. The act also allows consumers to place alerts on their credit histories, to help prevent identity theft.

Telephone Records and Privacy Protection Act of 2006 (TRPPA)

TRPPA prevents pretexting – the imitation or impersonation of someone else in order to gain personal information – to buy or sell personal phone records. It should be noted that it does not affect information agencies or law officials.

State Laws and Federal Mandate

As it currently stands, many of the states have their own specific data privacy laws. Some states have more protection than others. For instance, Massachusetts has passed more data security laws than Tennessee, which has stayed closer to the federal laws alone.

In the digital era we live in, data security is a rising problem. As technology improves, more personal information becomes digital, and more security is needed. There needs to be a federal mandate that brings a unified guideline to all states that will encourage stronger cybersecurity protocols. In this current day and age, individual citizens want to be 100% certain that their personal information is well protected. Furthermore, if all the states have different laws, companies will not be able to comply with all of them, and will be forced to adhere to the strictest policies, or discontinue business with certain states altogether.

The United States has consistently been putting out laws to protect privacy and enforce cybersecurity. Given that history, it is safe to assume that it will continue to do so into the future. It is clear that cybersecurity is a major concern of the United States. The next step would logically be the United States releasing a federal mandate to standardize the data privacy laws for all states. Moving into the future, the United States needs to stay on top of new technology, and pass laws to better protect its citizens from cybercriminals.

Data Security Regulation Compliance: Challenges and Solutions

July 1, 2019 at 8:28 pm by Paul Falcone

GDPR. GLBA. FACTA. These are just a few of the recent onslaught of acronyms that have risen to govern federal and state privacy and data security regulations for businesses and organizations. Some are truly new, while others have been established for quite some time and are just getting more attention now. Indeed, consumer privacy laws and protocols have been the focus of society’s conversation at large for the last two years. And, this global conversation is only just getting started.

If you’re just joining in on the discussion, or even if you’re not and you want a quick refresher, continue reading for a quick overview of the most important national and international data security regulations currently in effect.

The Top 8 Data Security Regulations

HIPAA Privacy & Security Rules

Providers, professionals, and clearinghouses (hereafter referred to as covered entities) in the healthcare industry that are covered under HIPAA must also adhere to specific security regulations for all Protected Health Information (PHI) that the organization collects.

The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c). In addition, the HIPAA Security Rule also requires the covered entity to set policies and procedures for the disposal of electronic PHI (ePHI). As part of this mandatory safeguard process, covered entities must also train their workforce members on the proper disposal policies and procedures erected and enforce these policies. See 45 CFR 164.310(d)(2)(i).

These rules hold especially true with the disposal of PHI and require the covered entity to not only destroy the ePHI and the hardware or electronic media on which it is stored, but to first properly dispose of the ePHI data on the media before that media is made ready for reuse. Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI, and consequently, the potential for identity theft, employment discrimination, or even harm to the individual’s reputation. Moreover, the covered entity can face serious penalties for noncompliance.

FACTA

The Fair and Accurate Credit Transactions Act (FACTA) is an addendum to the Fair Credit Reporting Act (FCRA) and covers creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information. FACTA limits how consumer information can be shared as well as controls how this private data is disposed of, to ensure protection of the individual to whom the information pertains from identity theft.

When it comes to the proper disposal of consumer information, FACTA stipulates that reasonable measures must be taken by the organization to prevent the theft or otherwise unauthorized access and use of the protected data. The Rule mandates said data be destroyed by the pulverization, shredding, or burning of all papers on which the consumer information is printed, rendering the information unreadable and otherwise unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information.

Organizations under FACTA may also need to incorporate their data disposal policies into the organization’s security information program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”) and for persons subject to the Gramm-Leach-Bliley Act.

GLBA

The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.

Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. Because these organizations are significantly involved in providing financial products and services, they therefore have access to personally identifiable and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.

GLBA-covered organizations must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.

FISMA

To ensure the protection of proprietary United States data within government agencies and affiliated organizations, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002. Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all US government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.

In 2014, this law was amended to the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with policies for information security for non-national (civilian) security federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting of any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.

The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses fall under FISMA regulations.

Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for the organization and an IT budget cut, as well as significant administrative ramifications to the organization. However, failure to comply with FISMA, especially when it comes to breach-avoidance and proper data destruction, can have much grander and more catastrophic implications. Should any private, secured federal data be compromised and the organization was found to be noncompliant, there are serious civil and criminal federal consequences.

GDPR

While a security regulation of the EU, the General Data Protection Regulation (GDPR) of 2016 is applicable to those US-based organizations that do business internationally. GDPR effectively puts the customer first over the business, ruling that all private data is owned by the customer and not the business by which it was collected.

GDPR ensures the protection and privacy of consumer data as it is handled, stored, disclosed, and disposed of by the organization that holds it. Following GDPR requires obtaining consumer consent before collecting any data, providing consumers with a full report on what data has been collected and how it’s used if they request it, as well as a copy of the data itself and the immediate and proper destruction of data if the consumer requests it to be deleted. The organization must also have proper security controls in place for the safeguarding of consumer data and must place someone within the company to oversee and manage these compliance policies, including for data disposal.


An organization under GDPR that is found to be noncompliant is subject to a fine equaling two to four percent of its global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million).

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law for the handling of personal information by all federally regulated organizations as well as private-sector commercial organizations, regardless of the industry.

Like GDPR, organizations covered by this law must first obtain a consumer’s permission and consent before collecting, using, disclosing, and/or storing any personally identifiable information (PII). In addition, PIPEDA mandates that the information obtained can only be used for the purpose for which it was originally collected or else the organization needs to obtain renewed consent from the consumer for the use change. Moreover, consumers have the right to access their stored personal information as well as the right to challenge its accuracy. (The only organizations exempt from PIPEDA are those that are already subject to the similar privacy laws for private-sector organizations within Alberta, British Columbia, and Quebec provinces.) Canadian-based organizations that handle PII crossing provincial or national borders are also subject to PIPEDA compliance.

SOX

Aptly referred to as the “Corporate and Auditing Accountability and Responsibility Act” or the “Public Company Accounting Reform and Investor Protection Act,” the Sarbanes-Oxley (SOX) Act of 2002 addresses the standards by which the management and board of directors of any US-domestic public company handle the financial information and financial reporting of the organization. The SOX Act also extends to public accounting firms as well as to other companies that do business with publicly traded companies, even if said company is not a publicly traded entity.

The SOX Act is made up of two main clauses. According to Section 404 under the Management Assessment of Internal Controls, Clause A requires these publicly traded companies to create a commission on behalf of the company that develops and enforces rules for maintaining an internal control report for each annual financial report by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)). This internal control report must include information and policies on how management establishes and maintains an adequate structure for internal control as it pertains to the financial reporting of the company. Clause A also requires the commission to write up an annual report on the effectiveness of the internal control policies and financial reporting procedures at the end of each fiscal year.

Clause B expands on the regulations for the internal control evaluation and reporting, adding the required responsibility of the commission or registered public accounting firm issuing the audit report to accurately prepare the audit as stated in Clause A. That is, said commission or public accounting firm is also held liable for the reported information claimed about the management of the stated financial information in the internal control report.

Maintaining compliance with the SOX Act therefore means ensuring all financial information and reporting that pertains to the organization is kept secure and protected from unauthorized personnel and possible theft.

PCI DSS

The Payment Card Industry (PCI) Data Security Standard (DSS) protects consumer cardholder data by helping to alleviate the vulnerabilities experienced by credit card merchants for payment card transactions and processing systems.

Following common sense, PCI DSS mandates the credit processing merchant organization adhere to the following three steps: 1) Assessment, as in analyzing the IT assets and payment card processing protocols for the organization to identify any vulnerabilities with regard to the storage of cardholder data; 2) Remediation, as in the fixing of all identified vulnerabilities, and also applicable to ensuring cardholder data is not stored unless it is needed by the business; and 3) Reporting, as in the compilation of records to ensure validity of any remediation actions and the submission of all compliance reports to the bank and card brands with whom the organization does business. Finally, these DSS rules apply to all entities globally that store, process, and/or transmit cardholder data, and include guidance for software developers and manufacturers of applications and devices used in those transactions.

A Standard for Compliance

Depending on the type of business you manage or own, your organization may be subject to one or more of these data and privacy security laws. Rather than create varied sets of rules and policies for each, which could cause issues in overhead and personnel costs, not to mention unnecessary protocol confusion and training needs, it would behoove your business to develop one data security protocol to cover all applicable regulations.

Data Disposal Best Practices

This one-size-fits-all mindset is especially cost-effective when it comes to the data destruction policies under the various laws and regulations.

No matter which regulation your organization follows, it’s recommended that you first create a private space within your organization to house a data and/or drive destruction machine rather than work off-site with a third party at their establishment. You should also create a limited group of personnel with the sole authorization to oversee all data security compliance processes as they pertain to the destruction of data that’s reached end-of-life.

Furthermore, when it comes to the end-of-life cycle, both data and the device in which the data is housed must be destroyed via shredding, degaussing, disintegrating, incinerating, melting, or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. It may also behoove your organization to keep a record audit of all data destruction events to prove your company’s compliance if a breach at this level does occur.

To ensure these procedures remain as cost-effective as possible, you’ll want to choose a third-party vendor like SEM that has both documentation software, like the iWitness, as well as NIST- and NSA-approved data destruction machinery to purchase and keep at your organization.

How to Effectively Maintain HIPAA Compliance in the Cloud

January 21, 2019 at 8:23 pm by Heidi White

In today’s digital age, the majority of data is stored electronically in internet-based cloud software. Whether for convenience or accessibility, or due to physical hardware storage limitations, using a cloud to store data has become a norm for businesses, organizations, and individuals alike. And while cloud systems offer security measures that physical storage systems cannot, they also come with their own set of risks and security threats.

Moreover, the size and even financial power of an organization doesn’t necessarily equate to better and more secure methods of privacy protection for data stored in its cloud. Recent data breaches at large data centers like Experian, Facebook, and Target have proven that the proper protection of private and otherwise sensitive information is paramount, especially when stored electronically.

For healthcare providers, professionals, and clearinghouses (hereafter referred to as covered entities), HIPAA has specific regulations for safeguarding Protected Health Information (PHI), especially when it comes to the disposal of such sensitive and private data.

HIPAA Regulations & Best Practices for Data Disposal

If you’re a covered entity and need to dispose of data containing PHI, you cannot simply abandon the PHI data or dispose of it using a public container like a dumpster that can be accessed by unauthorized personnel. The only time this is appropriate is if the PHI has already been rendered unreadable, indecipherable and otherwise cannot be reconstructed. In order to fully destroy this data, certain steps must be followed.

The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c).

This Rule holds especially true with the disposal of PHI and requires the covered entity to not only destroy the electronic PHI (ePHI) and the hardware or electronic media it is stored on, but to first properly dispose of the ePHI data on the media before that media is made ready for reuse.

In addition, the HIPAA Security Rule also requires the covered entity to set policies and procedures for the disposal of ePHI. As part of this mandatory safeguard process, covered entities must also train their workforce members on the disposal policies and procedures they have established, and enforce these policies. See 45 CFR 164.310(d)(2)(i).

It is up to the covered entity to determine a method of data destruction and disposal, by assessing their own potential risks to patient privacy as well as the form, type, and amount of PHI collected and stored. For instance, PHI such as name, social security number, driver’s license number, diagnosis, or treatment information are examples of sensitive information that may necessitate more care with regard to disposal. HIPAA does not require one method of data destruction and disposal over another, so long as the Security and Privacy Rules are followed.

Degaussing is a method of data disposal that completely erases the drive, rendering it unusable

In the case of ePHI, whether on hardware or in an internet cloud system, proper HIPAA disposal methods include clearing the data by using software or hardware to overwrite the media with non-sensitive information, degaussing the media and rendering the magnetic field permanently unusable, or destroying the media by shredding, melting, pulverization, disintegration, or incineration. You may also opt to maintain a secure area for PHI disposal and/or you are permitted to work with a disposal vendor like SEM to destroy the PHI on your organization’s behalf (so long as there is a written agreement or contract authorized by both parties). There are no set HIPAA rules for how employees or workforce members dispose of PHI; if you have off-site employees who use PHI or ePHI, you can require that they return all PHI to your organization for proper disposal.

Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI, and consequently, the potential for identity theft, employment discrimination or even harm to the individual’s reputation. Moreover, the covered entity can face serious penalties for noncompliance.

Penalties for Noncompliance

In tandem with the Department of Justice, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are responsible for the administration and enforcement of the HIPAA Security and Privacy Rules for the disposal of PHI.

Failure to comply with the HIPAA Security and Privacy Rules can result in an investigation and audit, and in some circumstances civil and criminal penalties. Factors such as violation date, whether the covered entity was aware of the failure to comply, or whether the failure to comply by the covered entity was willful neglect will determine the end consequence of the violation to either the Privacy or Security Rule.

If found guilty or in violation of either Rule, civil money penalties of $100 up to $50,000 per violation (and not exceeding $1,500,000 per calendar year for multiple violations) can be imposed. A civil penalty may not be imposed under certain circumstances, such as: the failure to comply was not due to willful neglect and was corrected during a 30-day period from the date in which the violation occurred; if the Department of Justice has imposed a criminal penalty; or, if the OCR chooses to reduce the penalty due to reasonable cause in the covered entity’s failure to comply, in that the penalty would be excessive given the nature and extent of the noncompliance.

In addition, criminal prosecution, in the form of a fine of $50,000 and up to one year of imprisonment, can be mandated for a person who knowingly obtains or discloses PHI and ePHI, which can occur as a result of improper disposal of the PHI. The criminal penalty increases to $100,000 and up to five years of imprisonment if the violation involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful act involves the intent to sell, transfer or use the PHI for commercial advantage, personal gain, or malicious harm.

One last note: the HIPAA Privacy Rule does not include requirements for the length of time medical data like PHI should be retained before disposal. Instead, check with your state’s laws for medical record retention rules before disposing of any data.

Talking Trash

June 13, 2018 at 4:28 pm by SEM
MGMA Connexion,  Mar 2004  by Leonard Rosen

Options for the storage and disposal of medical records

As health care organizations endeavor to comply with privacy and security standards mandated by the Health Insurance Portability and Accountability Act (HIPAA), there is growing interest in effective and efficient ways to manage protected medical records – and how to destroy them once they become obsolete.

Neither HIPAA’s privacy standards for paper documents nor its security standards for electronic records dictate specific means of compliance. However, the preamble to Section 164.530 does cite a few examples of appropriate safeguards, such as locking file cabinets that contain protected documents and shredding such documents prior to disposal. For electronic media, Section 164.310 (“Physical safeguards”) requires covered entities to address the “final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored” and to implement procedures for “removal of electronic protected health information from electronic media before the media are made available for re-use.”

Each group’s appointed privacy official must decide which procedures and equipment will best prevent unauthorized, unnecessary and inadvertent disclosure of protected information. For storage, this means locked office doors and cabinets, computer firewalls and passwords, etc. For disposal, it means destroying records. No one should be able to dig trashed records out of the dumpster and misuse them. Discarded medical information often is still confidential.

Destruction equipment abounds

The market offers a variety of record destruction equipment. Paper shredders come in all sizes, speeds, horsepowers and capacities, but there are three basic choices:
  • Personal – Desk-side shredders, available on casters for portability, can shred roughly six to 20 sheets at a time. This is convenient for offices with relatively few documents to destroy.
  • Departmental – Larger facilities with more documents to dispose of may install shredders that can handle 20-50 sheets at a time.
  • Centralized – A heavy-duty shredder can handle up to 400 sheets at a time and destroy bound reports and thick stacks of paper.

Whatever shredder models your practice selects, you will need protocols for managing shredded waste. Some companies offer regular pickup, transporting the trash to landfills or recycling facilities.

Also on the market are powerful disintegrators that use rotary-knife systems to reduce high volumes of books, binders, paper bundles and other bulk materials to tiny particles. Depending on the model, these machines even pulverize CDs, DVDs, floppy discs, microfilm, credit cards, ID badges, tape cassettes and circuit boards, slicing them into indecipherable fragments at the rate of up to two tons per hour. Other machines, designed specifically for optical media, can completely remove data-bearing surfaces from CDs and DVDs. Because they leave inner disc hubs intact, the hubs serve as proof of destruction, eliminating the need for detailed logs and witnesses where certification of destruction is required.

Old computers can tell tales

Security may become an issue when a practice donates old computers to a school or some other organization. Most people don’t know that when a digital file is “deleted,” the information actually remains on the computer’s hard drive or a formatted diskette, as do deleted e-mail messages and records of online activity. This information is recoverable with sophisticated tools. Disk-wiping software can prevent unauthorized recovery by overwriting entire drives/disks – or particular sections of them – before these magnetic media are discarded or reused. Overwritten areas should be unreadable, but look for a software brand that meets or exceeds the Department of Defense standard for permanent erasure of digital information.

When you require absolute certainty in erasing magnetic media, certain degaussers remove all recorded information in a single pass, allowing hard drives, diskettes, audio and video tapes, and four- and eight-millimeter data cartridges to be reused many times with no interference from previous use. Hand-held degaussing wands erase both floppy and hard computer disks.

For both electronic and paper records, the variety of equipment on the market today enables a medical practice to tailor record-disposal to its particular needs.
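The point made above, that a “deleted” file stays on the drive until it is overwritten, shown as an added Python example that is not part of the original article. The image file, its one-entry directory layout and the sample record are constructed for illustration and stand in for a real drive and file system.

```python
import os
import tempfile

SECTOR = 512  # toy layout (an assumption): sector 0 = directory, the rest = data

def make_image(path, name, data, start_sector, sectors=64):
    """Build a zero-filled image holding one file plus its directory entry."""
    entry = (name.encode().ljust(16, b"\0")
             + start_sector.to_bytes(4, "little") + len(data).to_bytes(4, "little"))
    with open(path, "wb") as f:
        f.write(entry.ljust(SECTOR * sectors, b"\0"))
        f.seek(start_sector * SECTOR)
        f.write(data)

def delete_file(path):
    """Ordinary delete: clear the directory entry, leave the data sectors alone."""
    with open(path, "r+b") as f:
        f.write(bytes(24))

def find_remnants(path, needle, chunk=4096):
    """Return byte offsets where needle still occurs in the raw image."""
    hits, offset, tail = [], 0, b""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            buf = tail + block            # keep an overlap so matches that
            base = offset - len(tail)     # straddle two reads are not missed
            i = buf.find(needle)
            while i != -1:
                hits.append(base + i)
                i = buf.find(needle, i + 1)
            tail = buf[-(len(needle) - 1):] if len(needle) > 1 else b""
            offset += len(block)
    return hits

def overwrite(path, fill=0x00, chunk=1 << 20):
    """Single-pass overwrite of every byte, flushed to the backing store."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for start in range(0, size, chunk):
            f.write(bytes([fill]) * min(chunk, size - start))
        f.flush()
        os.fsync(f.fileno())

def verify_overwrite(path, fill=0x00, chunk=1 << 20):
    """Read the whole image back; return the first offset that is not fill, else None."""
    offset = 0
    with open(path, "rb") as f:
        while block := f.read(chunk):
            rest = block.lstrip(bytes([fill]))
            if rest:
                return offset + len(block) - len(rest)
            offset += len(block)
    return None

def demo():
    """Delete, scan, wipe, scan again, then verify the wipe by read-back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "drive.img")
        # Constructed sample record, not real patient data.
        make_image(path, "chart.txt", b"MRN=000000;NAME=Test Patient", start_sector=9)
        delete_file(path)
        after_delete = find_remnants(path, b"MRN=000000")
        overwrite(path)
        return after_delete, find_remnants(path, b"MRN=000000"), verify_overwrite(path)
```

The read-back in `verify_overwrite` is what turns a wipe into evidence: a non-`None` result names the first byte the overwrite did not reach.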

Making Sense of HIPAA

December 21, 2010 at 11:30 am by SEM

What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act, which was enacted in 1996. It requires the Secretary of the U.S. Department of Health and Human Services to develop regulations protecting the privacy and security of certain health information.

The HIPAA law applies to anyone that has visited any health care facility, basically everyone. Before the law was enacted, the fates of our medical records were left in the hands of the health care professionals. Some disposed of them properly but some just threw them into the dumpster. As with our old credit card statements and other mail or personal information, once they are thrown in the dumpster they are community property and anyone can have access to them.


Your Health Information Is Protected By Federal Law

Most of the population believes that medical and health information is private and should be protected, and want to know who has access to this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

How Our Information Is Treated and Disposed Of

The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.

Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers.

Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.

In general, examples of proper disposal methods may include, but are not limited to:

    • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
    • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.

In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization.

NIST Guidelines

Destruction of media is the ultimate form of sanitization. After media is destroyed, it cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.

If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.

Disintegration, incineration, pulverization, and melting: these sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced metal destruction or incineration facility with the specific capabilities to perform these activities effectively, securely, and safely. End-of-life data destruction machines can also be purchased to destroy the material on site.

Shredding: paper shredders can be used to destroy paper and in some models, flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality level that the information cannot be reconstructed.

Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD), Blu-ray Discs (BDs) and magneto-optic (MO) disks, must be destroyed by pulverizing, crosscut shredding or burning. Destruction of media should be conducted only by trained and authorized personnel. Safety, hazmat, and special disposition needs should be identified and addressed prior to conducting any media destruction.

Enforcement and Penalties for Noncompliance

The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing the standards and may conduct complaint investigations and compliance reviews.

The OCR will seek the cooperation of covered entities and may provide technical assistance to help them comply voluntarily with the Privacy Rule. Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.

Civil Money Penalties

OCR may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.

Criminal Penalties

A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Privacy Rule.

Summary

HIPAA covers a broad area of responsibilities. We are all involved in this, as we all have personal records that are out of our personal control and, as such, are subject to having our personal information compromised. To understand HIPAA is to understand the relationship between the importance of our PHI and our health care providers, and to realize that somebody could potentially obtain our information if the proper safeguards are not adhered to. HIPAA sets these guidelines to protect everybody.