I’d like to add one more wake-up call for small and medium-sized organizations: allowing computer hard drives to leave your custody – usually during the decommissioning or recycling process – without physically destroying them first could be considered a data breach.
HIPAA regulations require “reasonable and appropriate” data destruction. Now that onsite hard drive shredding services are easily accessible, is it “reasonable” to allow an outside vendor to remove, erase and sell the organization’s old hard drives?
Is the organization giving the electronic recycler “implied” authorization to access information? Without a written contract, does the electronic recycler have any legal obligation to the organization? What if a patient found out that the organization sold the hard drives to the electronic recycler?
http://www.healthcareinfosecurity.com/clinic-hit-150000-hipaa-penalty-a-6321
Protect your organization and yourself: hire a NAID Certified data destruction vendor to shred old computer hard drives at your location, before they leave your custody.