Health Insurance Portability and Accountability Act (HIPAA) regulations are extremely strict since they govern your most personal health care data. Violations of these laws have serious, and often expensive, repercussions making HIPAA compliance a top priority for any business or medical practice that falls under its jurisdiction. This can become a bit of a headache with the variety of media on which that data can now find itself stored, but there are compliant solutions available.
Are Hard Drives HIPAA Compliant?
The HIPAA Security Rule governs digital media, and it clearly delineates devices that public health information is not to be stored on. That list includes "laptops, USB flash drives, external hard drives, or mobile devices", unless the information is under strong encryption or is anonymized.
It is, of course, recommended in the strongest terms that any drives or devices holding sensitive data of any variety should have the strongest encryption possible.
Do Companies Destroy Old Hard Drives?
Many do destroy old hard drives, but fewer do than should. Proper hard drive destruction requires a specialized shredder to do so. Many companies – especially smaller ones with slender budgets – simply cannot afford the equipment to do it properly themselves, unless they outsource it.
Does Destroying a Hard Drive Remove All Data?
It depends on how the drive is destroyed and the type of hard drive. Simply smashing a drive is not enough to ensure that data can't be rescued.
Contemporary forensics can glean astounding amounts of information from relatively small physical pieces. This is why shredding devices (like the ones we use at Storage Quarters) are needed. Operating like a woodchipper designed specifically for tech, they rip the hard drive into thousands of tiny pieces – none large enough to hold significant data.
That level of thoroughness is especially important for SSDs. Because SSDs use flash memory chips instead of the spinning disk HDDs use, they're generally more durable to damage from shocks, drops, vibration, magnetic fields, and extreme temperatures – as well as casual hard drive destruction methods. That makes them more reliable than HDDs for general use and makes thorough drive destruction even more important to ensure no data can be retrieved.
As a side note: while SSDs are generally more durable than HDDs, they're not necessarily dependable for long-term storage because the cells can degrade over time or become less reliable. So, for HIPAA compliance, total drive destruction is essential for SSDs – but perhaps consider other options if long-term data storage is crucial.
What Are the Destruction Requirements for HIPAA?
HIPAA's hard drive destruction standards are understandably stringent. As is usually the case with sensitive materials, documenting the data's chain of custody is vital. As long as health data is on the device, this custody must be maintained. Sending such devices off-site disrupts this chain of custody.
If the drive in question is to be reused internally by the organization, destruction is not necessary. In all other instances, HIPAA dictates the drive be destroyed. As a vital part of the chain of custody (and preventing potential litigation), the destruction must be documented for auditors with a Certificate of Destruction, such as Storage Quarters provides.
Storage Quarters, Solutions for Your Most Sensitive Data
At Storage Quarters, our specialists in charge of handling medical records are fully trained in HIPAA-compliant procedures and best practices and bring more than 35 years of experience to the table. We provide certified hard drive destruction with fully compliant chain of custody documentation including Certificate of Destruction. Contact Storage Quarters today and let us put nearly four decades of information management experience at your service!