Electronic equipment doesn’t last forever. A lifespan of 3 to 5 years is pretty average for a laptop computer. When the time comes to decommission electronic equipment, organizations are faced with the same concerns – how to do it a secure way that (1) protects confidential and other protected data, (2) doesn’t violate e-waste disposal or privacy laws, and (3) is financially affordable for the organization.
Hospitals, medical practices, clinics, and other healthcare organizations have those same concerns and face another layer of complication. Because they handle protected health information (PHI), they are subject to the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health Act (HITECH).
Under HIPAA, any patient information stored electronically on computers, servers, and storage devices is considered electronic protected health information (ePHI). This means that HIPAA-protected information could be stored on:
- printers, faxes, scanners
- computer servers
- networking equipment
- electronic data storage devices and back-ups
- desktop and laptop computers, and smartphones that have been used to access PHI
When these devices can no longer be repaired or reused, healthcare organizations must ensure that they follow the HIPAA Privacy and Security Rules as well as HITECH in how they dispose of or resell any hardware or electronic media storing ePHI.
Failure to do this can result in serious fines and sanctions and subject an organization to an investigation by the U.S. Department of Health & Human Services (HHS). In fact, in January 2021, a health insurer had to pay HHS $5.1 million to settle potential HIPAA violations.
If you are a healthcare organization, here are some steps you can take to securely dispose of your IT assets in a compliant manner:
- Develop comprehensive policy and procedures for disposal and management of IT assets containing ePHI that will comply with HIPAA requirements. Any comprehensive plan should require tracking of your IT assets so that you know where they are at all times. There are many free and affordable asset tracking software options to help you easily manage this task like Assetbots.
- Create an audit trail for the specific device(s) that you are disposing of by recording each step of the disposition process. The goal is to create a detailed chain of custody for the assets.
- Secure the IT asset that will be disposed of by tagging it with all relevant information such as make, model, serial number, date of purchase, tracking number, IP address, or other vital information. Have a trusted custodian remove it and place it in a safe area, and record the name of the custodian entrusted with this responsibility. This reduces the risk of loss or theft.
- Sanitize data in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88. Determine if you want to handle the sanitization process in-house or work with an IT Asset Disposition (ITAD) service provider like Dispoteca. If you hire an ITAD, specify whether you want data sanitization done on-site or off-site.
- Arrange secure disposal of the equipment. Require any service providers (such as an ITAD) to sign a Business Associates Agreement (BAA). HIPAA requires covered entities to have a signed BAA with any service provider that may come into contact with PHI. The purpose of a BAA is to ensure that your service provider will appropriately safeguard PHI. You can find a template for a basic BAA to use with an ITAD here. Choose an ITAD like Dispoteca that understands the ramifications of HIPAA violations and isn’t engaging in an illegal practice such as exporting hazardous waste overseas.
- Request a report detailing the assets processed (listed by hardware serial number) after the equipment is recycled or resold. Ask for a certificate of destruction to confirm sanitization was completed.
- Update your IT equipment inventory with details of the disposition, including the date and manner of disposal and any payment you received for selling or recycling the equipment. Reconcile accounting records as necessary.
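The audit-trail, tagging, sanitization and certificate steps above, as an added example that is not part of the original post or any Dispoteca tooling: a tamper-evident chain-of-custody log for one asset, which may be closed in the inventory only when every step is recorded, the chain verifies, and the sanitization method is one of the NIST SP 800-88 categories. All asset tags, names, dates and certificate IDs are constructed placeholders.

```python
import hashlib
import json

# NIST SP 800-88 sanitization categories; choosing which applies is a policy decision.
SANITIZATION_METHODS = {"clear", "purge", "destroy"}
# Steps the disposition procedure expects before an asset's record is closed.
REQUIRED_STEPS = ["tagged", "custody", "sanitized", "baa_signed",
                  "certificate_received", "inventory_updated"]
GENESIS = "0" * 64


def _digest(step, details, prev):
    """Hash of one event bound to the hash of the previous event."""
    payload = json.dumps({"step": step, "details": details, "prev": prev}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_event(log, step, **details):
    """Append a chain-of-custody event; each entry commits to its predecessor."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"step": step, "details": details, "prev": prev,
                "hash": _digest(step, details, prev)})
    return log


def verify_chain(log):
    """True only if every entry is unmodified and correctly linked in order."""
    prev = GENESIS
    for event in log:
        if event["prev"] != prev or event["hash"] != _digest(event["step"], event["details"], prev):
            return False
        prev = event["hash"]
    return True


def missing_steps(log):
    done = {event["step"] for event in log}
    return [step for step in REQUIRED_STEPS if step not in done]


def ready_to_close(log):
    """Close the disposition only with an intact chain, all steps, and an 800-88 method."""
    if not verify_chain(log) or missing_steps(log):
        return False
    sanitized = [e for e in log if e["step"] == "sanitized"]
    return all(e["details"].get("method") in SANITIZATION_METHODS for e in sanitized)


def demo_log():
    """Constructed sample record for one retired laptop (all values are placeholders)."""
    log = []
    append_event(log, "tagged", tag="HC-00417", make="ExampleCo", model="X1", serial="SN-CONSTRUCTED-001")
    append_event(log, "custody", custodian="J. Doe (placeholder)", location="secure cage A")
    append_event(log, "sanitized", method="purge", standard="NIST SP 800-88", on_site=True)
    append_event(log, "baa_signed", vendor="ITAD-PLACEHOLDER", date="2024-01-15")
    append_event(log, "certificate_received", cert_id="COD-PLACEHOLDER", serial="SN-CONSTRUCTED-001")
    append_event(log, "inventory_updated", date="2024-01-20", manner="resold", proceeds_usd=120)
    return log
```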
Most IT assets still have value at the end of their life and can be resold or recycled at no cost or at a profit to an organization. Dispoteca assists organizations of all sizes with the disposition of retired IT equipment, and will pay you for your surplus IT assets. Dispoteca offers an up-front purchase offer and can take special steps in the areas of security, legal compliance, and accountability when working with a healthcare organization.