HIPAA compliant


Joe Nelson

Jan 17, 2018, 3:49:26 PM
to refurbishers
Hey Gang, is there a simple way to determine what qualifies for HIPAA compliance when it comes to wiping hard drives?

Thanks in advance


Joe Nelson
eWaste Direct, Inc.



mi...@ereuseservices.com

Jan 17, 2018, 4:22:13 PM
to refurbishers
Hi Joe,

Fortunately, HIPAA does not require any specific algorithm or pattern, but rather defers to NIST SP 800-88, which only requires a single pass (true-random or pseudo-random). That said, I’ve seen a higher concentration of healthcare organizations with internal policy that dictates 3 or even 7 pass processes than any other vertical market, as arbitrary as it seems. Regardless, I’ve worked with many organizations that fall under HIPAA who determined that a single pass “NIST” wipe is sufficient for compliance, and have yet to encounter any interpretation of HIPAA that suggests otherwise.

I hope this helps.

-Mike C.
E-Reuse Services, Inc.

Joe Nelson

Jan 17, 2018, 4:52:55 PM
to refurbishers
Thanks Mike. And as long as we have single chain custody from the customer to our facility, that should be within the compliance too?



Joe Nelson
eWaste Direct, Inc.

Michael Cheslock

Jan 17, 2018, 5:13:21 PM
to refurb...@googlegroups.com
Hi Joe,

That is my understanding, yes; however, I am less familiar with any HIPAA chain of custody provision(s), and cannot confirm whether they dictate anything superfluous.

Best,
Mike C.


Mike Cheslock
E-Reuse Services, Inc.

Bob Johnson

Jan 17, 2018, 6:39:42 PM
to refurb...@googlegroups.com
Hi Joe,
Technically speaking, HIPAA is completely silent on data destruction per se. When pressed, Health and Human Services separately has referenced NIST 800-88 as a possible source of guidance, but under the Privacy Rule, the only obligation is to "prevent unauthorized access to Protected Health Information (PHI)." Service providers will want to pay as much attention to their internal employee training and written policies and procedures, especially as they relate to breach notification and incident reporting/remediation. Those are actually more important with regard to compliance than the type of overwriting process that's used (as long as that wiping process is effective).
Bob Johnson, NAID


Joe Nelson

Jan 17, 2018, 6:49:26 PM
to refurbishers
Thanks Bob

Joe Nelson
eWaste Direct, Inc.