HIPAA compliance for NAID destruction services
October 17, 2013
In my last blog, I wrote about the strong-arm tactics being used by some HIPAA compliance consultants to coerce destruction providers into using their services. In this follow up, I offer my perspective on what compliance with the new HIPAA actually looks like.
I say “my perspective” because no one knows exactly how the U.S. Department of Health and Human Services (HHS) or their contracted auditors will determine what compliance for the new HIPAA requirements will look like. This uncertainty exists across the board but is particularly acute when you consider that secure destruction services have so few points of overlap. When your only job is to get the material from the customer to the mouth of a destruction unit (or connection to sanitization software), the overlap is relatively small.
For instance, the risk assessment required under the Security Rule actually only applies to electronic protected health information (ePHI), so if you are only destroying paper, it arguably would not apply at all. (Note: I would not advise anyone to rely on this technicality. If you had a data breach or HIPAA violation and did not do a risk assessment, though it may not be technically a requirement, as a business associate it would be hard to defend why you did not assess your organization’s security vulnerabilities.
I also want to reiterate a point I made in the last blog. HIPAA compliance does not require or necessitate the use of a third party to conduct a risk assessment, write policies or train employees. It is not necessarily a bad idea but it is not required and, in the case of secure destruction services, not critical. It is perfectly acceptable, in theory, to do them internally or rely on a set of self-assessment tools. Some of those tools are even provided by HHS.
Before I can talk about compliance for secure destruction services, I need to highlight the points of overlap. As I said, compared to a covered entity or any other type of business associate, the compliance overlap with HIPAA is nominal. Here are the overlap areas:
- Risk assessment (with both the process and result documented)
- Employee screening
- Employee training, which is documented and based on HIPAA-relevant written security policies and procedures that include the appropriate whistle blower, breach reporting, and a specified breach incident recording and remediation process
- An incident report log
- Business associate agreements with any downstream subcontractors used to process PHI
If a data destruction service provider can check off these items, they should be, in theory, safe. Only time and actual audit results will determine if this is true. For now, this is my best guess.
Over the coming weeks, NAID will be some adding some features to NAID Certification that should cover all these bases. The goal is to have them in place by the end of the year. To be clear, of these few changes to the program, most are subtle and will not affect the actual certification specifications themselves. As for enforcement of the new HIPAA rule, it is a waiting game to see how HHS and its auditors will interpret the definition of compliance.