Security Basics mailing list archives
Re: Media Controls for HIPAA
From: "Mitchell Rowton" <mrowton () bdo com>
Date: Fri, 05 Dec 2003 10:00:15 -0500
Just as HIPAA doesn't say what level of encryption is acceptable, it doesn't say what level of formatting is acceptable. You should have a procedure that outlines how you make a reasonable effort to destroy sensitive information. In this procedure you should spell out the method of destroying data (for example, write over with 1's and 0's seven times).

In my opinion, much of the HIPAA frustration comes from consultants starting rumors about "acceptable" standards which HIPAA doesn't call for (allude to or intend). HIPAA only wants you to document and follow your standards that outline making a reasonable effort and practicing due diligence to protect sensitive information. The specific definition you put in your procedure isn't quite as important, so long as it's reasonable, communicated, and followed. Again, this is all personal opinion.

Mitchell
"Sandra Weinman" <SWeinman () alegent org> 12/04/03 10:40AM >>>
In working with staff within the organization, a lot of questions have come up regarding the cleansing of hard drives prior to relocating them to another location within the same building or a different facility. We are a large healthcare system and move equipment around on a regular basis, but have a few questions. Your input would be greatly appreciated.

Electronic Media Questions:

1) Is data presumed "destroyed" on the hard drive if the device is imaged using conventional disk imaging techniques?

2) To what level of destruction is considered "destroyed"? There is definitely a vast difference between what the government considers unretrievable and what the public sector considers destroyed. And, to what expense are organizations willing to go to reach this comfort level?

Thank you,
Sandra Weinman
402-717-1090
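The overwrite-and-document procedure Mitchell describes (alternating all-zero and all-one passes, seven times, with the method written down), as an added example that is not code from either poster: it overwrites a file standing in for a drive image, reads it back to verify the final pass, and returns the record an operator would retain. The sample data, path handling and record fields are constructed for this illustration.

```python
import os
import tempfile
from typing import List

# "1's and 0's": alternate all-one and all-zero bytes across passes.
PATTERNS = [0x00, 0xFF]


def overwrite_file(path: str, passes: int = 7, chunk: int = 65536) -> dict:
    """Overwrite every byte of `path` `passes` times, then verify the last pass.

    Caveat: writing through a filesystem only reaches the blocks currently
    mapped to the file; journaling or copy-on-write filesystems, flash wear
    levelling and remapped sectors can retain older copies. The returned
    record is what a written destruction procedure would ask to be kept.
    """
    size = os.path.getsize(path)
    written: List[int] = []
    with open(path, "r+b") as fh:
        for i in range(passes):
            pattern = PATTERNS[i % len(PATTERNS)]
            block = bytes([pattern]) * chunk
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(block[:n])
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
            written.append(pattern)
        # Verification: every byte must now equal the final pass's pattern.
        fh.seek(0)
        expected = bytes([written[-1]]) * chunk
        verified, remaining = True, size
        while remaining > 0:
            n = min(chunk, remaining)
            if fh.read(n) != expected[:n]:
                verified = False
                break
            remaining -= n
    return {"path": path, "bytes": size, "passes": len(written),
            "patterns": written, "verified": verified}


def demo() -> dict:
    """Constructed sample: a temporary file stands in for the drive."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"patient record 0001 - constructed sample data\n" * 1000)
        name = tmp.name
    try:
        return overwrite_file(name, passes=7)
    finally:
        os.unlink(name)
```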
Current thread:
- Media Controls for HIPAA Sandra Weinman (Dec 04)
- <Possible follow-ups>
- Re: Media Controls for HIPAA Mitchell Rowton (Dec 05)