Word is getting out about HIPAA to IT providers, but most are confused as to how to handle it. Case in point — we got a call today from an IT provider working with a dental vendor that had to remove a computer containing unencrypted PHI as part of the job. While talking with the contractor, they acknowledged this applied to them and they wanted to make sure they didn’t leave with data on the hard drive.
The problem? They didn’t know the proper way to sanitize a hard drive.
This is common, unfortunately. Now I know that not everyone can be HIPAA experts like ACS (ahem, yep we are awesome), but media sanitization has been documented by NIST and publicly available since 2010. It’s hard for me to believe that IT providers don’t want to embrace this, when it’s really not rocket science. Instead, I believe that IT providers are paralyzed, much like dentists and small private practitioners when it comes to HIPAA. It is like a 300b gorilla when you first start, but once you get your feet wet, it really isn’t that intimidating.
If your IT can’t or won’t do security in line with what HIPAA requires and expects, it’s time to look for someone who can.