The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is enforced by the Office for Civil Rights (OCR), part of the US Department of Health & Human Services. From a data-sanitization standpoint it is the US regulation that mandates security controls, including the removal of data from storage media, for the health care industry.
Non-compliance carries significant penalties. Under HIPAA's criminal provisions, a non-compliant organization may be fined up to $250,000 and responsible individuals may be imprisoned for up to 10 years.
Blancco provides products that help organizations comply with HIPAA. The parts of the regulation that Blancco erasure software addresses are those dealing with the removal of electronic protected health information (ePHI) from media and the auditing of that removal. Specifically, the following section of 45 CFR Part 164 (the HIPAA Security Rule) defines the data erasure requirement:
§ 164.310 Physical safeguards.
(d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
(2) Implementation specifications:
(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
The disposal and media re-use specifications of this standard, §164.310(d)(2)(i) and (ii), can be met by running Blancco software on all media that contain ePHI before the media are disposed of or made available for re-use. In addition, the reporting and auditing features of Blancco products produce an erasure record for each device, which supports the accountability specification in §164.310(d)(2)(iii). Note that "Addressable" does not mean optional: under §164.306(d)(3) a covered entity must either implement an addressable specification or document why it is not reasonable and appropriate and implement an equivalent alternative measure.
Blancco software can also be used to meet the data erasure requirements defined in the following mandates:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
- Payment Card Industry Data Security Standard (PCI DSS)
- EU Data Protection Directive of 1995 (Directive 95/46/EC)
- Sarbanes-Oxley Act (SOX)
- Gramm-Leach-Bliley Act (GLBA)
- California Senate Bill 1386
Links for further reading: