ITAD for the Healthcare Industry

Healthcare Industry

Healthcare institutions collect vast amounts of personal data from patients, including medical histories, social security numbers, and credit card information. This information is stored on computers, servers, and other electronic devices, which are vulnerable to cyberattacks and data leaks, even after they have been decommissioned and discarded. This means that a data-bearing device could potentially fall into the wrong hands and compromise confidential information. 

To ensure responsible handling of electronic personal health information (e-PHI), there are various laws and regulations in place. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most relevant regulation when it comes to ensuring data security for end-of-life devices handled by ITAD firms. HIPAA-compliant healthcare providers must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit. They must also identify and protect against reasonably anticipated, impermissible uses or disclosures of e-PHI. In addition, HIPAA stipulates that healthcare providers must perform risk assessments and implement required administrative, physical, and technical safeguards in the handling of e-PHI. Non-compliance can result in costly penalties ranging from $100 to $50,000 per violation. The loss of a laptop containing records of 500 individuals may constitute 500 violations, and violations may also carry criminal charges that can result in jail time. 

The healthcare field is subject to an exceptional level of data security threats that must be navigated on a daily basis. To manage these risks, here are some recommendations for finding and sourcing an ITAD company to handle your retired hardware. 

The Business Associate Agreement: 

  • Healthcare organizations are required to have a current HIPAA business associate agreement (BAA) in place with each of their partners, including their ITAD partner. 
  • The BAA legally binds the ITAD partner to destroy all handled e-PHI, safeguard data from misuse, and help maintain HIPAA compliance. 
  • Healthcare organizations working with an ITAD partner without a BAA will be found non-compliant in an Office of Civil Rights (OCR) audit and could be punished. 
  • Healthcare organizations must also review and update their ITAD partner’s security policy, which should cover all data storage devices likely to contain PHI. 

ITAD Partner Certifications and Standards: 

The following certifications and standards can help pick the right ITAD partner: 

  • e-Stewards or R2 certified electronics recyclers have demonstrated through audits and other means that they continually meet specific high environmental standards and safely manage used electronics. 
  • ISO 9001 addresses the fundamentals of quality management systems based on seven quality management principles. 
  • ISO 14001 is related to environmental management and helps organizations minimize their negative impact on the environment. 
  • ISO 27001 requires a company to implement and maintain an Information Security Management System (ISMS) to protect sensitive information. 
  • OHSAS 18001 helps organizations monitor and improve occupational health and safety performance. 
  • NIST 800-88 provides guidance to assist organizations in making sanitization decisions to ensure the confidentiality of their information. 

Chain-of-Custody and Certificate of Destruction: 

  • ITAD partners must maintain fully documented chain-of-custody for all handled data-bearing devices, including custody transfers to subcontractors all the way down the supply chain until the electronic equipment has been destroyed or wiped and is no longer considered e-PHI. 
  • ITAD partners must also provide certificates of destruction (container device serial numbers) for each data-bearing device that the company destroys or data wipes. 
  • Both chain-of-custody and certificates of destruction must be available for review by the healthcare organization at short notice. 
  • The ideal ITAD partner would make this information available in real-time for complete transparency between the healthcare organization and the ITAD partner. 


  • Healthcare organizations should consider an ITAD partner that uses tamper-proof, secure containers made of metal with a locking mechanism. 
  • Logistics is considered a high-risk area for ITAD and should be thoroughly thought out and agreed upon by the healthcare organization and the ITAD partner. 
  • Logistics services to consider include company-employed drivers, tamper-proof, bar-coded seals on containers and trailers, GPS tracking units on containers and trailers, and in some circumstances, security teams that travel with the transport. 
  • It is highly recommended NOT to use a logistics company that will off-load assets at a hub and either leave them overnight or cross-dock the containers as this delays asset processing and gives access to those assets to other parties at that hub. 

In conclusion, healthcare institutions are responsible for managing vast amounts of sensitive personal data on a daily basis, making them particularly vulnerable to cyberattacks and data leaks. However, there are laws and regulations in place, such as HIPAA, to ensure responsible handling of electronic personal health information (e-PHI). To manage the risks involved, it is essential to work with IT Asset Disposition (ITAD) partners who understand the importance of confidentiality and data security. Recommendations include having a current HIPAA business associate agreement (BAA) in place, partnering with ITAD firms that meet specific certifications and standards, maintaining a fully documented chain-of-custody, and ensuring secure logistics. By following these recommendations, along with getting hipaa compliant storage for your data, healthcare institutions can effectively manage their risks and safeguard their patients’ confidential information. Find out more at

Leave a Reply

Your email address will not be published. Required fields are marked *