Security Basics mailing list archives

Re: Media Controls for HIPAA
From: "Mitchell Rowton" <mrowton () bdo com>
Date: Fri, 05 Dec 2003 10:00:15 -0500

Just as HIPAA doesn't say what level of encryption is acceptable it
doesn't say what level of formatting is acceptable.  You should have a
procedure that outlines how you make a reasonable effort to destroy
sensitive information.  In this procedure you should spell out the
method of destroying data (for example, write over with 1's and 0's
seven times).

In my opinion, much of the HIPAA frustration comes from consultants
starting rumors about "acceptable" standards which HIPAA doesn't call
for (allude to or intend to).

HIPAA only wants you to document and follow your standards that outline
making a reasonable effort and practicing due diligence to protect
sensitive information.  The specific definition you put in your
procedure isn't quite as important, so long as it's reasonable,
communicated, and followed.  Again, this is all personal opinion.


"Sandra Weinman" <SWeinman () alegent org> 12/04/03 10:40AM >>>
In working with staff within the organization a lot of questions have
come up regarding the cleansing of hard drives prior to re-locating to
another location within the same building or a different facility.  We
are a large healthcare system and move equipment around on a regular
basis but have a few questions.  Your input would be greatly

Electronic Media Questions:
1). Is data presumed "destroyed" on the hard drive if the device is
imaged using conventional disk imaging techniques?

2). To what level of destruction is considered "destroyed"?  There is
definitely a vast difference between what the government considers
unretrievable and what the public sector considers destroyed.  And, to
what expense are organizations willing to go to reach this comfort

Sandra Weinman



