Is BitRaser HIPAA Compliant?

BitRaser is a HIPAA-compliant vendor of data erasure products that support HIPAA compliance. BitRaser products can be used to securely and permanently erase electronic protected health information (ePHI) in accordance with the standards and implementations of the HIPAA Security Rule.

What is BitRaser?

BitRaser is a suite of data erasure & diagnostics software solutions developed by Stellar Data Recovery Inc., that can be used to permanently eradicate data from electronic storage devices to make reconstruction of the data impossible, without having to destroy the drives on which data are stored. Many data erasure products delete data but do not eliminate all data traces, which can allow some data to be recovered.

Stellar Data Recovery is an Indian corporation with North American headquarters in Metuchen, New Jersey. Stellar Data Recovery provides data recovery, data erasure, mailbox conversion, and file repair software and services in more than 190 countries and has more than 3 million customers including government entities such as the U.S. Department of State, Department of Public Safety & Correctional Services, and many Fortune 500 firms including HP, Zoom, Deloitte, Merck, and BNP Paribas.

The BitRaser product suite includes several software solutions that are of benefit to HIPAA-regulated entities:

  • Drive Erasure & Diagnostics Software for erasing HDDs and SSDs in desktops, laptops, Macs, and servers.
  • Bulk Drive Erasure Software for erasing data on loose/mounted drives and PCs, Macs, and servers over networks.
  • Mobile Erasure & Diagnostics Software for erasing and diagnosing iOS & Android devices.
  • File Erasure Software for erasing files, folders, and partitions from PCs, laptops, and servers.

BitRaser products support an extensive list of 24 international data erasure standards, including NIST 800-88, DoD 3 & 7 Passes & HMG, and have been tested and approved by the U.S. Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST).

HIPAA and the Disposal of ePHI

45 CFR § 164.310 (d) of the HIPAA Security Rule requires physical safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI and includes a required implementation specification regarding the disposal of ePHI.

  • 164.310 (d)(i) – Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
  • 164.310 (d)(ii) – Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

While the HIPAA text does not specify the methods that must be used to permanently erase ePHI when it is no longer required, the HHS’ Office for Civil Rights (OCR) has issued guidance confirming several methods can be used. OCR suggests “For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).”

While HIPAA states that PHI must be securely and permanently erased or destroyed when it is no longer required, simply destroying unneeded data does not ensure HIPAA compliance. A vendor whose software performs that erasure comes into contact with ePHI; even though the software erases the data, the vendor is classified as a business associate under HIPAA, so a business associate agreement must be entered into with the vendor. HIPAA-regulated entities must also maintain an audit trail for all ePHI, which includes confirmation of permanent erasure. Before disposing of any sensitive data, it is important to confirm that data retention requirements have been satisfied, not only HIPAA retention requirements but also those of other federal and state laws.
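As an added illustration (not BitRaser's code or the article's), this Python sketch performs the "clearing" method OCR describes, overwriting a file with non-sensitive patterns and reading it back to verify, then emits an HMAC-authenticated erasure record of the kind the audit trail requires. File-level overwrite only demonstrates the concept: on SSDs, wear levelling means assurance comes from the drive's firmware sanitize or cryptographic erase commands rather than a software overwrite. The signing key, record fields and sample file are all constructed assumptions.

```python
import hashlib, hmac, json, os, tempfile, time

CERT_KEY = b"constructed-demo-key"  # constructed; a real signer keeps this in an HSM/KMS

def clear_overwrite(path, passes=(b"\x00", b"\xff", b"\x55"), chunk=1 << 20):
    """NIST SP 800-88 'clear': overwrite every byte in place with fixed patterns."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            for off in range(0, size, chunk):
                f.write(pattern * min(chunk, size - off))
            f.flush()
            os.fsync(f.fileno())  # force each pass to stable storage before the next
    return size

def verify_cleared(path, pattern=b"\x55", chunk=1 << 20):
    """Read back and confirm only the final pass pattern remains."""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            if block != pattern * len(block):
                return False
    return True

def erasure_certificate(path, byte_count, verified):
    """HMAC-authenticated erasure record for the HIPAA audit trail."""
    record = {"target": os.path.basename(path), "bytes_overwritten": byte_count,
              "method": "clear: 3-pass overwrite", "verified": verified,
              "timestamp": int(time.time())}
    body = json.dumps(record, sort_keys=True).encode()
    record["hmac_sha256"] = hmac.new(CERT_KEY, body, hashlib.sha256).hexdigest()
    return record

def certificate_is_authentic(record):
    """Recompute the tag over every other field; any edit to the record breaks it."""
    fields = {k: v for k, v in record.items() if k != "hmac_sha256"}
    body = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(CERT_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(record.get("hmac_sha256", ""), expected)

def demo_clear_file():
    """Write a constructed ePHI-like file, clear it, verify, certify, and clean up."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(b"patient_id,dob,diagnosis\n000123,1970-01-01,sample\n" * 500)
    size = clear_overwrite(path)
    cert = erasure_certificate(path, size, verify_cleared(path))
    os.remove(path)
    return size, cert
```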

Is BitRaser HIPAA Compliant?

Many companies claim to provide HIPAA-compliant software solutions and services; however, the reality is that a product or service may only support HIPAA compliance. A vendor can implement all the required safeguards to meet its responsibilities under the HIPAA Rules, but it is the responsibility of each HIPAA-covered entity to ensure that the product or service is used in a HIPAA-compliant way.

BitRaser software is clearly beneficial for HIPAA-regulated entities, which are required to ensure that protected health information is permanently destroyed when it is no longer required. BitRaser has implemented all appropriate privacy and security controls to ensure compliance with the HIPAA Security Rule and will enter into business associate agreements with HIPAA-regulated entities. BitRaser software solutions also generate secure and 100% tamperproof erasure certificates to meet HIPAA documentation requirements.

Additionally, BitRaser has partnered with Compliancy Group and used the company’s compliance software and methodology to achieve full compliance with all appropriate provisions of the HIPAA Rules and to put an effective HIPAA compliance program in place to maintain that compliance going forward. The company’s products have also been tested and approved by NIST and the DHS.

We can therefore conclude that BitRaser is HIPAA compliant and its products can be used by HIPAA-regulated entities to permanently and securely erase data protected under HIPAA. Provided HIPAA-regulated entities enter into a business associate agreement with BitRaser, the company’s data erasure and drive wiping solutions can be considered HIPAA compliant and can help HIPAA-regulated entities comply with their responsibilities under the HIPAA Privacy and Security Rules with respect to the disposal of ePHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com