How to Dispose of Electronic Waste

May 04, 2011

 

Medical Office Today

By Daniel Casciato

 

Medical offices and practitioners need to be careful to properly dispose of electronic waste as a way to safeguard both the environment and their data. There are major data security implications, as their electronic devices often contain both patient healthcare records, as well as patient financial information.

"Consequently, any electronic device that may contain personally identifiable information, whether encrypted or not, must be properly destroyed," says Steve Suesens, a category manager for Staples Technology Solutions. "Failure to do so poses serious risks to patient privacy, and exposes you and your practice to liability."

Michael Profit, president of Intechra, an electronics recycling and ITAD service provider and subsidiary of Arrow Electronics Inc., agrees: "The disclosure of patient data, or the failure to comply with environmental laws and regulations, resulting from improper or the incomplete disposal of IT equipment and other electronic business tools, can create significant liabilities. The focus on data security continues to increase due to more people becoming aware of the risks of disclosing patient information as regulators are increasing related penalties."

Managing your e-waste disposal

Electronics, particularly computers, have toxic materials in them such as lead, cadmium, mercury and more.

"If not properly handled through these elements negatively impact human life and the environment," says Ed Stukane, chief marketing officer for PlanITROI, Inc., an IT asset disposition (ITAD) service provider in Danville, NJ. "By 2014, Gartner Research predicts there will be 2 billion PCs in the world. Where will they all end up?"

If being good stewards of the environment is not good enough, more stringent state environmental regulations are being passed. In fact, more than half the states now have some e-waste laws regulating disposal, Stukane notes.

"If data is released, this is a crime and the penalties are severe - money and jail time," Stukane warns. "If it's a matter of improperly dumping e-waste, there are fines. What may be worse is the negatively publicity and damage to professional reputations and brands."

Stukane recommends that medical offices have an IT asset end-of-life plan for all of their electronic equipment. "Be sure all data security has been addressed before it is released for processing," he says. "Not addressing the data issue is a HIPAA violation. If there is a larger volume of equipment, seek the services of an ITAD service provider. All the compliancy requirements will be met, reports tracking each asset by serial number will be provided and a check for the net ROI will be sent."

If you have just a few items, look into what recycling programs local cities, counties and their states offer. 

"The electronics, after all data sanitization has been completed, should move to a Responsible Recycling Standard (R2) or e-Stewards certified recycler that has met the standards for handling e-waste," Stukane recommends. "True e-waste, those electronics that cannot be restored and re-marketed, should be shredded and ground by material type. The end products are then used as raw material in new manufacturing processes - zero landfill and zero export."

Finding and evaluating a reputable service provider

Since data security is important and you don't want your electronic products ending up in a landfill, it may be best to work with a service provider to handle your e-waste disposal.

"If you can't properly dispose of the equipment yourself, then you should hire a company to take care of it," says Tom Fowler, vice president of sales for e-Waste LLC in Hudson, Ohio. "Many medical offices don't have computer managers to be able take care of this."

If you think storing the equipment somewhere on your property or even in an offsite storage facility is a viable alternative, forget that notion. "Having your equipment sitting in a closet somewhere is not the answer," Fowler contends. "If your office is broken into or an ex-employee takes the computer, that data is out there. If you plan to get rid of your equipment and replace it with a new one, you should immediately take care of the old."

As you would with any vendor, you should do your due diligence before selecting the service provider you want to work with. While price is always a consideration, if a company offers to dispose of your electronic waste at no charge, this should be an immediate red flag, warns Jim Cleveland, president and CEO of e-Waste.

"Free is not always the best answer in this business," Cleveland says. "There are a lot of companies that will want to dispose of your e-waste for free because they will get money on the scrap side. If the company strips your device for the parts they need and then throws the remaining pieces in a landfill, the EPA can track the serial number or manufacturer number back to the original owner and penalize you financially."

Suesens says to be sure to check out the references of any service provider to ensure they follow thorough and environmentally responsible practices. "Verify their liability insurance," he says. "Because of the high stakes, this is a task you want to entrust to only the most qualified and conscientious organizations."

Next, always ask for documentation on the process they will be utilizing. "It's a good idea to require a certificate of destruction," Suesens advises. "Reputable organizations will allow you to witness the destruction event, and it's a good idea to do so if possible. For compliance and audit reasons, you may want to have the organization videotape the destruction, just so you can verify completely that sensitive data was destroyed."

Suesens says it's also a good idea to look for a waste disposal vendor that can retrieve devices directly from your business, "so you don't have to spend time packing up and carting them around yourself."

Finally, make every attempt to work with a company that has a no-landfill policy, so you know the raw materials will not be going back into the earth. "After destroying the data on hard drives and putting the devices through large shredders, environmentally responsible vendors will then use different processes to pull out the plastics, metals and glass, which can be sold to brokers and recycled," Suesens adds.

Don't try this at the office


The typical pricing components for ITAD services include logistics-related expenses such as the cost to get the equipment from your office to the ITAD vendor's facility and processing fees per asset.

"In some instances, these expenses can be offset by the sale of your functioning equipment," says Intechra's Profit. "The actual costs can vary greatly depending on factors such as the number of assets in each location, the type of equipment and the remaining value of the equipment."

In all instances, Profit says that the fees paid to an ITAD vendor will be a fraction of the potential liabilities that can arise from improperly disposing of the equipment.

While some offices will attempt to take care of e-waste disposal internally, Suesens advises against that.

"This is a task you don't want to gamble with," Suesens warns. "We hear stories of organizations who take this in-house, collecting their hard drives and actually using a construction framing nailer to drive framing nails through hard drives. Even then, however, data is still not completely unrecoverable. Thus, it's important to partner with a professional from a data security and environmental perspective to ensure that data is properly destroyed and components are properly recycled."

In light of data privacy concerns, computer manufacturers are increasingly allowing customers to retain the hard drives in their machines after the machine's lease has expired.

"This lowers the risk of data loss if hard drives are in transit and not fully wiped clean by either the leasing vendor or end-user," Suesens explains. "This is an interesting trend the medical community can take advantage of to keep control of sensitive data while, at the same time, eliminating the possibility of data breaches by third parties."