The “Security Rule” of HIPAA, one of 5 HIPAA “Rules,” specifically covers the security of electronically recorded information. Recently, HHS has issue guidance on complying with the requirement to perform and annually evaluate “risk assessments.” Such risk assessments are a requirement under HIPAA.
One of the areas identified as an area to be assessed is vendors or consultants that “create, receive, maintain or transmit e-PHI.”
This would obviously include any vendor who receives electronic equipment retired from any healthcare environment.
Past HHS publications have also identified paper documents generated from electronically stored information (essentially meaning all paper) as being covered under the Security Rule. Even though the issue of paper documents is not specifically addressed in this guidance, there is no reason to believe HHS changed its stance that paper documents generated from electronic sources or that the vendors who receive it should escape the scrutiny of the “risk assessment” process.
Source: Helath and Human Services