When retired hospital equipment leaves the building, the drives inside still carry protected health information, and the vendor that takes custody of them is performing a function on the covered entity's behalf that involves that PHI. Under HIPAA that makes the vendor a business associate, and a covered entity may hand PHI to a business associate only under a Business Associate Agreement (BAA).
Health systems reliably execute BAAs with billing vendors, transcription services, and cloud providers, and then hand pallets of data-bearing equipment to a recycler on a handshake. Disclosing PHI to a business associate without a BAA is itself a HIPAA violation, before a single drive goes missing. If that recycler then mishandles a drive, the breach notification duty, the OCR investigation, and the penalties land on the covered entity; the recycler's own direct liability as a business associate does not relieve the covered entity of its.
The fix is structural: put disposal under a BAA, require NAID AAA-certified destruction with serialized certificates of destruction that list every drive by serial number against a chain-of-custody record, require the vendor to flow the same BAA terms down to any subcontractor it uses, and fold the whole engagement (destruction, recycling, and remarketing) under one agreement with one accountable vendor. Anything remarketed rather than shredded still needs verified sanitization (for example to NIST SP 800-88) before it leaves that vendor's control.
CyberCrunch packages HIPAA-compliant destruction, R2v3 recycling, and remarketing under a single BAA for health systems nationwide.