AAISM · Question #202
How can an organization best remain compliant when decommissioning an AI system that recorded patient data?
The correct answer is D. Ensure a certificate of destruction is received and archived. Patient data is governed by strict regulations (e.g., HIPAA in the US, GDPR in the EU) that require verifiable proof of proper data destruction upon decommissioning. A certificate of destruction provides an auditable, legal record demonstrating that data was destroyed in complian
Question
How can an organization best remain compliant when decommissioning an AI system that recorded patient data?
Options
- APerform a post-destruction risk assessment
- BEnsure backups are tested and access controls are audited
- CUpdate governance policies based on lessons learned
- DEnsure a certificate of destruction is received and archived
How the community answered
(45 responses)- A13% (6)
- B4% (2)
- C9% (4)
- D73% (33)
Explanation
Patient data is governed by strict regulations (e.g., HIPAA in the US, GDPR in the EU) that require verifiable proof of proper data destruction upon decommissioning. A certificate of destruction provides an auditable, legal record demonstrating that data was destroyed in compliance with regulatory requirements - this is the definitive compliance artifact. A post-destruction risk assessment (A) comes too late to guide compliant destruction. Backup testing and access control audits (B) are operational controls, not decommissioning compliance. Updating governance policies (C) is a lesson-learned activity, not a compliance requirement for the decommissioning event itself.
Topics
Community Discussion
No community discussion yet for this question.