What is HIPAA Compliant Computer Disposal?

When an electronic device has contact with protected health information, and the device is no longer needed or is damaged, the device must be disposed of in a HIPAA compliant manner. There are certain requirements for HIPAA compliant computer disposal. These requirements are discussed below.

What is Required for HIPAA Compliant Computer Disposal?

Having policies and procedures for the disposal of protected health information (PHI) is a requirement of the HIPAA Privacy Rule as part of your obligation to prevent improper use or disclosure of PHI. As such, the first step to ensuring HIPAA compliant computer disposal is to develop policies and procedures for how your organization disposes of electronic media. 

When creating policies and procedures the Department of Health and Human Services (HHS) recommends the following:

  1. Determine and document the appropriate methods to dispose of hardware, software, and the data itself.  
  2. Ensure that ePHI is properly destroyed and cannot be recreated.  
  3. Ensure that ePHI previously stored on hardware or electronic media is securely removed. 
  4. Identify removable media and their use. 
  5. Ensure that ePHI is removed from reusable media before they are used to record new information.

Before computers, or other electronic devices, can be disposed of, healthcare organizations must ensure that all electronic protected health information (ePHI) has been removed. To ensure that your organization is aware of every device that touches ePHI, maintain an asset inventory that records what type of data is stored on each device. In addition to computers, other devices that are capable of storing ePHI include mobile devices, tablets, portable hard drives, DVDs, CDs, zip drives, and backup tapes. Other equipment that has internal hard drives may also store ePHI, including printers, photocopiers, and fax machines. All of these devices require the same methods of ePHI disposal as a computer.


NIST Guidelines for HIPAA Compliant Computer Disposal

For HIPAA compliant computer disposal, organizations must ensure that ePHI has been purged, cleared, or destroyed in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1, Guidelines for Media Sanitization.

NIST defined sanitization methods include:

Clearing. Applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).  
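As an added illustration of the Clear method (this is example code written for this page, not material from the article or from NIST), the Python below overwrites every user-addressable byte of a media image through ordinary write commands and then reads the whole image back to confirm no original data remains. It assumes a file-backed image under a path the process can write to; the sample ePHI it fills the image with is constructed. Pointed at a raw block device it would behave the same way, with root privileges, and Clear is only appropriate where the device honours rewrites, as the text above notes.

```python
import os
import tempfile

BLOCK = 1 << 20  # 1 MiB read/write granularity
# constructed sample record, not real patient data
FAKE_PHI = b"Patient: J. Doe, MRN 000000, Dx: hypertension\n" * 50_000

def media_size(f) -> int:
    # seek-to-end also works for a raw block device, where getsize() reports 0
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size

def clear_media(path: str, fill: int = 0x00) -> int:
    """NIST 'Clear': overwrite every user-addressable byte via ordinary writes."""
    chunk = bytes([fill]) * BLOCK
    with open(path, "r+b") as f:
        size, written = media_size(f), 0
        while written < size:
            n = min(BLOCK, size - written)
            f.write(chunk[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # ensure the overwrite reached the device
    return written

def verify_clear(path: str, fill: int = 0x00) -> bool:
    """Full read-back verification: True only if every byte equals `fill`."""
    expected = bytes([fill]) * BLOCK
    with open(path, "rb") as f:
        while data := f.read(BLOCK):
            if data != expected[: len(data)]:
                return False
    return True

def demo() -> tuple:
    """Write the constructed ePHI to a temp image, clear it, verify it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(FAKE_PHI)
        path = tmp.name
    try:
        before = verify_clear(path)  # False: ePHI still readable
        written = clear_media(path)
        after = verify_clear(path)   # True: every byte now equals the fill value
    finally:
        os.unlink(path)
    return before, written, after
```

A disposal record should keep the verification result alongside the asset identifier, since the overwrite alone does not prove the data is gone.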

Purging. Applies physical or logical techniques that render Target Data recove