DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Covered entities and business associates should dispose of, destroy, or sanitize PHI in a HIPAA-compliant manner. Disposal, destruction, or sanitization may be performed by the entity itself. Alternatively, the entity may hire a HIPAA-compliant business associate for these purposes.
Examples of proper disposal, destruction, or sanitization methods of PHI include, but are not limited to:
Covered entities and business associates should dispose of, destroy, or sanitize PHI in a HIPAA-compliant manner. Disposal, destruction, or sanitization may be performed by the entity itself. Alternatively, the entity may hire a HIPAA-compliant business associate for these purposes.
Examples of proper disposal, destruction, or sanitization methods of PHI include, but are not limited to:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
NIST Special Publication 800-88, Guidelines for Media Sanitization, discusses shredding of paper documents on the page marked "27." (Table A-1).
For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
Whether a given method is appropriate depends on the circumstances. For example, while degaussing is a popular and effective data removal method for hard drives that are NOT solid state drives (SSDs), degaussing does not work on solid state drives. For information on when a given disposal, destruction, or sanitization method is appropriate, please consult this publication: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article