This entry is part 37 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

Tell Me More:

The Disposal implementation specification requires covered entities and business associates to implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which the health information is stored. The Device and Media Controls standard must be met, and it applies only to media and devices that contain electronic PHI; however, implementing every specification of the standard may not be necessary in every situation. For example, small providers are unlikely to be involved in large-scale moves of equipment that would require systematic tracking, unlike large health care providers or health plans.

Each covered entity must ensure that electronic media are disposed of appropriately. Organizations should catalog all of the locations in which ePHI is retained. This includes all devices – workstations, laptops, PDAs, cell phones, medical devices, etc. – and all media – diskettes, CDs, DVDs, etc. All of the ePHI on all of these devices and media must be destroyed when they are no longer needed.

Industry best practices for disposal include:

  • Degaussing magnetic devices to erase information;
  • Overwriting data with random bits and bytes for multiple iterations (based on data sensitivity); and
  • Destroying the most sensitive components through melting, chemical treatment, or grinding.


Questions to consider:

  • Have you identified the locations of all ePHI maintained by the covered entity, including temporary locations, e.g., a server through which ePHI passes? You should inventory the locations of ePHI.
  • Do you have methods for destroying the ePHI in each of these locations? You may need a different approach or methodology for each type of media and each type of device. Keep in mind that simple solutions may work just fine, e.g., scratching a diskette with a nail and snapping it in half. Also keep in mind that simply deleting a file does not destroy the information.
  • Have you verified that your methodology works and that the ePHI is not recoverable? Double check that the ePHI is actually destroyed.
  • If commercial software is being used to degauss (erase) ePHI, has the software been “certified” by a recognized authority in the destruction of electronic data?
  • If workforce members are allowed to process ePHI on personally owned computers, have they been trained on how to properly dispose of ePHI? This may be a particular problem for some covered entities.
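The overwrite-and-verify steps above (several random passes, then confirming that the ePHI is not recoverable) as an added illustration that is not part of the original article or of any vendor tool; it assumes a disk image or raw block device as input, and the patient record it plants is constructed sample data.

```python
# Added example, not from the article: overwrite a media image and verify.
import os
import secrets
import tempfile

CHUNK = 64 * 1024

def overwrite_media(path, passes=3):
    """Overwrite every byte of the image/raw device at `path` in place (random
    passes, then zeros so read-back checking is simple). Reaches only addressable
    sectors: flash spare blocks, journals and snapshots may still hold copies."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        for p in range(passes):
            f.seek(0)
            for off in range(0, size, CHUNK):
                n = min(CHUNK, size - off)
                f.write(bytes(n) if p == passes - 1 else secrets.token_bytes(n))
            f.flush()
            os.fsync(f.fileno())

def find_marker(path, marker):
    """Offset of first `marker` or -1; chunks overlap so boundary hits count."""
    keep, tail, base = len(marker) - 1, b"", 0
    with open(path, "rb") as f:
        while data := f.read(CHUNK):
            buf = tail + data
            if (i := buf.find(marker)) != -1:
                return base - len(tail) + i
            tail = buf[-keep:] if keep else b""
            base += len(data)
    return -1

def verify_zeroed(path):
    """Full read-back (not a sample): every byte must now be zero."""
    with open(path, "rb") as f:
        while data := f.read(CHUNK):
            if data != bytes(len(data)):
                return False
    return True

def demo(passes=3):
    record = b"PATIENT: Jane Doe; MRN 0000001; DX: sample only"  # constructed
    with tempfile.NamedTemporaryFile(delete=False) as f:  # throwaway image
        f.write(secrets.token_bytes(200_000) + record + secrets.token_bytes(50_000))
    path = f.name
    before = find_marker(path, record)  # still there: deleting never wiped it
    overwrite_media(path, passes)
    after, zeroed = find_marker(path, record), verify_zeroed(path)
    os.remove(path)
    return before, after, zeroed
```

Physical destruction remains the right choice for the most sensitive media, and for SSDs the device's own secure-erase command should be preferred over host-side overwriting.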



Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.