HIPAA Media Disposal: Hard Drive Destruction

What is HIPAA compliant hard drive destruction? The HIPAA Privacy and Security Rules require covered entities to implement “reasonable” safeguards to protect against the disclosure of EPHI. When disposing of digital media containing EPHI, such as destroying computer hard drives, organizations must follow certain rules. We’ve summarized these rules and regulations to make it easier for you to comply with HIPAA when embarking on a data destruction project. For HIPAA Media Control Guidelines.

E-Waste Security has created a comprehensive digital media destruction process to help you securely dispose of EPHI and computer hard drives and backup tapes – for HIPAA compliance. We provide our services in Los Angeles, Orange County and San Jose.

Summary of Computer Hard Drive Disposal Guidelines

1. Demand onsite data destruction – witness the EPHI data destruction
2. Demand physical destruction – shredding is more “reasonable” than erasing
3. Require a Certificate of Destruction – with serial number report
4. Hire a NAID Certified data destruction company – fulfills due diligence requirement

HIPAA Compliant EPHI Data Destruction

Covered entities must implement “reasonable” safeguards under HIPAA regulations to limit the disclosure of EPHI. The term “reasonable” is ambiguous, so organizations and covered entities should err on the safe side for data destruction. For example, if physical hard drive shredding is available, erasing hard drives may no longer seem “reasonable” under HIPAA regulations.

Drilling a hole in a computer hard drive is not an acceptable, efficient or secure way of destroying data.

Failing to implement “reasonable” safeguards in connection with EPHI could result in impermissible disclosure. The following is a summary of HIPAA data disposal requirements under the HIPAA Media Disposal Policy, Device and Media Controls 164.310(d)(1) and Disposal 164.310(d)(2)(i):

  • EPHI and electronic media such as computer hard drives should be rendered unusable and/or the data should be inaccessible
  • All digital media coming into or leaving the custody of the covered entity should be properly inventoried and reported
  • If hiring a business associate to perform data destruction services, the covered entity must enter into a written contract or agreement
  • EPHI should remain in the custody of or supervised by an authorized employee

Summary: HIPAA Requirements for Electronic Media Disposal

  1. Electronic media that contains EPHI should be rendered “unusable and/or inaccessible”
  2. One method is to “physically damage it [hard drive] beyond repair, making the data inaccessible”
  3. Document the “receipt and removal of hardware and electronic media that contains EPHI”

The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI.

If you need onsite hard drive destruction to comply with HIPAA regulations, please call our Irvine, CA office at 949-514-8090 or Los Angeles at 323-677-2502.

2372 Morse Ave #339
Irvine, CA 92614
5404 Wilshire Blvd.
Los Angeles, CA 90036