HIPAA Compliant Hard Drive Destruction

HIPAA Security Rule Requirements

Free HIPAA Quote

Methods and Processes for ePHI Data Destruction

The HIPAA Security Rule is the established authority for the destruction of ePHI on hard drives and other digital media.  This rule describes best practices for healthcare organizations when disposing of ePHI and digital media such as computer hard drives.

HIPAA data destruction compliance can be broken down into planning, due diligence, destruction method and documention.  HITECH has greatly strengthed the enforcement of HIPAA rules.

data destruction for HIPAA Compliance

Acceptable Methods for Destroying PHI and ePHI



Prepare an inventory of all digital media in your possession.  This report, combined with a Certificate of Destruction will be critical for any audit.


Vendor Due Diligence / Employee Training

The HIPAA Security Rule requires healthcare organizations perform due-diligence when hiring a Business Associate.  This requirement can be met by doing your own research and vetting or by using a vendor that is certified by a recognized authority.

If you decide to complete the destruction project internally, all employees involved must be properly trained.  Proof of training will be required during an audit.


Physical Destruction or Erase Decision

According to NIST 800-88, hard drives no longer being used inside your organization  should be physically destroyed.  Erasing is acceptable only if they will be reused inside the organization.  Physically destroying digital media is the ultimate proof  of data destruction.

Certificate of Data Destruction

Chain-of-Custody & Witnessed Destruction

Maintain a secure Chain-of-Custody.  ePHI should remain in your custody up until the digital media is destroyed.  Sending hard drives out for destruction may be considered a data breach.


Certificate of Destruction

Proper documentation is a requirement under the HIPAA Security Rule.  All digital media leaving the organization needs to be inventoried and recorded to establish a proper chain-of-custody.  A Certificate of Destruction is the standard document required by auditors to establish the who, when and where hard drives and ePHI were destroyed.

department of Health and Human Services

“For practical information on how to handle the disposal of computers and digital media containing ePHI – consult NIST 800-88, Guidelines for Media Sanitization” –

Department of Health and Human Services.

HIPAA Security Rule & ePHI Data Destruction Summary

Covered entities must implement “reasonable” safeguards under HIPAA regulations to limit the disclosure of EPHI. The term “reasonable” is ambiguous, and covered entities should error on safe side for data destruction. For example, if physical hard drive shredding is available, erasing hard drives may no longer seem “reasonable” under HIPAA regulations. Also, if on-site data destruction is available, allowing a vendor remove PHI for off-site destruction may no longer be in compliance with HIPAA.

Full detail can be found within NIST 800-66 “Guide for Implementing HIPAA Security Rule”.


HIPAA Hard Drive Destruction in California

E-Waste Security is proud to offer on-site HIPAA compliant hard drive destruction services in San Diego, San Jose, Los Angeles, Orange County and surrounding areas.


HIPAA Compilant ePHI Data Destruction Service