How to dispose of storage devices containing PHI and other sensitive data

August 23, 2018 Laura Hale Brockway

Improper disposal of electronic devices and media puts the information stored on those devices at risk of a breach. And when devices contain protected health information (PHI), it puts your patients' data at risk.

What can you do to protect PHI when you want to dispose of equipment such as desktops, laptops, tablets, copiers, servers, smartphones, hard drives, and USB drives? The Office for Civil Rights and the National Institute of Standards and Technology offer the following guidance. (1, 2)  

Paper
Destroy paper using cross-cut shredders that produce particles that are 1 x 5 millimeters in size, or pulverize/disintegrate paper materials using disintegrator devices equipped with a 3/32-inch security screen.

Microforms
Destroy microforms (microfilm, microfiche, or other reduced image photo negatives) by burning. When material is burned, residue must be reduced to white ash.

Cell phones, personal digital assistants, and other hand-held devices
Shred, disintegrate, pulverize, or burn devices in a licensed incinerator.

Routers, copy machines, fax machines
Shred, disintegrate, pulverize, or burn devices in a licensed incinerator.

ATA hard drives, SCSI drives, flash drives, and USBs
Shred, disintegrate, pulverize, or burn devices in a licensed incinerator.

Floppy disks, zip disks
Shred, disintegrate, pulverize, or burn devices in a licensed incinerator.

CDs, DVDs
Destroy using one of the following methods, listed in order of recommendation:

  • Remove the information-bearing layers of disc media using a commercial optical disk grinding device.
  • Incinerate optical disk media (reduce to ash) using a licensed facility.
  • Use optical disk media shredders or disintegrator devices.

 

Sources
1. Office for Civil Rights. Guidance on disposing of electronic devices and media. July 2018 OCR Cybersecurity Newsletter. Available at https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-july-2018-Disposal.pdf . Accessed August 23, 2018.

2. National Institute of Standards and Technology. Guidelines for media sanitization. September 2006. Available at https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=50819 . Accessed August 23, 2018.

About the Author

Laura Hale Brockway is the Assistant Vice President of Marketing at TMLT. She has more than 20 years of marketing and management experience, and has worked for Seton Healthcare Family and the Texas Academy of Family Physicians. Laura holds an Editor in Life Science (ELS) certification from the Board of Editors in the Life Sciences.
