• E-mail
• Print
• RSS

How should we dispose of ePHI?

Compliance Monitor, April 14, 2006

Want to receive articles like this one in your inbox? Subscribe to Compliance Monitor!

Q: How should we dispose of ePHI?

A: According to the security rule you must establish policies and procedures that address the final disposal of ePHI and the hardware or electronic media on which it is stored. Unauthorized users can easily recover ePHI off of hard drives, CD-ROMs, and other media storage devices if you do not properly erase or destroy them. Take steps to ensure the digital bits and bytes are inaccessible before destroying, selling, or throwing them out.

Many people believe that simply deleting files or formatting drives is sufficient to keep ePHI out of the hands of criminals-this is simply not the case. You must properly sanitize any type of storage media. There are just a handful of ways to do this, including the following:

• Overwrite the disk media with multiple passes as specified in the Department of Defense 5220.22-M standard for hard drive sanitization
• Perform a hardware reinitialization of the storage space (if possible)
• Physically break, burn, or destroy the storage device

Editor's note: Kevin Beaver, CISSP, security consultant with Acworth, GA-based Principle Logic, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.

Want to receive articles like this one in your inbox? Subscribe to Compliance Monitor!

• E-mail to a Colleague
• Print
• RSS
• Archive