HIPAA Data Destruction : Hardware and PHI

Whether you are just starting out or have 15 years of HIPAA-covered data on hand, every private health care practice can benefit from knowing how to properly handle and dispose of electronic patient information, especially if you are in the middle of your Windows 7 End of Life migration. A few things that everyone should know:

  1. Deleting a file from the operating system does not destroy it.
  2. Formatting a computer does not destroy the data files.
  3. Destroying files is a game of chance.

Anything that contains memory, including solid-state drives, conventional hard drives, USB drives and smartphones, presents the possibility of accidentally retaining protected health information (PHI). Few people realize the threat because what you see happening on the desktop and what actually happens on the storage device underneath are quite different. Treating a Word document like a piece of paper, in a HIPAA context, couldn’t be farther from the truth.

Here is an example of a hard drive recovery in progress. These files were gone from the operating system but not from the hard drive. A file recovery tool can scan the drive directly, looking for byte patterns that resemble the start and end of files. It then returns an index entry for each file it finds, which can be used to preview and fully restore that file. Here we can see a deleted document with someone’s email address in it.

Simply Explained: How Memory Works

Hard drives hold all the data for your computer, and that is a lot. To cope with that demand, hard drives have relied on a trick since their invention. Write speed is write speed and depends on the technology, but once you have the files, what about moving, copying, and deleting them? Logically, moving a file on the physical disk would take longer than creating it, since it requires both a read and a write. Deleting a file would normally take exactly as long as creating it, since every bit would have to be zeroed.

To solve this, hard drives simply do not move or delete file contents, ever! They maintain an index of the files: pointers that tell the disk where to find the information it needs. When you move or delete a file on your computer, you only change the index. The file itself is still there; it hasn’t moved a bit!
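The index-versus-contents distinction above, and the carving approach a recovery tool uses, can be shown with a toy disk model. This is an added example, not code from the original post; the ToyDisk class, the `<DOC>`/`</DOC>` markers and the sample e-mail address are all constructed for illustration.

```python
import re

# Toy model of a storage device (constructed for illustration, not a real file system):
# a flat byte array plus an index mapping file name -> (offset, length).
class ToyDisk:
    def __init__(self, size=4096):
        self.blocks = bytearray(size)   # the raw storage cells
        self.index = {}                 # the "pointers" the operating system consults
        self._next_free = 0

    def write(self, name, data):
        start = self._next_free
        self.blocks[start:start + len(data)] = data
        self.index[name] = (start, len(data))
        self._next_free += len(data)

    def delete(self, name):
        # What an ordinary delete does: drop the index entry and touch no data bytes.
        del self.index[name]

    def overwrite_and_delete(self, name):
        # Sanitisation: zero the bytes first, then drop the index entry.
        start, length = self.index.pop(name)
        self.blocks[start:start + length] = b"\x00" * length

def carve(disk, header, footer):
    # File carving as a recovery tool does it: ignore the index entirely and scan the
    # raw bytes for anything that looks like the start and end of a file.
    pattern = re.escape(header) + b".*?" + re.escape(footer)
    return [m.group(0) for m in re.finditer(pattern, bytes(disk.blocks), re.DOTALL)]

HEADER, FOOTER = b"<DOC>", b"</DOC>"
# Constructed sample document containing a made-up e-mail address.
SAMPLE = HEADER + b"Patient contact: jane.doe@example.com" + FOOTER

def demo():
    deleted = ToyDisk()
    deleted.write("notes.doc", SAMPLE)
    deleted.delete("notes.doc")                  # index entry gone, bytes untouched
    wiped = ToyDisk()
    wiped.write("notes.doc", SAMPLE)
    wiped.overwrite_and_delete("notes.doc")      # bytes zeroed before the entry is dropped
    return carve(deleted, HEADER, FOOTER), carve(wiped, HEADER, FOOTER)

if __name__ == "__main__":
    recovered, gone = demo()
    print("after plain delete:", recovered)   # [b'<DOC>Patient contact: jane.doe@example.com</DOC>']
    print("after overwrite:", gone)           # []
```

The plain delete leaves the document fully carvable; only overwriting the bytes (or destroying the media, as the steps below describe) removes it.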

HIPAA Data Destruction How To

  1. Secure the data device immediately, preferably in a locked box inside a locked room. Protected health information (PHI) should be rendered unusable and inaccessible.
  2. Find a Data Destruction company that will enter into a written Business Associate contract or agreement.
  3. Your Data Destruction provider should document the receipt and removal of hardware and electronic media that contains PHI. Serial numbers and device identifiers will be used to track these devices.
  4. Your office should properly inventory and document the PHI leaving its custody.
  5. The Data Destruction company will keep the hardware on secure premises, remove the device’s memory and destroy the device after 30 days. You have until then to reclaim your hardware, but the memory stays in the provider’s custody.
  6. The PHI will remain in the custody of the Data Destruction company for 90 days from first receipt. During those 90 days you may reclaim your data should the need arise.
  7. After 90 days the data will be magnetically erased and/or physically destroyed in a secure and safe environment. Your office will receive a HIPAA Data Certificate of Destruction listing the specific devices destroyed.


HIPAA has helped the industry and patient health by setting standards for the proper disposal of old data devices. It is now very easy to securely dispose of old hardware with the help of HIPAA focused Data Destruction companies.

Infinite Computing Technologies
