Electronic PHI Disposal: 3 Essential Elements to Consider

Mar 16, 2023

If your facility handles sensitive patient information, you are required by federal law to take reasonable safeguards to protect that information from public disclosure. These measures include an understanding of how that information is stored and disposed of. Failure to adhere to such standards can result in fines and significant reputational damage while also placing your patients at risk and violating their trust.

HIPAA regulations apply to paper files as well as digital records. While they may seem overwhelming at first, there are a variety of resources available that offer comprehensive guidance on how to safely dispose of protected health information (PHI) in compliance with HIPAA regulations.

The information below will delve into some of the essential elements to consider when disposing of electronic PHI.


HIPAA rules state that any company that handles PHI must take reasonable precautions to ensure that the information is properly disposed of in a manner that protects the privacy of the patient.

The Privacy Rule

According to the Department of Health and Human Services (HHS), companies that are responsible for handling PHI have to use appropriate protection methods so that they can prevent incidental or prohibited disclosures of protected information, even when disposing of said materials.

The Security Rule

Another consideration that must be taken into account is the HIPAA security rule, which states that facilities handling PHI must implement policies to securely dispose of any sensitive electronic data relating to patent information prior to reusing the drive that information is stored on.

When determining how you are going to dispose of PHI, you need to evaluate the specifics of your facility and make the proper determination based on your specific circumstances. Obviously, tossing the hard drive in the dumpster out back is out of the question.

Disposing of Electronic PHI

If you have PHI stored on electronic media, HHS recommends using approved software or hardware solutions to wipe the drive before reusing it. These programs and devices will overwrite the sensitive files on the drive with nonsensitive files, rendering the previous metadata useless. Additionally, shredding or exposure to a robust magnetic field will do the trick.

If you have questions, there is a wealth of information available on the NIST Special Publication 800-88, Guidelines for Media Sanitization. These guidelines specifically recommend safeguarding electronic media storage devices in addition to the media itself, and they apply regardless of whether the data has already been wiped from the device, as hackers and thieves can use a variety of methods to reconstruct the data if it is not properly erased.

PHI on Computers

If you have PHI stored on a workplace computer, HHS states that you are only able to reuse or dispose of that computer if any PHI is wiped from it. Therefore, you might need to hold off on donating the computer, for instance, until you can ensure that all of its PHI has been removed.

In-House vs. Experts

Hiring a certified third-party service for disposing of protected health information (PHI) is essential for your facility’s compliance with HIPAA. The complex rules demand proper protection and disposal methods to avoid fines, reputational damage, and breaches of patient trust. Opting for experts ensures secure data destruction for electronic media and workplace computers, adhering to guidelines like NIST Special Publication 800-88.

For businesses in North and South Dakota, the experts at Secure Enterprise Asset Management (SEAM) are here to help. Whether you need secure data destruction, value recovery, or electronic recycling, our team is standing by. Contact us today for more information.

SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.

Schedule a pickup or contact us for more information.