Ask the Expert

How to destroy data on a hard drive to comply with HIPAA regulations

For my small medical practice, how do I comply with HIPAA regulations if I want to destroy patient data that has been stored on hard drives?

Requires Free Membership to View

There are two options for the destruction of electronic data. The company can do it internally or hire someone to do it. If you are going the in-house route, necessary items will include an industrial-strength degausser or a high-end shredder. In addition, it will be necessary to document the processes and procedures of how the data was destroyed and when it was done.

Alternately, there are third-party providers that destroy hard drives as a service. In this situation, the providers become a "business associate" (which under HITECH, the recent update to HIPAA, means they need to be HIPAA compliant as well). This means the provider must sign a contract that states it will follow appropriate procedures to protect the data until it is destroyed and then follow documented processes and procedures for the destruction of the data. Finally, they must also provide you with documented proof of the destruction of the data . Generally a third-party provider is the route I recommend. It outsources some of the risk and lets the company focus on other issues.

More on this topic



This was first published in November 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: