How to destroy data on a hard drive to comply with HIPAA regulations

Looking to destroy HIPAA data on a hard drive? Learn the best way to destroy a hard drive to comply with HIPAA regulations in this expert response from David Mortman.

David Mortman, Dell

For my small medical practice, how do I comply with HIPAA regulations if I want to destroy patient data that has...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

been stored on hard drives?

There are two options for the destruction of electronic data. The company can do it internally or hire someone to do it. If you are going the in-house route, necessary items will include an industrial-strength degausser or a high-end shredder. In addition, it will be necessary to document the processes and procedures of how the data was destroyed and when it was done.

Alternately, there are third-party providers that destroy hard drives as a service. In this situation, the providers become a "business associate" (which under HITECH, the recent update to HIPAA, means they need to be HIPAA compliant as well). This means the provider must sign a contract that states it will follow appropriate procedures to protect the data until it is destroyed and then follow documented processes and procedures for the destruction of the data. Finally, they must also provide you with documented proof of the destruction of the data . Generally a third-party provider is the route I recommend. It outsources some of the risk and lets the company focus on other issues.

More on this topic

HIPAA business associate agreement (BAA)

Is destroying a decryption key a strong enough security practice?

HIPAA and HITECH compliance: Who should perform assessments?

Does ISO 27001 certification mean HIPAA and HITECH compliance?

Please create a username to comment.

Choosing between proxy vs. API CASB deployment modes

How to use the Mitre ATT&CK framework for cloud security

How to build a cloud security operations center

Network pros share Cisco DevNet certification advice

Cloud automation use cases for managing and troubleshooting

A look inside the official Cisco DEVASC 200-901 guidebook

5 ways to keep developers happy so they deliver great CX

Link software development to measured business value creation

5 digital transformation success factors for 2021

11 tips to improve Windows 10 performance

Microsoft Pluton chip will secure future Windows PCs

How does Microsoft 365 extend Windows 7 support?

A conference guide to AWS re:Invent 2020

Cognito user pools vs. identity pools -- what AWS users should know

How to containerize legacy applications in an Azure migration

Three cyber criminals arrested in Nigerian BEC investigation

Scottish government unveils strategy for digital planning

Government’s infrastructure strategy says technology is key

More on this topic

Related Resources

Dig Deeper on HIPAA

HIPAA business associate agreement (BAA)

Is destroying a decryption key a strong enough security practice?

HIPAA and HITECH compliance: Who should perform assessments?

Does ISO 27001 certification mean HIPAA and HITECH compliance?

Related Q&A from David Mortman

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.