The U.S. Department of Health and Human Services Office for Civil Rights has guidance on disposing of electronic devices. Employers should make sure they properly dispose of desktops, laptops, copiers, servers, smart phones, hard drives, etc. (“electronic devices”) so that sensitive information on those devices does not cause a data breach.
Electronic devices that need to be replaced should be decommissioned and disposed of securely.
Decommissioning involves taking the hardware out of service. This includes the following steps:
- Ensuring devices are securely erased and then either securely destroyed or recycled;
- Ensuring that inventories are updated to reflect the current status of the device
- Ensuring that data privacy is protected by proper migration to another system or total destruction of the data.
For electronic devices with protected health information under HIPAA, proper disposal is when the media on which the PHI is stored or recorded has been destroyed in one of the following ways
- Paper, film or other hard copy media is shredded or destroyed such that the PHI cannot be read or reconstructed (redaction is not data destruction);
- Electronic media is cleared, purged or destroyed consistent with NIST requirements.
