How to Dispose of Electronic Devices if You Are Dealing With Electronic Protected Health Information

People get rid of electronic devices all the time. There’s always a newer, stronger, more sophisticated version of your laptop, smartphone, or tablet. If you’re dealing with PHI (protected health information), however, you must ensure that each and every electronic device that stores sensitive information is accounted for and disposed of properly.

It sounds easy enough, but it’s important to consider all the aspects of proper electronic device disposal. If you get rid of a device that still has sensitive information stored on it, that information could be the source of a breach and you could be fined, putting your reputation at risk. Health and Human Services Office for Civil Rights devoted their July 2018 newsletter to disposing of electronic devices. This week, our blog summarizes their helpful advice. We will guide you through the process of proper devices disposal for both rented and owned equipment.

Devices That Could Cause a Breach

First, let’s review the types of electronic devices you may have in your office that could cause a breach. Laptops, desktops, smartphones, printers, copiers, USB (thumb) drives, and servers are the most likely culprits. HIPAA law requires you to document your organization’s disposal policy in your Security Policies and Procedures. List each type of electronic media you use, along with the device’s serial number. This list will likely be generated when you complete your company’s Risk Assessment. Remember to include all electronic storage devices1.

Disposing of Digital Media + Electronic Devices

HHS and the US Computer Emergency Readiness Team recommend the following three techniques for removing sensitive information from workplace electronic devices. Remember, several types of office equipment have hard drives (not just laptops and desktops!) These procedures for safely disposing of ePHI must also be applied to discarded printers, copiers, and servers2.

Clearing

This method, which is also referred to as overwriting, relies on the use of software or hardware to replace PHI with random, non-sensitive data. This should be done a minimum of seven times so that ePHI is completely irretrievable.  

Purging

Degaussing refers to a method of clearing an electronic device through the use of magnets. Because hard drives rely on magnetic fields to store information, a strong magnetic field has the power to disrupt the equipment’s function and render the data unreadable.

Physical Destruction

This is the most surefire way to prevent leakage of any ePHI, however, this is not always feasible. Of course, you cannot destroy rented equipment or devices that you would like to clear and reuse. Pulverizing, burning/melting, shredding, and disintegrating are all acceptable methods of physical destruction.  

Clearing data from mobile phones or tablets is a slightly different process. Follow these steps to erase sensitive information from mobile devices3:

    1. Remove the memory/SIM card.
    1. Go to the devices setting and select Erase All Settings, Factory Reset, Memory Wipe, etc. The language differs from model to model but all devices should have some version of this option.
    1. Destroy the memory/SIM card so that it cannot be used again.
  1. Deactivate the storage account (Apple ID for iPhones and iPads) associated with the device.

Storing Media Before Destruction

Where will each type of media be located while it awaits destruction? It is important to designate a secure storage place for media and devices containing PHI. For example, a locked closet is an adequate holding place for media before pickup.

Training Employees on Electronic Device Disposal

Under HIPAA 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i), any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes all employees and volunteers. As part of training, ensure your employees know about secure depositories or bins where media sits while it awaits destruction.

You must keep a log of the devices in storage. You need to check the log before final action so that you can determine if any of the devices are missing1.

Requirements for Keeping PHI

Make sure you have backed up on another device any PHI that you need to retain. HIPAA requires businesses to store PHI for six years. However, some states require seven years. Make sure you check your state regulations to know the specific guidelines for your business before erasing or destroying stored information.

Ignoring HIPAA rules about proper PHI disposal puts you at risk for hefty fines, potential lawsuits, and bad publicity. Your reputation depends on how well you serve your clients. Make sure the protected health information they’ve trusted you with is never compromised by careless or improper disposal.

1 https://www.totalhipaa.com/proper-disposal-of-phi/

https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html

https://www.us-cert.gov/sites/default/files/publications/DisposeDevicesSafely.pdf

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)