Page 3 of 4 Frequently Asked Questions About the
Disposal of Protected Health Information
• In justifiable cases, based on the size and the type of the covered entity, and the nature of the
PHI, depositing PHI in locked dumpsters that are accessible only by authorized persons, such as
appropriate refuse workers.
• For PHI on electronic media, clearing (using software or hardware products to overwrite media
with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in
order to disrupt the recorded magnetic domains), or destroying the media (disintegration,
pulverization, melting, incinerating, or shredding).
For more information on proper disposal of electronic PHI, see the HHS HIPAA Security Series
3: Security Standards – Physical Safeguards. In addition, for practical information on how to
handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP
800-88, Guidelines for Media Sanitization.
3. May a covered entity hire a business associate to dispose of protected health information?
Yes, a covered entity may, but is not required to, hire a business associate to appropriately dispose of
protected health information (PHI) on its behalf. In doing so, the covered entity must enter into a
contract or other agreement with the business associate that requires the business associate, among other
things, to appropriately safeguard the PHI through disposal. See 45 CFR 164.308(b), 164.314(a),
164.502(e), and 164.504(e). Thus, for example, a covered entity may hire an outside vendor to pick up
PHI in paper records or on electronic media from its premises, shred, burn, pulp, or pulverize the PHI, or
purge or destroy the electronic media, and deposit the deconstructed material in a landfill or other
appropriate area.
4. May a covered entity reuse or dispose of computers or other electronic media that store electronic
protected health information?
Yes, but only if certain steps have been taken to remove the electronic protected health information
(ePHI) stored on the computers or other media before its disposal or reuse, or if the media itself is
destroyed before its disposal. The HIPAA Security Rule requires that covered entities implement
policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media
on which it is stored, as well as to implement procedures for removal of ePHI from electronic media
before the media are made available for reuse. See 45 CFR 164.310(d)(2)(i) and (ii). Depending on the
circumstances, appropriate methods for removing ePHI from electronic media prior to reuse or disposal
may be by clearing (using software or hardware products to overwrite media with non-sensitive data) or
purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded
magnetic domains) the information from the electronic media. If circumstances warrant the destruction
of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing,
melting, incinerating, or shredding the media. Covered entities may contract with business associates to
perform these services for them.
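The clearing step named in the bullet list under Question 2 and again in the answer to Question 4 (overwrite the media with non-sensitive data, then confirm nothing readable is left, then record what was done) is shown below as an added Python example. It is not part of this HHS document and not NIST code; it assumes a regular file standing in for the drive, the function names are this example's own, and the "patient record" it writes into the image is constructed.

```python
"""Added example (not HHS text and not NIST code): the 'clear' step from the
answers above, carried out on a disk image, then verified and recorded.
Assumption: a regular file stands in for the device; every function name here
is this example's own."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB per read/write


def clear_media(path, pattern=0x00, passes=1):
    """Overwrite every byte of `path` with `pattern` the requested number of
    times and fsync, so the write actually reaches the media.  A single zero
    pass is the SP 800-88 'clear' for magnetic disks.  Returns bytes written."""
    size = os.path.getsize(path)
    block = bytes([pattern]) * CHUNK
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size * passes


def verify_cleared(path, pattern=0x00):
    """Full read-back verification, which SP 800-88 expects after a clear:
    every byte must equal `pattern`.  Returns (ok, first_bad_offset)."""
    expected = bytes([pattern]) * CHUNK
    offset = 0
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            if buf != expected[: len(buf)]:
                bad = next(i for i, b in enumerate(buf) if b != pattern)
                return False, offset + bad
            offset += len(buf)
    return True, None


def sanitization_record(path, method, technique, verified, operator):
    """The per-device record SP 800-88 asks the organization to keep (device,
    method, verification result, who, when).  Field names are this example's."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return {
        "media": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "method": method,              # clear / purge / destroy
        "technique": technique,
        "verified": verified,
        "post_sanitization_sha256": h.hexdigest(),
        "performed_by": operator,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo(passes=1):
    """Constructed walk-through: an image still holding a fake ePHI record is
    cleared, verified, and recorded.  The record written below is made up."""
    fake_ephi = b"PATIENT: Jane Doe  MRN 000000  DX: example\n" + b"\x00" * 4096
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(fake_ephi * 8)
    try:
        before_ok, _ = verify_cleared(path)                 # False: data present
        written = clear_media(path, passes=passes)
        after_ok, bad = verify_cleared(path)                # True, None
        other_ok, _ = verify_cleared(path, pattern=0xFF)    # False: wrong pattern
        record = sanitization_record(
            path, "clear", f"overwrite, {passes} pass(es)", after_ok, "operator-1"
        )
    finally:
        os.remove(path)
    return {"before_ok": before_ok, "after_ok": after_ok, "first_bad": bad,
            "other_pattern_ok": other_ok, "written": written, "record": record}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real drive the same functions would be pointed at the device node rather than an image file. Two caveats a practitioner should keep in mind: the overwrite shown here is the SP 800-88 clear for magnetic media, and on flash-based drives (SSDs, USB sticks) wear leveling means a host-side overwrite does not reliably reach every cell, so SP 800-88 Rev. 1 points to the drive's own sanitize or cryptographic-erase command for those; and whichever technique is used, the read-back verification and the written record are what let the covered entity show, later, that the ePHI was actually removed before the media left its control.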
For more information on proper disposal of ePHI and reuse of electronic media, see the HHS HIPAA
Security Series 3: Security Standards – Physical Safeguards. In addition, for practical information on
how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP
800-88, Guidelines for Media Sanitization.