This policy is listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Device & Media Controls Disposal Policy

Reference: §164.310(d)(2)(i)
Last Updated: April 24, 2024


The purpose of the Device and Media Control Disposal Policy is to establish guidelines for appropriately dispose of information systems and electronic media containing ePHI when it is no longer needed.



  • Device: For the purposes of this policy devices are considered to be electronic hardware (including but not limited to workstations, personal computers, servers, laptops, copiers, fax machines, and handheld units) with storage capability to record and save ePHI.
  • Storage Media: Including but not limited to disk drives, tapes, floppy disks, CD’s, zip disks, flash cards, USB memory sticks, optical disks, and hard copies.
  • Data sanitization: Data sanitization refers to the process of permanently and irreversibly removing or destroying data that is stored in a system or a component of the same such as memory device. Data Sanitization may also be used on standalone storage devices.


Covered Entities and Business Associates must remove storage devices from all systems prior to their disposal (or return upon the end of their lease) and either sanitized of data or destroyed. Whenever possible storage devices should be removed from any systems that must be sent out for repair or replacement and reinstalled when the system is returned. If removal is not possible these systems must be given to Business Associate with the capabilities to remove, sanitize or destroy the data or the actual physical components to ensure that the data previously housed is inaccessible.

All ePHI on decommissioned devices and storage media must be irretrievably destroyed, in order to protect the confidentiality of the data contained. If the device or media contains ePHI that is not required or needed, and is not a unique copy, a data destruction tool must be used to destroy the data on the device or media prior to disposal.

For the purposes of this policy reformatting shall not be considered a reliable option as the same may does not overwrite the data. If the device or media contains the only copy of ePHI that is required or needed, a retrievable copy of the ePHI must be made prior to disposal. As a rule, team members should consider the source and the information provided below in terms of guidance and actions to follow:

  • Removable magnetic "disks" (floppies, ZIP disks, and the like) and magnetic tapes (reels, cartridges) can be "degaussed" by an appropriately-sized and -powered degasser or physically destroyed.
  • Fixed internal magnetic storage (such as computer hard drives), as well as removable storage, can be cleansed by a re-writing process. Software is used to over-write all the usable storage locations of a medium. The simplest method is a single over-write; additional security is provided by multiple over-writes with variations of all 0s, all 1s, complements (opposite of recorded character), and/or random characters.
  • Optical media (such as CD-RWs) may be processed via an overwrite method. This is not the case for the vast majority of "write-once" optical media in use (notably the CD-R) because such media are optical rather than magnetic, they cannot be degaussed. For the write-once variety, only physical destruction will do.
  • Removable "solid state" storage devices such as “flash memory" devices are solid state and are non-volatile (the memory maintains data even after all power sources have been disconnected). Examples include CompactFlash, Memory Stick, Secure Digital, SmartMedia and other types of plug-ins, and a range of "mini-" and "micro-drive" flash devices that use USB or FireWire ports. Secure overwrites (following manufacturer specifications) are possible for these media as well. Neither degaussing nor over-writing offers absolute guarantees. Unless, of course, one is willing to disintegrate, incinerate, pulverize, shred, or smelt. As with paper, the method of disposal depends on the perceived risks of discovery, and estimates of the type of threat.
  • Paper containing sensitive information should be shredded. Strip cut shredders (also called straight cut or spaghetti cut) render paper into thin, long strips. Cross-cut shredders (also called confetti cut) provide both length-wise and width-wise dismemberment – generating from a few to many hundreds of pieces per shredded page.
Simplify Your Compliance with
Software and Guided Coaching
Let your patients and clients know that you take HIPAA seriously with the HIPAA Seal of Compliance for your website, storefront, and marketing materials.

Get instant access to HIPAA Compliance News and Updates

You'll get your first checklist as soon as you sign up!

overlapping hands

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram