HIPAA gets mentioned in every conversation about healthcare data, but when it comes to IT equipment disposal, most organizations don't actually know what the law requires. They know they need to "destroy the data" — but the specifics matter, especially when an auditor shows up.
Here's what HIPAA actually says about disposing of equipment that contains protected health information (PHI).
The HIPAA Security Rule's Device and Media Controls standard (45 CFR § 164.310(d)(1)) carries two required implementation specifications that bear directly on decommissioning. Disposal (§ 164.310(d)(2)(i)) requires covered entities and business associates to implement policies and procedures to address the "final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored." Media re-use (§ 164.310(d)(2)(ii)) requires "procedures for removal of electronic protected health information from electronic media before the media are made available for re-use." Both are "required" rather than "addressable" specifications, so there is no risk-based option to skip them.
In plain language: before any device that held patient data leaves your control — whether it's being sold, recycled, donated, or thrown away — the data must be destroyed, and you need to be able to prove it. The Security Rule's documentation requirement (§ 164.316(b)) is what makes the proof mandatory: the policies, and the records of the actions taken under them, must be in writing and retained for six years.
What auditors look for:
A defined media sanitization policy. You need a written policy that specifies how your organization destroys data on end-of-life equipment. Pointing to NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization, is the standard approach and the one auditors expect to see. A usable policy does more than cite the document: it maps each media type you actually own (spinning disks, SSDs and other flash, tape, the embedded storage in copiers) to one of 800-88's sanitization levels (Clear, Purge, or Destroy), names the tool or method used for each, and states how the result is verified.
Per-device documentation. "We wiped the servers" isn't sufficient. Auditors want to see that every device was tracked by serial number, with the destruction method, date, verification result, and technician name documented. A Certificate of Destruction should cover each device individually, not just summarize the batch.
Chain of custody. The rule's accountability specification (§ 164.310(d)(2)(iii)) calls for a record of the movements of hardware and electronic media and the person responsible for each move. From the moment a device is decommissioned to its final disposition, there should be an unbroken record of who had custody. This includes internal handoffs (IT to facilities), third-party handoffs (your organization to your ITAD vendor), and final disposition (remarketed, recycled, or destroyed).
Business Associate Agreements. If you're using a third-party vendor for data destruction or equipment removal, HIPAA requires a Business Associate Agreement (BAA) with that vendor. The BAA establishes that the vendor is obligated to protect PHI to the same standard you are.
Common mistakes:
Forgetting about copiers and printers. Many networked copiers and multifunction printers have an internal hard drive or flash storage that retains images of documents scanned, printed, or faxed, often long after the job completed. They are data-bearing devices under HIPAA and need the same sanitization and documentation as a server. Returning a leased unit to the vendor with that storage intact is a disposal event under the rule, and if the device offers an image-overwrite feature, confirm it was actually enabled rather than assuming it.
Assuming "delete" or "format" is sufficient. Deleting a file or quick-formatting a drive removes the filesystem's index entries, not the data: the sectors that held the content stay in place until something happens to overwrite them, and free carving tools recover them by scanning the raw media for file signatures. NIST SP 800-88 exists specifically because deletion is not sanitization. It defines three levels, Clear (overwrite through the normal interface), Purge (techniques such as ATA Secure Erase, NVMe Sanitize, cryptographic erase, or degaussing of magnetic media that defeat laboratory recovery), and Destroy, and it requires that the result be verified rather than assumed. Two caveats matter in practice: a software overwrite is not a reliable Purge for SSDs and other flash media, because wear leveling and over-provisioned blocks are outside the host's reach, so use the drive's built-in sanitize command or destroy the device; and cryptographic erase on a self-encrypting drive only counts if the drive was actually encrypting all along and the key is provably destroyed.
No documentation on physical destruction. If drives are physically shredded or crushed, you still need documentation — what was destroyed, when, serial numbers, who performed it, and photographic evidence if possible. "We threw them in the dumpster" is a compliance violation, not a disposition method.
Losing track of devices during facility moves. When a hospital or clinic relocates, merges, or closes, equipment gets shuffled. Devices end up in storage closets, loading docks, and trailers. Every device that goes unaccounted for is a potential breach — and a definite audit finding.
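The following is an added example, not part of the original article and not a Sentinel Data Solutions tool: a toy disk image in Python that makes the "delete is not destruction" point concrete, then performs a NIST SP 800-88 style Clear (single-pass overwrite) with sampled verification and emits the kind of per-device, hash-chained record described under "Per-device documentation" and "Chain of custody". Everything in it is constructed: the 32 KiB "disk", its one-sector file table standing in for a real filesystem's index, the sample intake record (not real PHI), the serial number and technician name. Real tools operate on block devices and must follow 800-88's minimum sampling coverage; this only shows the mechanics.

```python
"""Toy disk image: why delete/quick-format leaves PHI behind, what a
NIST SP 800-88 Clear plus sampled verification looks like, and the
per-device record an auditor asks for. All data is constructed."""
import hashlib
import json
import random
from datetime import datetime, timezone

SECTOR = 512
N_SECTORS = 64      # constructed 32 KiB "disk"
DATA_START = 1      # sector 0 holds the file table (the filesystem "index")


def write_table(disk: bytearray, table: dict) -> None:
    raw = json.dumps(table).encode()
    assert len(raw) < SECTOR, "toy table must fit in one sector"
    disk[0:SECTOR] = raw.ljust(SECTOR, b"\x00")


def read_table(disk: bytearray) -> dict:
    return json.loads(bytes(disk[0:SECTOR]).rstrip(b"\x00").decode())


def new_disk() -> bytearray:
    disk = bytearray(N_SECTORS * SECTOR)
    write_table(disk, {})
    return disk


def create_file(disk: bytearray, name: str, data: bytes) -> None:
    """Write data into the next free sectors and record the extent in the
    table; the name lives only in the table, the content only in the sectors."""
    table = read_table(disk)
    start = max((e["start"] + e["sectors"] for e in table.values()), default=DATA_START)
    sectors = -(-len(data) // SECTOR)          # ceiling division
    if start + sectors > N_SECTORS:
        raise ValueError("toy disk full")
    disk[start * SECTOR:start * SECTOR + len(data)] = data
    table[name] = {"start": start, "sectors": sectors, "length": len(data)}
    write_table(disk, table)


def delete_file(disk: bytearray, name: str) -> None:
    """'Delete' the way ordinary filesystems do: drop the index entry only."""
    table = read_table(disk)
    del table[name]
    write_table(disk, table)


def quick_format(disk: bytearray) -> None:
    """Quick format: a fresh empty table, data area untouched."""
    write_table(disk, {})


def carve(disk: bytearray, marker: bytes) -> list:
    """Signature carving, as free recovery tools do: ignore the table and
    scan the data area for a known marker, returning each line that has it."""
    area = bytes(disk[DATA_START * SECTOR:])
    found, pos = [], area.find(marker)
    while pos != -1:
        end = area.find(b"\n", pos)
        found.append(area[pos:end if end != -1 else None])
        pos = area.find(marker, pos + 1)
    return found


def clear_overwrite(disk: bytearray, pattern: int = 0x00) -> None:
    """Single-pass fixed-pattern overwrite of every sector, table included:
    the 800-88 'Clear' technique for magnetic disks. On SSDs wear leveling
    hides blocks from this loop; use the drive's sanitize command or destroy."""
    disk[:] = bytes([pattern]) * len(disk)


def verify_by_sampling(disk: bytearray, sample_count: int,
                       pattern: int = 0x00, seed: int = 0) -> dict:
    """Representative-sampling verification in the spirit of 800-88 section 4.7:
    read a pseudo-random subset of sectors and require every byte to equal the
    overwrite pattern. Fixed seed so the record is reproducible."""
    rng = random.Random(seed)
    sampled = sorted(rng.sample(range(N_SECTORS), sample_count))
    failed = [s for s in sampled
              if any(b != pattern for b in disk[s * SECTOR:(s + 1) * SECTOR])]
    return {"sectors_sampled": sampled, "sectors_failed": failed, "passed": not failed}


def sanitization_record(serial: str, method: str, verification: dict,
                        technician: str, prev_hash: str = "0" * 64) -> dict:
    """One per-device record: serial, method, verification result, technician,
    UTC timestamp, plus the previous record's hash so the log is tamper-evident."""
    body = {"serial": serial, "method": method, "verification": verification,
            "technician": technician, "prev_hash": prev_hash,
            "timestamp": datetime.now(timezone.utc).isoformat()}
    body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return body


def walkthrough() -> tuple:
    """Delete, format, carve (PHI still there); then Clear, verify, record."""
    disk = new_disk()
    create_file(disk, "intake.txt", b"MRN: 000123 Name: J. Doe\n")  # constructed sample
    delete_file(disk, "intake.txt")
    quick_format(disk)
    after_delete = carve(disk, b"MRN:")
    clear_overwrite(disk)
    after_clear = carve(disk, b"MRN:")
    record = sanitization_record("SN-EXAMPLE-0001", "NIST SP 800-88 Clear, 1-pass 0x00",
                                 verify_by_sampling(disk, sample_count=16), "tech.example")
    return after_delete, after_clear, record


if __name__ == "__main__":
    recovered, leftover, rec = walkthrough()
    print("after delete+format:", recovered, "| after Clear:", leftover)
    print(json.dumps(rec, indent=2))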
The bottom line: HIPAA compliance for IT equipment disposal comes down to three things — a defined standard (NIST 800-88), per-device documentation, and an unbroken chain of custody. If you can produce those three things when your auditor asks, you're in good shape. If you can't, you have a gap that needs to be closed before it becomes a finding — or worse, a breach notification.
Sentinel Data Solutions builds its entire documentation package around these requirements. If you're not sure whether your current disposal process would survive a HIPAA audit, we're happy to talk through it.