Compliance Resources

HIPAA & IT Asset Disposal

HIPAA does not stop applying when a computer is retired. Devices that touched patient scheduling, billing, imaging exports, or email can carry protected health information (PHI) into the disposal stream — and disposal is one of the classic ways PHI ends up where it should not.

What HIPAA expects at disposal

HIPAA's Security Rule (45 CFR 164.310(d)(2)) requires covered entities and business associates to implement policies and procedures for the final disposition of electronic PHI and of the hardware or media it is stored on, and for removing electronic PHI from media before that media is reused. HHS guidance points to NIST Special Publication 800-88, Guidelines for Media Sanitization, as the reference practice for rendering the data unusable, unreadable, or indecipherable before disposal or reuse.

In plain terms: a practice that hands PHI-bearing computers to a hauler with no sanitization process and no record has a disposal problem, even if nothing bad ever surfaces. The obligation is to handle the media appropriately and to be able to show that you did.

What that means for retired healthcare IT

Exam-room workstations, front-desk PCs, nurse-station machines, back-office laptops, and the server closet behind the practice all potentially hold PHI in applications, cached files, local exports, and email archives. So do the drives inside retired copiers and other EHR-adjacent systems, and the storage in old backup appliances.

A defensible retirement process is boring on purpose: inventory the devices, track each data-bearing drive by serial number, sanitize following NIST 800-88 guidelines (or physically destroy where policy requires it), verify the result, and file the documentation with the project record. Two caveats worth building in: a software overwrite is a Clear-level method, and for SSDs and other flash media 800-88 does not accept it as Purge (use the drive's own sanitize or cryptographic erase command, or destroy); and a drive that fails, or whose sanitization cannot be verified, should go to destruction rather than be released because a command reported success.
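NIST 800-88's verification step means reading the media back after a Clear or Purge and confirming it holds what the method should have left; the guideline distinguishes full verification (every block) from representative sampling (a subset). The script below, added here as an illustration and not the vendor's tooling or anything from 800-88 itself, implements both checks against an overwrite pattern and emits the kind of per-drive manifest record the process above calls for. The 4 KiB block size, the serial number, the operator id and the two media images are constructed for the example; the second image has a single block of leftover scheduling data, which is the case where sampling passes and a full read does not.

```python
"""Post-sanitization verification and manifest record (added example).

Models NIST 800-88's verification step for an overwrite (Clear) method:
read the media back, confirm every block contains the expected pattern,
and record exactly what was checked. Media images, serial numbers and
operator ids below are constructed; this is not production tooling.
"""
import json
from datetime import datetime, timezone

BLOCK = 4096  # assumed logical block size for the sample images


def sample_blocks(nblocks, samples=16):
    """Representative-sampling plan: evenly spaced blocks plus the last one.

    Deterministic on purpose, so the manifest can state which blocks were read.
    """
    if nblocks <= samples:
        return list(range(nblocks))
    stride = nblocks // samples
    chosen = list(range(0, nblocks, stride))[:samples]
    if nblocks - 1 not in chosen:
        chosen.append(nblocks - 1)
    return chosen


def verify_pattern(media, pattern=0x00, full=True, samples=16):
    """Read blocks back and confirm each holds only `pattern`.

    full=True  -> every block (800-88 'full verification')
    full=False -> sample_blocks() subset (800-88 'representative sampling')
    Returns a dict suitable for embedding in a manifest entry.
    """
    nblocks = (len(media) + BLOCK - 1) // BLOCK
    plan = range(nblocks) if full else sample_blocks(nblocks, samples)
    expected = bytes([pattern]) * BLOCK
    mode = "full" if full else "sample"
    checked = 0
    for b in plan:
        chunk = media[b * BLOCK:(b + 1) * BLOCK]
        checked += 1
        if chunk != expected[:len(chunk)]:  # trailing partial block tolerated
            return {"passed": False, "mode": mode,
                    "blocks_checked": checked, "first_bad_block": b}
    return {"passed": True, "mode": mode,
            "blocks_checked": checked, "first_bad_block": None}


def manifest_entry(serial, model, method, verification, operator):
    """One serialized-manifest line: which drive, what was done, what was verified.

    A drive whose verification failed is marked 'hold' so it is routed to
    re-sanitization or destruction instead of leaving the site.
    """
    return {
        "serial": serial,
        "model": model,
        "method": method,
        "verification": verification,
        "operator": operator,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "disposition": "release" if verification["passed"] else "hold",
    }


# Constructed sample media: 256 blocks that were overwritten with 0x00 ...
CLEAN_IMAGE = bytes(256 * BLOCK)

# ... and the same image with one block the overwrite never reached.
# The record is fictitious; it stands in for a cached scheduling export.
_residue = b"PATIENT:TEST,PATIENT;DOB:1970-01-01;APPT:2024-03-02 09:30\n"
_buf = bytearray(CLEAN_IMAGE)
_buf[37 * BLOCK:37 * BLOCK + len(_residue)] = _residue
RESIDUE_IMAGE = bytes(_buf)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_IMAGE), ("residue", RESIDUE_IMAGE)):
        for full in (False, True):
            result = verify_pattern(image, full=full)
            entry = manifest_entry("SN-EXAMPLE-0001", "Example 256 GB HDD",
                                   "overwrite-1pass-0x00", result, "tech-01")
            print(name, json.dumps(entry))
```

On the residue image the sampling pass reads blocks 0, 16, 32, ... 240 and 255, misses block 37 and reports success, while the full pass stops at block 37 and the entry is marked "hold"; that gap is why 800-88 reserves sampling for cases where a full read is impractical. The check only applies to the overwrite path: after a cryptographic erase or a firmware sanitize on an SSD, reads return pseudo-random data rather than a fixed pattern, and verification means confirming the previously written content is gone, not that a pattern is present.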

How our process supports HIPAA-conscious disposal

We are not your compliance counsel and we do not certify HIPAA compliance — no disposal vendor can. What we provide is the handling model and the paper: storage media sanitized following NIST 800-88 guidelines, certificates of data sanitization per project, serialized manifests on request, and onsite hard drive shredding as a paid add-on where your policies call for physical destruction.

Healthcare pickups across DFW are scheduled around patient hours and facility rules, and the documentation is structured so your practice manager, compliance lead, or MSP can file it without translation.

This page is general information, not legal advice. Regulations change and their application depends on your situation — confirm your obligations with your counsel or compliance advisor. What we provide is documented disposal: sanitization following NIST 800-88 guidelines, certificates, and manifests that support the procedures your advisors design.

Common Questions

Does HIPAA require physical destruction of hard drives?

No single method is mandated. HHS guidance references NIST 800-88, which defines three sanitization levels (Clear, Purge, and Destroy) and selects among them by media type and the sensitivity of the data. Many organizations Clear or Purge as the default and reserve physical destruction for specific media classes and for drives that fail or cannot be verified; our onsite shredding add-on exists for exactly that case.

We are a business associate, not a provider. Does this still apply?

Business associates carry HIPAA obligations for the PHI they handle, including at disposal. Billing companies, MSPs supporting clinics, and similar organizations retire equipment under the same expectations.

What documentation should we keep after disposal?

At minimum: what devices left (ideally by serial number), when, who handled them, which sanitization or destruction method was applied to each data-bearing drive, and how the result was verified. We provide pickup receipts, certificates of data sanitization, and serialized manifests on request so that record exists without extra work on your side.

Retiring Equipment With Data On It?

Free pickup for qualifying business IT equipment across DFW — with the sanitization certificates and manifests your records need.

Schedule a Documented Pickup