How to Dispose of PHI Properly: A HIPAA-Compliant Guide for Paper and Electronic Records
HIPAA Disposal Requirements
To dispose of PHI properly under HIPAA, you must render information unreadable, indecipherable, and incapable of reconstruction before final discard or reuse. This applies to both paper and electronic records throughout storage, transport, destruction, and verification.
Safeguards you must implement
- Administrative safeguards: written policies, retention and destruction schedules, vendor oversight, workforce training, and incident response.
- Physical safeguards: locked consoles and rooms, controlled transport, supervised destruction areas, and secure staging zones.
- Technical safeguards: encryption, access controls, audit logs, and media sanitization methods aligned to data type and risk.
You should also account for state record-retention mandates and litigation holds, apply the minimum necessary principle, and maintain PHI destruction documentation that proves what you destroyed, how, and when.
Disposal of Paper Records
Paper PHI must be destroyed so text, barcodes, images, and identifiers cannot be reconstructed. Use secure collection consoles, restrict access, and employ destruction methods that defeat manual reassembly.
Approved destruction methods
- Cross-cut shredding to small, confetti-like particles (avoid strip-cut shredders for routine PHI).
- Pulping, pulverizing, or incineration through a vetted destruction provider.
- Onsite, witnessed shredding for high-risk or high-volume purges.
Process controls
- Stage materials in locked bins; prohibit public or curbside placement.
- Seal containers for transport, maintain chain-of-custody, and supervise until destruction.
- Verify the output size/quality after shredding or pulping and record results.
- Obtain a certificate of destruction and retain it with your PHI destruction documentation.
Remember that labels, wristbands, prescription vials, and microforms also contain PHI and require the same secure handling and cross-cut shredding or equivalent destruction.
Disposal of Electronic Records
Electronic PHI (ePHI) resides on servers, laptops, mobile devices, removable media, copiers, and cloud backups. Select a sanitization method appropriate to the medium and sensitivity, and verify the result before reuse or disposal.
Sanitization methods (NIST Special Publication 800-88)
- Clearing: overwrite storage with validated tools, suitable for many HDDs; verify by sampling or full-pass confirmation.
- Purging: degaussing (magnetic media only; it has no effect on SSDs) or firmware-supported sanitize commands to defeat advanced recovery.
- Destruction: shred, pulverize, melt, or incinerate media when clearing/purging is insufficient or impractical.
- Cryptographic erasure (crypto-shredding): securely delete or rotate keys on properly encrypted media, then verify inaccessibility.
Controls and verification
- Maintain an asset inventory with device IDs, data classification, and selected sanitization method.
- Use technical safeguards: full-disk encryption, secure boot, and logged sanitization commands.
- Document who performed sanitization, the tool/version, success evidence (logs, photos of destroyed media), and witness signatures.
- Sanitize caches and residual stores (NVRAM, device logs) and remove or revoke cloud snapshots and keys.
For multifunction printers and medical devices, coordinate with the vendor for secure wipe procedures or certified destruction when reuse is not possible.
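As an added illustration of the verification and documentation steps above (not code from the original guide or from Accountable), the following script checks a media image after an overwrite by sampling or full-pass inspection and then builds a destruction-log record with the fields the guide lists. The image, device ID, operator, and tool name are constructed placeholders.

```python
# Added example: verify a "clear" (overwrite) by inspecting a media image, then
# record the outcome as a destruction-log entry. All inputs are constructed.
import hashlib
import random
from datetime import datetime, timezone

BLOCK = 4096  # inspection unit; a real verifier would use the device's sector size


def verify_overwrite(image: bytes, pattern: bytes = b"\x00", samples: int = 64,
                     full_pass: bool = False, seed: int = 0) -> dict:
    """Report any block of `image` that does not consist solely of `pattern`.
    Sampling uses a fixed seed so an auditor can reproduce which blocks were
    checked; full_pass inspects every block (the stronger confirmation)."""
    nblocks = (len(image) + BLOCK - 1) // BLOCK
    if full_pass:
        indices = list(range(nblocks))
    else:
        indices = sorted(random.Random(seed).sample(range(nblocks), min(samples, nblocks)))
    residual = []
    for i in indices:
        chunk = image[i * BLOCK:(i + 1) * BLOCK]
        expected = (pattern * (len(chunk) // len(pattern) + 1))[:len(chunk)]
        if chunk != expected:
            residual.append(i)  # residual data: the wipe did not cover this block
    return {"blocks_checked": len(indices), "blocks_total": nblocks,
            "residual_blocks": residual, "passed": not residual}


def destruction_log_entry(device_id: str, method: str, operator: str,
                          image: bytes, result: dict, tool: str = "example-wiper 0.1") -> dict:
    """Who, what, how, when, and success evidence, as the guide asks you to record."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "device_id": device_id, "method": method, "tool_version": tool, "operator": operator,
        "blocks_checked": result["blocks_checked"], "blocks_total": result["blocks_total"],
        "residual_blocks": result["residual_blocks"],
        "post_wipe_sha256": hashlib.sha256(image).hexdigest(),  # evidence of the verified state
        "outcome": "PASS" if result["passed"] else "FAIL - do not reuse or release",
    }


def make_sample_image(residual_block: int = -1) -> bytes:
    """Constructed 256-block zero-filled wipe output, optionally with one block left unwiped."""
    image = bytearray(256 * BLOCK)
    if residual_block >= 0:  # plant a constructed record to show detection; not real PHI
        rec = b"PATIENT: J. DOE  MRN: 000123  (constructed sample)"
        image[residual_block * BLOCK:residual_block * BLOCK + len(rec)] = rec
    return bytes(image)


if __name__ == "__main__":
    dirty = make_sample_image(residual_block=37)
    print(destruction_log_entry("LAPTOP-0042", "clear/overwrite", "j.smith", dirty,
                                verify_overwrite(dirty, full_pass=True)))
```

A failed entry should block reuse of the asset until it is re-wiped or physically destroyed, and both the failed and the passing record belong in the destruction log.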
Public Access Restrictions
PHI must never be placed where the public can access it. Locked consoles, supervised staging rooms, and controlled pickup points prevent unauthorized viewing, theft, or mixing with general trash.
- Prohibit disposal of PHI in public dumpsters, recycling bins, or open lobbies at any time.
- Route pickups through secure corridors; escort vendors; and avoid after-hours staging in publicly accessible areas.
- Post clear signage, restrict keys/badges, and monitor with cameras where appropriate.
- Immediately report and remediate any container tampering or chain-of-custody breaks.
Reuse of Electronic Media
Before reissuing, donating, or reselling devices that housed ePHI, sanitize them thoroughly and verify results. Reuse without proper sanitization risks unauthorized disclosure.
- Remove from management systems; back up business data; then perform an approved wipe based on NIST Special Publication 800-88.
- Reimage with a known-good build; confirm no residual ePHI; and label the asset as sanitized with date and method.
- For encrypted devices, perform cryptographic erasure plus a rapid validation wipe when feasible.
- Store sanitized media in secured areas until redeployment; restrict reactivation rights to authorized staff.
Business Associate Agreements
Any vendor that handles PHI for destruction or device sanitization must sign a Business Associate Agreement. The BAA makes your vendor contractually bound to protect PHI and report incidents.
Key BAA elements for disposal
- Permitted uses/disclosures limited to destruction and logistics necessary to perform services.
- Administrative, physical, and technical safeguards, including background checks and secure facilities.
- Subcontractor flow-down obligations to meet the same standards.
- Incident and breach reporting timeframes and cooperation duties.
- Destruction and media sanitization standards referencing NIST Special Publication 800-88 where applicable.
- PHI destruction documentation: certificate contents, retention periods, and audit rights.
- Termination terms requiring return or destruction of PHI and proof of completion.
Documentation and Training Procedures
Strong documentation proves compliance and strengthens your program. Keep records long enough to meet HIPAA and state requirements, and ensure they are retrievable during audits.
What to record
- Destruction log entries: date/time, location, container or device ID, PHI type/volume, method used, and responsible personnel.
- Verification evidence: wipe logs, screen captures, or photos of physically destroyed media.
- Vendor chain-of-custody forms and certificates of destruction for each pickup or project.
- Policy approvals, retention schedules, and risk assessments that justify chosen methods.
Training and oversight
- Provide role-based training at hire and annually on administrative safeguards, physical safeguards, and technical safeguards.
- Run spot checks of consoles, device decommissioning, and vendor pickups; correct issues immediately.
- Test incident response with tabletop exercises focused on disposal and media loss scenarios.
Conclusion
When you align paper and electronic destruction with NIST Special Publication 800-88, apply layered safeguards, restrict public access, bind vendors with a strong Business Associate Agreement, and maintain thorough PHI destruction documentation, you dispose of PHI properly and confidently meet HIPAA’s expectations.
FAQs
What are the HIPAA requirements for PHI disposal?
HIPAA requires you to use reasonable and appropriate administrative, physical, and technical safeguards so PHI is unreadable, indecipherable, and cannot be reconstructed at disposal or when media are reused. You must document methods, maintain chain-of-custody, and verify results.
How should paper records containing PHI be destroyed?
Use cross-cut shredding to small particles, pulping, pulverizing, or incineration. Stage in locked consoles, supervise transport, and obtain a certificate of destruction. Verify destruction quality and record the event in your destruction log.
What methods ensure electronic PHI cannot be reconstructed?
Follow NIST Special Publication 800-88: clear (overwrite), purge (e.g., sanitize commands or degauss where appropriate), or physically destroy media. For encrypted devices, cryptographic erasure combined with verification is effective.
Can PHI be disposed of in public dumpsters?
No. PHI must never be placed in public dumpsters, curbside bins, or other publicly accessible containers. Use locked consoles and controlled pickup points, and maintain chain-of-custody until confirmed destruction.
What documentation is required for PHI disposal?
Maintain PHI destruction documentation that includes date/time, container or device ID, PHI type/volume, chosen method, personnel or vendor involved, verification evidence, and certificates of destruction. Retain records per policy and applicable law.