Data Disposal and Sanitization

HICP Practice 4.6 requires you to securely dispose of PHI across all media types (electronic, paper, removable media) once it is no longer needed, and to use NIST SP 800-88–aligned sanitization methods for electronic media plus secure destruction for physical records [1]. To operationalize it fast, set a disposal standard, build an asset-to-disposal workflow, control third-party destruction, and keep destruction evidence.

Key takeaways:

  • Cover every PHI-bearing medium, not just servers: paper, endpoints, backup media, and removable storage count.
  • Standardize electronic sanitization to NIST SP 800-88 methods and document decision criteria [1].
  • Audits hinge on proof: chain-of-custody, destruction certificates, and tickets that tie disposal to the asset and data classification.

“Data disposal and sanitization” fails in practice for one reason: the organization can’t prove that PHI left the environment safely and on purpose. HICP Practice 4.6 is a requirement to implement secure disposal procedures for PHI on all media types, including electronic, paper, and removable storage [1]. That means you need a repeatable operational process that starts with knowing where PHI resides, continues through retention decisions, and ends with validated destruction or sanitization that is appropriate for the medium.

For a Compliance Officer, CCO, or GRC lead, the fastest path is to turn disposal into a controlled workflow: (1) define what “secure disposal” means per medium, (2) assign roles (IT, Privacy, Records, Facilities, and third parties), (3) enforce chain-of-custody, (4) require evidence, and (5) test it. This page gives requirement-level guidance you can put into policy and procedures, plus the audit artifacts and common examiner questions that determine whether your program passes review.

Regulatory text

Requirement (HICP Practice 4.6): “Implement secure data disposal procedures for PHI on all media types including electronic, paper, and removable storage.” [1]

Operator interpretation: You must have documented, implemented procedures to dispose of PHI securely wherever it exists. For electronic media, your sanitization approach should align to NIST SP 800-88 methods; for physical records, you need secure destruction methods appropriate to the medium [1]. “Procedures” means more than a policy statement: it includes who does what, how requests are triggered, how custody is controlled, and what proof is retained.

Plain-English interpretation (what the requirement really expects)

You are expected to:

  • Prevent PHI exposure at end-of-life for assets, paper records, and removable media.
  • Make disposal repeatable and provable. If you cannot show evidence that a specific PHI-bearing asset or box of records was destroyed or sanitized, auditors will treat it as a control gap.
  • Match the method to the media. “Delete” is not a disposal method; it’s a user action. Disposal must be a controlled sanitization/destruction method appropriate to the storage type [1].

Who it applies to

Entity types: Healthcare organizations and health IT vendors [1].

Operational contexts where this becomes urgent:

  • Asset refresh cycles (laptops, servers, mobile devices, network gear with storage)
  • Data center moves, cloud migrations, and decommissioning legacy apps
  • Backup media rotation and offsite storage
  • Copier/MFP returns and lease end (often overlooked local storage)
  • Records management (paper charts, printed patient lists, intake forms)
  • Third-party repair, RMA, and disposal services

What you actually need to do (step-by-step)

1) Define scope: what counts as “PHI on media”

Build a scoped inventory list of media types and systems that may store PHI, including:

  • Endpoints (workstations, laptops)
  • Mobile devices and tablets used clinically
  • Servers and storage arrays
  • Backup systems and backup media
  • Removable media (USB drives, external HDD/SSD)
  • Printers/copiers/MFPs with internal storage
  • Paper records and printouts

Practical control: Maintain a simple “PHI media register” that lists each medium type, owner team, and approved disposal method.

2) Set a disposal and sanitization standard by medium

Create a standard that maps medium → approved method → evidence required. For electronic media, specify that sanitization methods align to NIST SP 800-88 [1]. For physical records, specify secure destruction [1].

Example decision matrix (keep it in your procedure):

Laptops/endpoints
  • Typical scenario: Refresh or termination return
  • Approved method (example): NIST SP 800-88–aligned sanitize prior to redeploy/dispose [1]
  • Minimum evidence: Asset ID, wipe log or tool report, disposition ticket

Servers/storage
  • Typical scenario: Decommission
  • Approved method (example): NIST SP 800-88–aligned sanitize or destroy drives based on risk [1]
  • Minimum evidence: Change record, drive serials, destruction/sanitize report

Removable media
  • Typical scenario: Lost-and-found, lab use
  • Approved method (example): Prohibit where possible; otherwise sanitize per standard [1]
  • Minimum evidence: Media ID where feasible, incident/ticket, sanitize proof

Paper
  • Typical scenario: Records past retention
  • Approved method (example): Secure shredding/destruction [1]
  • Minimum evidence: Box log, chain-of-custody, certificate of destruction

Keep methods technology-neutral in policy, but concrete in procedure (tool names can live in SOPs).

3) Build the workflow triggers (so disposal happens on time)

Disposal fails when it relies on memory. Tie disposal to events:

  • Asset lifecycle: procurement → assignment → return → sanitize → redeploy/dispose
  • Offboarding: termination checklist requires return and sanitization confirmation
  • App decommissioning: change management requires “data disposition plan” sign-off
  • Records lifecycle: records management triggers secure destruction after approved retention period

Control point: Require a ticket or change record for each disposal event that includes who approved it and what method was used.

4) Control custody and segregation of duties

Auditors look for mishandling risk between “collection” and “destruction.”

  • Use locked bins/containers for paper destined for shredding.
  • Restrict who can move drives/media to a destruction staging area.
  • Separate requester/approver from the person performing destruction where practical.

5) Manage third parties performing destruction

If a third party handles shredding, degaussing, drive destruction, or ITAD:

  • Contractually require secure disposal procedures for PHI across media types [1].
  • Require chain-of-custody and certificates of destruction.
  • Define how exceptions are handled (missed pickups, damaged bins, partial loads).

Daydream fit (earned mention): Many teams track these obligations and artifacts in email and shared drives. Daydream can centralize third-party due diligence artifacts (contracts, destruction certificates, pickup logs) and map them to the disposal control so audit evidence is complete and searchable.

6) Validate and test (prove it works)

Testing turns a policy into an operational control:

  • Sample disposed assets and verify wipe logs match serial numbers.
  • Sample boxes from records destruction and trace custody from department to destruction certificate.
  • Run a decommission tabletop: confirm the system owner can produce a data disposition plan and evidence.

7) Handle exceptions explicitly

Common exceptions: litigation holds, investigation holds, or equipment that cannot be sanitized due to failure. Your procedure should require:

  • Written approval for exception
  • Compensating controls (secure storage, restricted access)
  • Final disposition plan and date

Required evidence and artifacts to retain

Maintain evidence that links (a) the asset/media, (b) the method, (c) the date, (d) the responsible party:

  • Data disposal and sanitization policy and SOPs aligned to HICP Practice 4.6 [1]
  • Asset inventory records with unique identifiers (asset tags, serial numbers where available)
  • Disposal tickets/change records for decommissioning events
  • Wipe/sanitization logs or tool-generated reports for electronic media
  • Certificates of destruction (paper and electronic media)
  • Chain-of-custody logs (pickup logs, bin seals, transfer forms)
  • Third-party contracts/SOWs that specify secure disposal requirements [1]
  • Exception approvals and litigation/records hold documentation
  • Training records for staff who handle PHI disposal

Common exam/audit questions and hangups

Expect reviewers to probe:

  • “Show me your approved sanitization methods for endpoints, servers, and removable media.” [1]
  • “How do you prove a specific device was sanitized before redeployment or disposal?”
  • “How do you handle copier/MFP hard drives at lease return?”
  • “What controls prevent staff from throwing PHI into regular trash or recycling?”
  • “Which third parties destroy media, and where is chain-of-custody plus certificates of destruction?”
  • “How do you ensure decommissioned applications don’t leave PHI in backups or exports?”

Hangups often come down to traceability: you have a destruction certificate, but it’s not tied to a specific asset list; or you have a wipe report, but it doesn’t match the CMDB.
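The validation step above (sample disposed assets and verify wipe logs match serial numbers) and the traceability hangups just described come down to one reconciliation: every asset the register says is disposed must map to an approved ticket, an approved method, and method-appropriate evidence whose identifiers match the CMDB. The following is an added example, not part of the original page or of any Daydream product: a small Python reconciliation over constructed sample records (the asset tags, serials, ticket IDs, method names and field layouts are hypothetical) that flags the breaks an examiner would find.

```python
# Disposal traceability check (added example; all data below is constructed).
# For each asset marked "disposed" in the register, confirm: a disposal ticket
# exists, it names an approver, the method is approved, and the evidence for
# that method (wipe report for clear/purge, certificate for destroy) carries a
# serial number that actually matches the register.

from typing import Dict, List, Tuple

# Approved methods and the evidence each one requires (hypothetical labels).
WIPE_METHODS = {"clear", "purge"}       # need a tool-generated wipe report
DESTROY_METHODS = {"destroy"}           # need a certificate of destruction

# --- Constructed sample inputs (hypothetical asset tags, serials, tickets) ---
ASSET_REGISTER: List[Dict] = [
    {"asset_id": "LT-1001", "serial": "SN-A1", "medium": "laptop", "status": "disposed"},
    {"asset_id": "LT-1002", "serial": "SN-A2", "medium": "laptop", "status": "disposed"},
    {"asset_id": "SV-2001", "serial": "SN-S1", "medium": "server", "status": "disposed"},
    {"asset_id": "LT-1003", "serial": "SN-A3", "medium": "laptop", "status": "in_use"},
    {"asset_id": "LT-1004", "serial": "SN-A4", "medium": "laptop", "status": "disposed"},
]
DISPOSAL_TICKETS: List[Dict] = [
    {"ticket": "CHG-100", "asset_id": "LT-1001", "method": "purge", "approver": "j.doe"},
    {"ticket": "CHG-101", "asset_id": "LT-1002", "method": "purge", "approver": ""},
    {"ticket": "CHG-102", "asset_id": "SV-2001", "method": "destroy", "approver": "k.lee"},
    # LT-1004 has no ticket at all: disposal happened "from memory".
]
WIPE_REPORTS: List[Dict] = [
    {"serial": "SN-A1", "result": "pass", "ticket": "CHG-100"},
    # Report exists for CHG-101 but the serial does not match the CMDB entry (SN-A2).
    {"serial": "SN-A9", "result": "pass", "ticket": "CHG-101"},
]
DESTRUCTION_CERTS: List[Dict] = [
    {"cert": "COD-7", "serials": ["SN-S1"], "vendor": "ITAD vendor (hypothetical)"},
]


def reconcile(assets: List[Dict], tickets: List[Dict],
              wipe_reports: List[Dict], certificates: List[Dict]) -> List[Tuple[str, str]]:
    """Return sorted (identifier, issue) pairs; an empty list means full traceability."""
    findings: List[Tuple[str, str]] = []
    tickets_by_asset = {t["asset_id"]: t for t in tickets}
    wipes_by_serial = {w["serial"]: w for w in wipe_reports}
    destroyed_serials = {s for c in certificates for s in c["serials"]}
    known_serials = {a["serial"] for a in assets}

    for asset in assets:
        if asset["status"] != "disposed":
            continue  # only assets claimed as disposed need disposal evidence
        aid, serial = asset["asset_id"], asset["serial"]
        ticket = tickets_by_asset.get(aid)
        if ticket is None:
            findings.append((aid, "missing_ticket"))
            continue
        if not ticket.get("approver"):
            findings.append((aid, "missing_approver"))
        method = ticket.get("method", "")
        if method in WIPE_METHODS:
            wipe = wipes_by_serial.get(serial)
            # Evidence must exist, be tied to this serial, and show a passing result.
            if wipe is None or wipe.get("result") != "pass":
                findings.append((aid, "no_wipe_evidence"))
        elif method in DESTROY_METHODS:
            if serial not in destroyed_serials:
                findings.append((aid, "no_destruction_certificate"))
        else:
            findings.append((aid, "unapproved_method"))

    # Evidence that cannot be tied back to any asset is itself a traceability break.
    for w in wipe_reports:
        if w["serial"] not in known_serials:
            findings.append((w["serial"], "orphan_wipe_report"))
    return sorted(findings)


def main() -> None:
    for ident, issue in reconcile(ASSET_REGISTER, DISPOSAL_TICKETS,
                                  WIPE_REPORTS, DESTRUCTION_CERTS):
        print(f"{ident}: {issue}")


if __name__ == "__main__":
    main()
```

Run it against exports from your CMDB, ITSM tool, wipe utility and vendor certificates; each finding is one of the hangups above (missing ticket or approver, evidence not tied to the asset, or a report whose serial no one can place). The same loop is the sampling procedure from step 6, applied to the whole population instead of a sample.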

Frequent implementation mistakes (and how to avoid them)

  1. Relying on “delete” or “factory reset.” Treat user deletion as irrelevant for compliance; require controlled sanitization aligned to NIST SP 800-88 for electronic media [1].
  2. Forgetting non-obvious storage. Copiers, label printers, medical devices with local storage, and lab instruments often get missed. Add them to the PHI media register.
  3. No chain-of-custody for paper. Locked bins and documented transfers close the gap between “collected” and “destroyed.”
  4. Third-party destruction without contract controls. If the contract doesn’t require secure destruction and evidence, you will scramble during audit.
  5. Unowned process. Assign a single process owner (often Records Management or Security) with clear RACI across IT, Privacy, and Facilities.

Enforcement context and risk implications

HICP is a cybersecurity practices publication for the health sector [1]. Regardless of enforcement posture, disposal failures create direct breach risk: lost drives, resold devices, misrouted shredding, or retained backups can expose PHI. Operationally, the most costly failures are the ones you cannot bound because you lack inventories and destruction evidence.

Practical 30/60/90-day execution plan

First 30 days (stabilize and close obvious gaps)

  • Assign an owner and publish a disposal/sanitization standard covering electronic, paper, and removable media [1].
  • Inventory PHI media types and identify third parties involved in shredding/ITAD.
  • Implement locked shred bins where PHI paper is generated.
  • Require tickets for all device disposals and app decommissions starting now.

By 60 days (operationalize and make it auditable)

  • Implement NIST SP 800-88–aligned sanitization procedures for endpoints and servers [1].
  • Add disposal evidence fields to ITSM workflows (asset ID, method, approver, evidence attachment).
  • Update third-party contracts/SOWs to require chain-of-custody and certificates of destruction.
  • Train frontline staff: what goes in shred bins, how to handle removable media, who to call.

By 90 days (prove control effectiveness)

  • Run a disposal audit drill: sample assets and paper destructions end-to-end.
  • Fix traceability breaks (missing serial numbers, incomplete certificates, inconsistent logs).
  • Add disposal checks to internal audit or compliance monitoring.
  • Formalize exception handling and hold processes for records and systems.

Frequently Asked Questions

Do we need to sanitize encrypted drives before disposal?

HICP Practice 4.6 still expects secure disposal procedures for PHI on electronic media [1]. Treat encryption as a risk-reducer, not a disposal method; document your chosen NIST SP 800-88–aligned approach and apply it consistently [1].

What about cloud data and decommissioned SaaS applications?

The requirement is about disposing of PHI when no longer needed across media types [1]. Operationally, add a decommission checklist that covers exports, archives, backups, and confirmation from the third party that PHI was deleted or rendered unrecoverable per your contract terms.

Are certificates of destruction mandatory?

HICP Practice 4.6 requires secure disposal procedures [1]. In audits, certificates and chain-of-custody are the simplest way to prove destruction occurred; if you do in-house destruction, keep equivalent internal logs and sign-offs.

How do we control paper disposal in clinics where staff print patient schedules?

Put shredding containers where printing happens, restrict access to the bins, and train staff on what must be shredded versus recycled. Then keep pickup logs and destruction certificates that can be traced back to the site and date [1].

Can we allow USB drives for PHI if we have a policy?

If you allow removable media, you need a lifecycle: issuance, tracking, encryption expectations, and an approved sanitization/disposal method [1]. Most teams reduce risk by restricting removable media and requiring documented exceptions.

What evidence should we show an auditor for a decommissioned server?

Provide the decommission change record, the drive serial list, the sanitization or destruction report aligned to your NIST SP 800-88–based procedure, and proof of final disposition [1]. Auditors will also ask how you handled backups associated with that server.

Footnotes

  [1] HICP 2023 - 405(d) Health Industry Cybersecurity Practices
