In 2024, the U.S. Department of Health and Human Services settled with a healthcare provider for $1.19 million after an investigation revealed the organization had disposed of electronic media containing patient records without properly erasing the data. The drives ended up at a resale shop with electronic protected health information (ePHI) still intact. HIPAA's data disposal requirements are not optional — they carry real financial consequences. This guide explains exactly what the regulation requires and how to comply.
Key Takeaways:
- HIPAA requires that ePHI be rendered unreadable, indecipherable, and unable to be reconstructed before any electronic media is disposed of or reused
- The HIPAA Security Rule does not name a specific erasure method — but HHS points to NIST 800-88 as the authoritative guide for media sanitization
- Certificates of data erasure and disposal records must be retained for at least six years
- Both covered entities and business associates are liable for improper ePHI disposal, even when destruction is outsourced
- Penalties range from $141 per violation up to $2.13 million, with criminal penalties including imprisonment for willful violations
What HIPAA Says About Data Destruction
HIPAA's data destruction requirements live in the Security Rule, specifically within the Device and Media Controls standard. Two implementation specifications address disposal directly.
Section 164.310(d)(2)(i) — Disposal (Required)
The exact regulatory text states that a covered entity must:
"Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored."
In plain English: you need a written policy that covers what happens to ePHI when you are done with it. This is a required implementation specification, not an addressable one. There is no option to skip it or substitute an alternative measure. Every covered entity and business associate must have a disposal policy.
Section 164.310(d)(2)(ii) — Media Re-use (Required)
The regulation also states that a covered entity must:
"Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use."
This second specification targets a different scenario: drives and devices that stay in service but change hands within or outside the organization. Before a laptop gets reassigned to a new employee, before a server drive gets repurposed, before leased equipment goes back to the vendor — the ePHI must be removed.
What the Regulation Does Not Say
HIPAA does not prescribe a specific erasure method. It does not say "overwrite three times" or "use DoD 5220.22-M" or even name NIST 800-88 directly in the regulatory text. The regulation is intentionally technology-neutral, recognizing that specific methods evolve over time.
What HIPAA does require is a result: ePHI must be rendered unreadable, indecipherable, and unable to be reconstructed. How you get there is left to the covered entity, guided by the Breach Notification Rule's safe harbor language in 45 CFR 164.402. That provision defines what makes ePHI "unsecured" — and by implication, what makes it "secured" (and therefore exempt from breach notification). The HHS guidance document for rendering ePHI unusable specifically references NIST 800-88 as the appropriate standard for electronic media.
What This Means in Practice
The regulatory language is deliberately general, but practical compliance comes down to specific actions.
You Need a Written Policy
The regulation says "implement policies and procedures." That means a documented, written media sanitization policy that covers:
- Which roles are responsible for data destruction
- Which sanitization method applies to which type of media
- How the process is verified after completion
- How destruction is documented and where records are kept
- How third-party destruction vendors are managed
- How the policy is communicated to workforce members
A verbal understanding or informal practice is not sufficient. When HHS Office for Civil Rights (OCR) investigators show up after a breach, they ask for documentation first.
Every Drive That Leaves Your Control Must Be Wiped
"Leaves your control" includes selling, donating, recycling, returning leased equipment, sending for repair by a third party, or simply throwing away. Any transition where someone outside your organization could access the drive triggers the disposal requirement.
Internal Transfers Still Require Erasure
When a workstation moves from a nurse to a billing clerk, or from one department to another, the media re-use specification applies. The ePHI from the previous user must be removed before the new user takes possession.
Business Associates Are Equally Liable
The 2013 HIPAA Omnibus Rule made business associates directly subject to the Security Rule. If you are an IT managed service provider, a cloud hosting company, an IT asset disposition (ITAD) vendor, or any entity that handles ePHI on behalf of a covered entity, the disposal requirements apply to you. A Business Associate Agreement (BAA) must be in place, but the BAA does not transfer liability — both parties can face penalties if disposal is mishandled.
Sanitization Methods That Satisfy HIPAA
Since HIPAA points to NIST 800-88 through HHS guidance, the three-tier NIST sanitization model is the practical framework for compliance. Here is how each level maps to HIPAA requirements.
Clear
Clear-level sanitization protects against data recovery using standard software tools. For HDDs, this means a single verified overwrite pass. For SSDs, a software overwrite may meet Clear but cannot reach all data due to wear leveling and over-provisioning.
HIPAA applicability: Clear may be acceptable for internal media re-use scenarios where the drive stays within your organization and the data sensitivity is moderate. However, for any drive leaving your organization, Clear alone is likely insufficient to demonstrate that ePHI is "unable to be reconstructed."
Purge
Purge protects against laboratory-level recovery using specialized equipment. For HDDs, this means firmware-level ATA Secure Erase. For SSDs, it requires firmware commands such as ATA Secure Erase, NVMe Sanitize (Block Erase or Crypto Erase), or cryptographic erase on self-encrypting drives.
HIPAA applicability: Purge is the recommended minimum for any drive containing ePHI that is leaving your organization. It satisfies the "unreadable, indecipherable, and unable to be reconstructed" threshold referenced in HHS guidance and provides strong evidence of compliance in the event of an audit.
Destroy
Destroy renders media physically unusable through shredding, disintegration, incineration, or degaussing (for magnetic media only — degaussing has no effect on SSDs). Physical destruction of SSDs must address individual NAND flash chips, not just the circuit board.
HIPAA applicability: Destroy is appropriate for drives that have failed and cannot be software-erased, for highly sensitive ePHI, or when organizational policy mandates physical destruction. Many large healthcare systems and ITAD vendors use certified shredding as their default method.
Methods That Do NOT Satisfy HIPAA
The following actions do not render ePHI "unreadable, indecipherable, and unable to be reconstructed" and therefore fail to meet HIPAA requirements:
- Formatting (quick or full) — removes the file system index but leaves data recoverable
- Deleting files — marks space as available but does not overwrite the data
- Windows Reset — reinstalls the operating system but does not securely overwrite all sectors
- Removing the drive and keeping it — unless the drive itself is properly sanitized or destroyed, it remains a liability sitting in a drawer
Bottom Line: For HIPAA compliance, target Purge-level sanitization per NIST 800-88 for any drive containing ePHI that leaves your control. Use tools that generate certificates of erasure. Keep those certificates for six years. The cost of professional erasure software is negligible compared to a single HIPAA penalty.
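To make the Clear/Purge/Destroy mapping above concrete, here is a small policy check, added as an example for this guide (it is not code from HHS, NIST, or any erasure vendor). It encodes the guide's own statements as a lookup table: what each method achieves per media type, and the minimum level each disposition requires. The media names, method names, and the `Level` enum are this example's modelling assumptions; the table is only as good as the policy text it mirrors, so adjust it to your own written policy.

```python
from enum import IntEnum


class Level(IntEnum):
    """NIST SP 800-88 sanitization tiers; NONE means the data stays recoverable."""
    NONE = 0
    CLEAR = 1
    PURGE = 2
    DESTROY = 3


# Level each method achieves per media type. This table is the example's own
# encoding of the guide's text: overwrite on flash is Clear at best, degaussing
# does nothing to flash, NVMe Format is Clear, NVMe Sanitize is Purge, and
# format / delete / OS reset leave ePHI recoverable.
ACHIEVED = {
    "hdd": {
        "format": Level.NONE,
        "delete_files": Level.NONE,
        "os_reset": Level.NONE,
        "overwrite_verified": Level.CLEAR,
        "ata_secure_erase": Level.PURGE,
        "degauss": Level.DESTROY,
        "shred": Level.DESTROY,
    },
    "ssd_sata": {
        "format": Level.NONE,
        "delete_files": Level.NONE,
        "os_reset": Level.NONE,
        "overwrite_verified": Level.CLEAR,
        "ata_secure_erase": Level.PURGE,
        "ata_enhanced_secure_erase": Level.PURGE,
        "degauss": Level.NONE,
        "shred": Level.DESTROY,  # only if the NAND packages themselves are destroyed
    },
    "ssd_nvme": {
        "format": Level.NONE,
        "delete_files": Level.NONE,
        "os_reset": Level.NONE,
        "overwrite_verified": Level.CLEAR,
        "nvme_format": Level.CLEAR,
        "nvme_sanitize_block_erase": Level.PURGE,
        "nvme_sanitize_crypto_erase": Level.PURGE,
        "degauss": Level.NONE,
        "shred": Level.DESTROY,
    },
}

# Minimum level per disposition, taken from the guide's Step 2 list.
MINIMUM = {
    "reuse_internal": Level.CLEAR,
    "leaves_org": Level.PURGE,
    "failed": Level.DESTROY,
}


def achieved_level(media, method):
    """Look up what a method achieves on a media type; unknown pairs are an error,
    not a silent NONE, so a typo in a work order cannot pass as compliant."""
    try:
        return ACHIEVED[media][method]
    except KeyError:
        raise ValueError(f"unknown media/method combination: {media}/{method}") from None


def evaluate(media, disposition, method):
    """Compare what the method achieves with what the disposition requires."""
    achieved = achieved_level(media, method)
    required = MINIMUM[disposition]
    compliant = achieved >= required
    if achieved == Level.NONE:
        note = "method leaves ePHI recoverable; does not meet HIPAA at any tier"
    elif compliant:
        note = f"{achieved.name} meets or exceeds required {required.name}"
    else:
        note = f"{achieved.name} is below required {required.name}; escalate the method"
    return {"media": media, "disposition": disposition, "method": method,
            "achieved": achieved.name, "required": required.name,
            "compliant": compliant, "note": note}


if __name__ == "__main__":
    for case in [("hdd", "leaves_org", "overwrite_verified"),
                 ("ssd_sata", "leaves_org", "degauss"),
                 ("ssd_nvme", "reuse_internal", "nvme_format"),
                 ("ssd_nvme", "leaves_org", "nvme_sanitize_crypto_erase")]:
        print(evaluate(*case))
```

The point of the `NONE` tier is that the "do not satisfy" methods are never treated as a weaker-but-present level: a degaussed SSD or a formatted HDD scores exactly as if nothing had been done, which is how an OCR investigator would view it.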
How to Wipe Hard Drives for HIPAA Compliance
Here is a practical, step-by-step process for HIPAA-compliant drive erasure. For detailed technical instructions, see our complete guide to wiping a hard drive.
Step 1: Inventory and Identify
Before erasing anything, document what you have. Record the device type (laptop, desktop, server), drive type (HDD or SSD), drive model and serial number, interface (SATA, NVMe), and the department or system it came from. This inventory becomes part of your audit trail.
Step 2: Determine the Sanitization Level
Apply your organization's media sanitization policy. For most healthcare scenarios:
- Drives staying within the organization (re-use): Clear minimum, Purge recommended
- Drives leaving the organization (disposal, donation, resale, lease return): Purge minimum
- Failed or damaged drives: Destroy (physical destruction)
Step 3: Choose the Right Method for the Drive Type
For HDDs:
- A verified single-pass overwrite satisfies Clear per NIST 800-88
- ATA Secure Erase satisfies Purge
- Either method works — Purge provides a stronger compliance position
For SSDs (SATA):
- Do not rely on overwriting alone — wear leveling prevents complete coverage
- Use ATA Secure Erase or Enhanced Secure Erase for Purge-level sanitization
For SSDs (NVMe):
- Use NVMe Sanitize (Block Erase or Crypto Erase)
- NVMe Format may qualify as Clear but not Purge
Step 4: Execute the Erasure
Use software that supports your chosen sanitization level and generates documentation. Boot from a USB drive running BitRaser Drive Eraser or a similar NIST 800-88-compliant tool. Select the appropriate erasure standard (NIST 800-88 Clear or Purge). Start the erasure process and allow it to complete without interruption.
Step 5: Verify
Verification is not optional. NIST 800-88 Rev. 2 requires verification at every sanitization level. Professional erasure tools perform verification automatically — reading back sectors to confirm the overwrite pattern or confirming that firmware-level commands completed successfully. If using a tool that does not auto-verify, you must manually sample sectors.
Step 6: Generate and Store the Certificate
A certificate of data erasure should document:
- Date and time of erasure
- Drive make, model, and serial number
- Erasure method and standard applied
- Verification result (pass/fail)
- Name of the technician who performed the erasure
- Software tool and version used
Store these certificates according to your retention policy — HIPAA requires six years minimum for Security Rule documentation.
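Steps 5 and 6 are the ones most often done badly by hand, so here is an added example of both, written for this guide rather than taken from any erasure product: a read-back verifier that checks sectors against the overwrite pattern (full read, or the seeded random sampling the guide describes for tools without auto-verify), and a certificate builder that refuses records missing any of the fields listed above and attaches a SHA-256 over the canonical JSON so later edits to a stored copy can be detected. It runs against a constructed disk-image file, not a real device; the drive identifiers, tool name, and field names are placeholders of this example. A firmware-level Purge (ATA Secure Erase, NVMe Sanitize) is verified the same way, by reading back after the command reports completion.

```python
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

SECTOR_SIZE = 512
# Fields the guide's Step 6 lists for a certificate of erasure (key names assumed).
REQUIRED_FIELDS = ("erased_at", "make", "model", "serial", "method", "standard",
                   "verification", "technician", "tool", "tool_version")


def make_constructed_image(path, sectors, dirty_sectors=()):
    """Write a stand-in for a wiped drive: all-zero sectors, except the listed
    indexes, which get non-zero bytes to simulate a region the wipe missed."""
    rng = random.Random(1)
    with open(path, "wb") as f:
        for i in range(sectors):
            if i in dirty_sectors:
                f.write(bytes(rng.randrange(1, 256) for _ in range(SECTOR_SIZE)))
            else:
                f.write(bytes(SECTOR_SIZE))
    return path


def verify_overwrite(path, pattern=0x00, mode="full", samples=64, seed=0):
    """Read sectors back and confirm every byte equals the overwrite pattern.
    mode="full" reads every sector; mode="sample" reads a seeded random subset."""
    expected = bytes([pattern]) * SECTOR_SIZE
    total = os.path.getsize(path) // SECTOR_SIZE
    if mode == "full":
        indexes = range(total)
    else:
        indexes = sorted(random.Random(seed).sample(range(total), min(samples, total)))
    failed = []
    with open(path, "rb") as f:
        for i in indexes:
            f.seek(i * SECTOR_SIZE)
            if f.read(SECTOR_SIZE) != expected:
                failed.append(i)
    return {"mode": mode, "sectors_total": total, "sectors_checked": len(indexes),
            "failed_sectors": failed, "passed": not failed}


def _digest(record):
    body = {k: v for k, v in record.items() if k != "integrity_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_certificate(**fields):
    """Assemble the per-drive record, refusing incomplete ones, and attach an
    integrity hash (detects accidental or casual edits; it is not a signature)."""
    missing = [k for k in REQUIRED_FIELDS if not fields.get(k)]
    if missing:
        raise ValueError(f"certificate missing required fields: {missing}")
    if fields["verification"] not in ("pass", "fail"):
        raise ValueError("verification must be 'pass' or 'fail'")
    record = {k: fields[k] for k in REQUIRED_FIELDS}
    record["integrity_sha256"] = _digest(record)
    return record


def certificate_intact(record):
    return _digest(record) == record.get("integrity_sha256")


def certify(image_path, drive, technician):
    """Verify a (constructed) image and record the outcome. The overwrite or
    firmware command itself is performed by whatever tool the policy names."""
    result = verify_overwrite(image_path, mode="full")
    return build_certificate(
        erased_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        make=drive["make"], model=drive["model"], serial=drive["serial"],
        method=drive["method"], standard="NIST SP 800-88 Rev. 2 Clear",
        verification="pass" if result["passed"] else "fail",
        technician=technician, tool="example-verifier", tool_version="0.1",
    )


def run_demo():
    """Exercise everything on two constructed images in a temporary directory."""
    workdir = tempfile.mkdtemp()
    clean = make_constructed_image(os.path.join(workdir, "clean.img"), 256)
    dirty = make_constructed_image(os.path.join(workdir, "dirty.img"), 256, {5, 200})
    drive = {"make": "ExampleCo", "model": "Model-Z", "serial": "SN-CONSTRUCTED-0001",
             "method": "overwrite_verified"}  # constructed identifiers, not a real drive
    cert = certify(clean, drive, "A. Technician")
    return {
        "clean": verify_overwrite(clean),
        "dirty": verify_overwrite(dirty),
        "sampled": verify_overwrite(clean, mode="sample", samples=32),
        "clean_certificate": cert,
        "dirty_certificate": certify(dirty, drive, "A. Technician"),
        "intact": certificate_intact(cert),
        "tamper_detected": not certificate_intact(dict(cert, serial="SN-OTHER")),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points worth noting. A failed verification still produces a certificate, with `verification` set to `fail`, because the audit trail needs to show that the drive was checked and must now go to a second attempt or physical destruction; silently dropping the record is how gaps appear in the disposal log. And sampling is a fallback only: on the constructed image, a 32-sector sample of a 256-sector drive can easily miss the two dirty sectors that the full read catches, which is why professional tools read the whole device.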
Documentation and Certificates of Erasure
HIPAA's documentation requirements under 45 CFR 164.316(b)(1) state that a covered entity must "maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form" and "if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment."
For data destruction, this translates to three types of documentation:
1. The Media Sanitization Policy
Your written policy describing how your organization handles media disposal and re-use. This should reference NIST 800-88, specify which sanitization levels apply to which scenarios, and assign responsibilities.
2. Individual Certificates of Erasure
A per-drive record documenting the specific erasure performed. Professional tools like BitRaser generate these automatically with tamper-proof formatting. If you use free tools, you will need to create these records manually — a spreadsheet with the required fields (date, serial number, method, verification result, technician) at minimum.
3. Disposal Logs
An organizational record tracking all media dispositions over time. This gives auditors a complete picture: how many drives were sanitized, when, by whom, and using what method. Patterns in disposal logs can also reveal gaps in your process — for example, drives that were decommissioned but never appear in the erasure records.
All three types of documentation must be retained for a minimum of six years from the date of creation or the date they were last in effect, whichever is later.
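The disposal log is only useful if someone actually cross-checks it against the asset inventory. Here is an added example of that reconciliation, written for this guide and not drawn from any vendor tool: it reports drives decommissioned with no erasure record, drives whose latest record is a failed verification, drives erased but never logged as decommissioned, and records whose six-year retention window (from creation or last-in-effect date, whichever is later) has closed. The inventory and log entries are constructed placeholders; the record layout is this example's assumption.

```python
from datetime import date

RETENTION_YEARS = 6  # Security Rule documentation retention period cited by the guide


def retention_end(created, last_in_effect=None):
    """Six years from creation or from the date a record was last in effect,
    whichever is later. A 29 Feb start date falls back to 28 Feb."""
    start = max(created, last_in_effect) if last_in_effect else created
    try:
        return start.replace(year=start.year + RETENTION_YEARS)
    except ValueError:
        return start.replace(year=start.year + RETENTION_YEARS, day=28)


def reconcile(decommissioned, certificates, today):
    """Cross-check the disposal log against the asset inventory.

    decommissioned: [{"serial", "decommissioned_on"}]
    certificates:   [{"serial", "date", "verification"}]
    Returns the gaps an auditor would ask about, keyed by category."""
    by_serial = {}
    for cert in certificates:
        by_serial.setdefault(cert["serial"], []).append(cert)
    for recs in by_serial.values():
        recs.sort(key=lambda r: r["date"])

    decom_serials = {d["serial"] for d in decommissioned}
    # decommissioned but never erased or destroyed: the gap the guide warns about
    never_sanitized = sorted(decom_serials - by_serial.keys())
    # latest record for the drive is a failed verification: still a liability
    unresolved_failures = sorted(s for s, recs in by_serial.items()
                                 if recs[-1]["verification"] != "pass")
    # erased but never logged as decommissioned: the inventory is incomplete
    unlisted = sorted(by_serial.keys() - decom_serials)
    # records whose retention window has closed and may be disposed of per policy
    retention_expired = sorted(f"{c['serial']}@{c['date'].isoformat()}"
                               for c in certificates
                               if retention_end(c["date"]) < today)
    return {"never_sanitized": never_sanitized,
            "unresolved_failures": unresolved_failures,
            "unlisted": unlisted,
            "retention_expired": retention_expired}


def run_demo():
    """Constructed inventory and disposal log; serials are placeholders."""
    decommissioned = [
        {"serial": "SN-A", "decommissioned_on": date(2025, 11, 3)},
        {"serial": "SN-B", "decommissioned_on": date(2025, 11, 3)},
        {"serial": "SN-C", "decommissioned_on": date(2025, 12, 15)},
        {"serial": "SN-E", "decommissioned_on": date(2026, 1, 9)},
        {"serial": "SN-OLD", "decommissioned_on": date(2019, 2, 20)},
    ]
    certificates = [
        {"serial": "SN-A", "date": date(2025, 11, 4), "verification": "pass"},
        {"serial": "SN-B", "date": date(2025, 11, 4), "verification": "fail"},
        {"serial": "SN-B", "date": date(2025, 11, 6), "verification": "pass"},
        {"serial": "SN-D", "date": date(2025, 12, 1), "verification": "pass"},
        {"serial": "SN-E", "date": date(2026, 1, 10), "verification": "fail"},
        {"serial": "SN-OLD", "date": date(2019, 3, 1), "verification": "pass"},
    ]
    return reconcile(decommissioned, certificates, today=date(2026, 2, 1))


if __name__ == "__main__":
    for category, serials in run_demo().items():
        print(f"{category}: {serials}")
```

On the constructed data, SN-B shows the pattern you want to see (a failed verification followed by a passing re-run), SN-E shows the one you do not (a failure with nothing after it), and SN-C is the drive that left service without any erasure record at all. Run the check on a schedule, not only when an investigator asks.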
HIPAA Penalties for Improper Data Destruction
The HHS Office for Civil Rights (OCR) enforces HIPAA through investigations and penalties. Improper disposal of ePHI falls under the Security Rule's Device and Media Controls standard, and violations carry the same penalty structure as any other HIPAA Security Rule violation.
Penalty Tiers (as adjusted for inflation)
| Tier | Knowledge Level | Per Violation | Annual Maximum |
|---|---|---|---|
| 1 | Did not know (and could not reasonably have known) | $141 - $71,162 | $71,162 |
| 2 | Reasonable cause (not willful neglect) | $1,424 - $71,162 | $71,162 |
| 3 | Willful neglect, corrected within 30 days | $14,232 - $71,162 | $71,162 |
| 4 | Willful neglect, not corrected | $71,162 - $2,134,831 | $2,134,831 |
Criminal penalties, enforced by the Department of Justice, can result in fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell or use individually identifiable health information.
Real Enforcement Examples
OCR has pursued multiple enforcement actions specifically involving improper media disposal:
- Affinity Health Plan (2013) — $1.2 million settlement after photocopier hard drives containing ePHI of up to 344,579 individuals were returned to a leasing company without being wiped
- FileFax (2016) — closure of a medical records storage company that left patient records accessible after ceasing operations without properly disposing of media
- New England Dermatology (2022) — $300,640 penalty for improper disposal of specimen containers with PHI, demonstrating OCR's willingness to enforce disposal requirements broadly
The common thread: organizations that had no documented disposal process. An OCR investigation after a breach will ask for your media sanitization policy, your disposal records, and your training documentation. If any of those are missing, the penalty tier escalates.
Recommended Software for HIPAA-Compliant Erasure
For healthcare organizations that need to demonstrate HIPAA compliance, the choice of erasure software matters. You need a tool that meets NIST 800-88 requirements and generates the documentation that auditors expect.
BitRaser Drive Eraser
BitRaser Drive Eraser is the strongest option for HIPAA-regulated organizations. It supports both Clear and Purge-level sanitization across HDDs, SSDs (SATA and NVMe), and a range of other media types. It generates tamper-proof certificates of erasure that include drive serial numbers, erasure method, verification results, and timestamps — exactly what OCR investigators look for during an audit.
BitRaser also maintains a cloud-based audit trail, so certificates are not lost if local records are damaged or misplaced. Pricing starts at $39 per drive for single-use licenses, with volume pricing available for healthcare systems that process large numbers of devices.
KillDisk
KillDisk supports multiple erasure standards including NIST 800-88 and provides certificates of erasure. It is available as both a bootable USB tool and a Windows/Linux application. The professional version supports SSD-specific firmware commands. KillDisk can be a cost-effective alternative for organizations with moderate volumes and internal IT staff capable of managing the process.
Free Tools: Limitations for HIPAA
Free tools like DBAN and ShredOS can perform verified overwrites on HDDs, but they have significant limitations for HIPAA compliance. They do not generate formal certificates of erasure. They do not support SSD firmware-level commands. They do not maintain an audit trail. You can use them, but you will need to create all documentation manually and accept the risk that your records may not satisfy an OCR auditor.
For a complete comparison of erasure tools with features, pricing, and compliance capabilities, see our best data erasure software roundup.
Frequently Asked Questions
Does HIPAA require hard drives to be wiped?
Yes. The HIPAA Security Rule requires covered entities and business associates to implement policies and procedures for the disposal of electronic protected health information (ePHI). While HIPAA does not mandate a specific erasure method, it requires that ePHI be rendered unreadable, indecipherable, and unable to be reconstructed before disposal or reuse of any electronic media.
What data erasure standard satisfies HIPAA?
HIPAA does not name a specific erasure standard, but the Department of Health and Human Services (HHS) points to NIST 800-88 as the authoritative reference. Following NIST 800-88 Rev. 2 at the Purge level or higher is the most widely accepted way to demonstrate HIPAA-compliant data destruction for drives leaving your organization.
Do I need a certificate of data erasure for HIPAA?
HIPAA requires documentation of your disposal process, and a certificate of data erasure is the most practical way to provide it. The certificate should record the device serial number, erasure method, date, technician name, and verification result. These records must be retained for at least six years per HIPAA documentation requirements.
What are the penalties for improper ePHI disposal under HIPAA?
HIPAA penalties for improper disposal range from $141 to $2,134,831 per violation depending on the level of negligence. The four penalty tiers are: Tier 1 (unaware, $141-$71,162), Tier 2 (reasonable cause, $1,424-$71,162), Tier 3 (willful neglect corrected, $14,232-$71,162), and Tier 4 (willful neglect not corrected, $71,162-$2,134,831). Criminal penalties can include up to 10 years imprisonment.
Can I just format a hard drive to comply with HIPAA?
No. Formatting a hard drive — whether quick format or full format — does not satisfy HIPAA disposal requirements. Formatting removes the file system index but leaves the underlying data intact and recoverable with freely available software. HIPAA requires that ePHI be rendered unreadable and unable to be reconstructed, which formatting does not achieve.
Does HIPAA apply to SSDs differently than HDDs?
HIPAA itself does not distinguish between drive types, but the practical methods differ significantly. SSDs use wear leveling and over-provisioning, which means overwriting alone cannot reach all stored data. For SSDs containing ePHI, you should use firmware-level commands like ATA Secure Erase or NVMe Sanitize to achieve Purge-level sanitization per NIST 800-88.
Who is responsible for wiping drives under HIPAA?
Both covered entities (healthcare providers, health plans, clearinghouses) and their business associates are responsible. If you outsource IT asset disposition to a third party, you must have a Business Associate Agreement (BAA) in place, and you remain liable for ensuring proper disposal. The covered entity cannot transfer responsibility by handing drives to a vendor.
How long must HIPAA data destruction records be retained?
HIPAA requires that documentation related to Security Rule compliance be retained for six years from the date of creation or the date it was last in effect, whichever is later. This includes records of media disposal and destruction. Certificates of data erasure, disposal logs, and related policies should all be kept for a minimum of six years.
Is physical destruction of hard drives required by HIPAA?
No. HIPAA does not require physical destruction. Software-based erasure that renders ePHI unreadable and unable to be reconstructed is acceptable. However, physical destruction (shredding, degaussing for HDDs, or disintegration) is an alternative that some organizations prefer for drives that have failed or contain highly sensitive data. Both approaches can satisfy the regulation when properly documented.
Do business associates need their own data destruction policies under HIPAA?
Yes. Under the HITECH Act and the HIPAA Omnibus Rule, business associates are directly subject to the HIPAA Security Rule, including the disposal requirements. Every business associate that handles ePHI must have its own documented media sanitization policy, train its workforce on proper disposal procedures, and maintain records of all data destruction activities.
The Bottom Line
HIPAA does not tell you exactly how to wipe a hard drive, but it is clear about the result: ePHI must be unreadable and unable to be reconstructed. Follow NIST 800-88 Purge-level sanitization, use software that generates certificates of erasure, and keep records for six years. Whether you run a two-physician clinic or a major hospital system, the requirements are the same. Educational institutions handling student health records should also review our FERPA data destruction guide. Start with our data erasure standards overview to understand the methods, then choose a compliant tool.
Last updated: February 2026. We regularly review and update our guides to ensure accuracy.
Sources:
- HIPAA Security Rule, 45 CFR 164.310(d)(2). https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310
- HHS Guidance on Rendering Unsecured PHI Unusable, Unreadable, or Indecipherable. https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
- NIST Special Publication 800-88 Rev. 2, "Guidelines for Media Sanitization." https://csrc.nist.gov/publications/detail/sp/800-88/rev-2/final
- HIPAA Administrative Requirements, 45 CFR 164.316(b) — Documentation. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
- HHS HIPAA Enforcement Highlights. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
- HIPAA Breach Notification Rule, 45 CFR 164.402. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402