If you are subject to HIPAA (either as a Covered Entity or as a Business Associate), you may have heard that you have Media Sanitization obligations. Anytime you take a storage device (like a laptop with a hard drive) and dispose of it, sell it, or otherwise transfer it, you need to pause briefly to make sure you follow your media sanitization obligations. We find much of the material on this to be written in a way that is extremely hard for anyone but an IT / HIPAA specialist to understand, so we're writing this article in plain language to cover some of the key points.
So, without further ado, let's dive into what techniques you should consider when you need to part ways with a storage device that has Protected Health Information (PHI) on it. If you go a few clicks into some of the hhs.gov resources about media sanitization, you'll find yourself at this document: NIST Special Publication 800-88. And, a couple dozen pages of fine print into that document, you'll finally get to the "Summary of Sanitization Methods" that (we'll spare you the details) apply to HIPAA. Here's what you need to know about these sanitization methods, at a high level.
Suppose that you have a laptop, whose hard drive is filled with blood test results (or x-rays, or MRIs, or patient billing information, or any other PHI). If you want to "clear" that information off of the laptop's hard drive, is it adequate to drag all of those documents/images to the Trash / Recycle Bin in the Windows / Mac interface? No. That's not good enough.
The most popular media sanitization techniques that use the "Clear" method, involve overwriting everything on the hard drive with other unrelated / arbitrary data. You could think of it as overwriting everything on your hard drive with copy after copy of Don Quixote. Or copy after copy of the Abbey Road album by The Beatles. Or copy after copy of satellite imagery of your home town. Usually it's something more mundane, though, like an arbitrary sequence of ones and zeros, but you get the idea. The point is, don't just use the Windows / Mac way of "deleting" files -- you also need to then overwrite the entirety of the storage device's capacity with other (probably arbitrary) data.
Pro tip: it's not worth doing on your own manually, there are readily available software programs that will do this thoroughly for you.
Purging a storage device is a more severe approach than clearing. See, the way that Windows or Macs access their storage devices, involve certain "guard rails" and ground rules about how the storage device is conventionally used by modern operating systems.
But, forgetting about Windows and Mac for now, what a storage device like a hard drive does -- is to store ones and zeros... a LOT of them. The "Purge" method of media sanitization doesn't honor the guard rails that your operating system might use about how the storage device is managed. It goes straight down to the ones and zeros and overwrites all of them... without regard to what parts of the storage device the operating system was using for any particular purpose.
It's a little more technical than the "Clear" approach, but is more thorough.
This one is is the most invasive of all, and it sometimes involves crushers, shredders, or incinerators. After a physical destruction of storage media, not only will you have destroyed the data, but in most cases you'll end up with a totally unrecognizable handful of shreds or scraps that bear no visual similarity to the storage device that you started with. This is the most precautious of all media sanitization techniques, and candidly, isn't often necessary. We'd recommend it primarily for situations where a storage device malfunctioned and has no future potential to be used again.
We hope we've made this topic more approachable. You are always welcome to peruse the 56 page NIST publication, or the lengthy texts on the hhs.gov website -- but we thought a better starting point on the topic of media sanitization might be a plain language explanation of some of the key concepts. Hope you've found it helpful -- feel free to get in touch if you have a particular situation you'd like a hand with.