One of the most overlooked but critical aspects of HIPAA compliance is managing medical equipment and decommissioning equipment and media that contain electronic protected health information (ePHI).
An organization may have many types of equipment that contain ePHI, including computers, servers, laptops, workstations, printers, fax machines, copiers, smartphones, tablets, USB drives, thumb drives, CDs, or DVDs. When this equipment will no longer be used for ePHI, either in or out of the organization, it must be decommissioned or destroyed.
If the equipment will be used by another organization, all ePHI must be removed. If the equipment will be used internally by an area of the organization that does not need access to ePHI, all ePHI must still be removed. Removing the ePHI during decommissioning requires more than just deleting the files: deletion only removes the references to the data, not the data itself. The equipment must be sanitized and all ePHI rendered irretrievable. Various types of sanitization software can be used for this. Regardless of which sanitization method you choose, ensure that once it is complete the decommissioning of the equipment has been documented.
If the equipment will be taken out of service rather than repurposed, it should be destroyed to ensure the ePHI is irretrievable. You can be creative in how you do this, as long as the ePHI cannot be recovered. Again, be sure to keep a log of each piece of equipment that is destroyed.
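As an added illustration (not part of the original text, and not any particular product's tooling) of the two points above, verifying that sanitization actually happened and documenting the result: the script below scans a wiped device or disk image block by block, reports the first byte that still holds data, and appends a decommissioning record to a log file. The asset identifier, operator name, method label and the sample images are constructed for the example.

```python
import io
import json
import os
from datetime import datetime, timezone

def first_residual_offset(stream, block_size=1 << 20):
    """Read a wiped device or image block by block and return the offset of the
    first non-zero byte, or None if every byte is zero (the overwrite completed).
    A plain file deletion leaves the contents in place, so it fails this check."""
    zero_block = bytes(block_size)
    offset = 0
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            return None
        if chunk != zero_block[: len(chunk)]:
            return offset + next(i for i, b in enumerate(chunk) if b)
        offset += len(chunk)

def scan_bytes(data, block_size=1 << 20):
    """Same check over an in-memory image (used for the constructed samples)."""
    return first_residual_offset(io.BytesIO(data), block_size)

def decommission_record(asset_id, media_path, method, operator):
    """Verify the sanitized media and build one entry for the decommission log."""
    with open(media_path, "rb") as stream:
        residual = first_residual_offset(stream)
    return {
        "asset_id": asset_id,                     # constructed identifier
        "media": os.path.basename(media_path),
        "size_bytes": os.path.getsize(media_path),
        "sanitization_method": method,
        "operator": operator,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "result": "PASS" if residual is None else "FAIL",
        "first_residual_offset": residual,
    }

def append_to_log(record, log_path="decommission_log.jsonl"):
    """Append one JSON line per asset so the log is easy to audit later."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")

if __name__ == "__main__":
    # Constructed sample images: one properly overwritten, one where the file was only deleted.
    with open("wiped.img", "wb") as f:
        f.write(bytes(4096))
    with open("deleted_only.img", "wb") as f:
        f.write(bytes(1024) + b"PATIENT: DOE, JANE  MRN 000123" + bytes(1024))
    for img in ("wiped.img", "deleted_only.img"):
        rec = decommission_record("ASSET-0042", img, "single-pass zero overwrite", "j.smith")
        append_to_log(rec)
        print(rec["media"], rec["result"], rec["first_residual_offset"])
```

Run it against the real block device (for example a path under /dev on Linux) after the wipe tool finishes; any FAIL result means the media is not ready to leave the organization.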