If you haven’t yet had to replace a computer…you will soon.

When replacing any computer OR any device that has (or may have) PHI stored on it, you must dispose of it according to HIPAA requirements.

Additionally, you must have a policy in place that details this exact process.

We have done all of the hard work for you in our HIPAA compliant Computer Disposal Policy.

So…before you dispose of a computer from your office whether you plan to:
throw away the computer
give the computer to charity
give the computer to an employee
give the computer to anyone

You must ensure all PHI is removed from the computer…and DELETING does not do it!

The Regulations require that you ensure all PHI is removed from any storage device (computer) before disposing of it.

Even if you have an IT company who says they’ll take care of it, you need to have a policy and procedure in place…and you need to make sure they are doing it correctly. Give them this policy to follow.

Like everything else we do, we’ve made this as easy as possible.

Simple checklists to follow.

Clear and concise policies and procedures to follow.

CFR 164.310 (a)(2)(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

CFR 164.310 (d)(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.