What is HIPAA Compliance?

HIPAA, the Health Insurance Portability and Accountability Act, sets national standards for protecting sensitive patient health information (PHI). While most people associate HIPAA with medical records and data sharing, the regulation also covers the disposal of electronic devices that have stored, processed, or transmitted PHI.

Under HIPAA's Security Rule, covered entities and their business associates must implement policies for the proper disposal of electronic media containing PHI. This means hospitals, clinics, dental offices, insurance companies, and their IT service providers must ensure that hard drives, backup tapes, mobile devices, and any other media are properly sanitized before disposal or reuse.

HIPAA violations related to improper disposal can result in significant fines — up to $1.5 million per violation category per year. Working with a certified ITAD provider that follows NIST 800-88 guidelines and provides certificates of destruction helps healthcare organizations demonstrate compliance. Many providers also sign Business Associate Agreements (BAAs) to formalize their HIPAA obligations.