Back to all insights

How to Dispose of Old Computers and Devices in a Medical Practice

The Closet Nobody Wants to Open

Almost every practice has one: a closet, a bottom drawer, or a stack under the break-room table holding the hardware that got replaced but never left. A dead front-desk PC. Two laptops from a provider who retired. A box of USB drives. The old copier the leasing company keeps asking about. Every one of those devices may still hold electronic protected health information (ePHI) — and figuring out how to dispose of old computers with patient data is one of the most quietly important, and most frequently botched, tasks in a small healthcare office.

It gets mishandled because the intuition is wrong. People assume that dragging files to the trash, or reformatting a drive, or doing a factory reset, erases what was there. Usually it does not. The good news is that doing this correctly is usually neither costly nor especially technical — it is a matter of knowing which method fits which device, keeping a short record, and building the habit into how your practice already tracks its equipment.

The dangerous device is the one that leaves your control still readable. Disposal is not about getting hardware out the door — it is about making sure the patient data on it is no longer recoverable when it does.

Why Deleting Files and Reformatting Don’t Remove ePHI

Start with the misconception, because it is the root of most disposal failures. When you delete a file, the operating system does not scrub the data off the disk. It simply marks that space as available and removes the file’s entry from the index — the digital equivalent of tearing a chapter out of a book’s table of contents while leaving the pages in place. Until something else happens to overwrite that exact space, the underlying data is often recoverable with free tools. A “quick format” does much the same thing: it rebuilds the index, not the contents.

Solid-state drives (SSDs), in almost every recent computer, add their own twist. They constantly move data around internally to spread out wear, so a simple overwrite can’t reliably reach every copy of a file the drive has quietly stashed. That is why the right approach for an SSD differs from an old spinning hard drive — a distinction the decision table below makes concrete.

The practical lesson: “I deleted everything” and “I reset it” are not the same as “the data is gone.” Treat any device that is leaving your custody — sold, donated, returned to a leasing company, recycled, or thrown away — as if a stranger will try to read it, because eventually one might.

What HIPAA Requires: Device and Media Controls

Secure disposal is not a best-practice nicety layered on top of the rules. It is written into them. The HIPAA Security Rule’s physical safeguards include a standard at 45 CFR 164.310(d)(1) called Device and Media Controls, which requires policies and procedures governing “the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.”

Underneath that standard sit four implementation specifications, and it is worth knowing which are which:

  • Disposal (Required). Implement policies and procedures “to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”
  • Media re-use (Required). Implement procedures “for removal of electronic protected health information from electronic media before the media are made available for re-use.” This is the one that catches the practice re-issuing a departed employee’s laptop to a new hire without a wipe.
  • Accountability (Addressable). Keep a record of hardware and media movements and the person responsible.
  • Data backup and storage (Addressable). Create a retrievable, exact copy of ePHI, when needed, before moving equipment.

A quick but important clarification, because it trips up so many small practices: “Addressable” does not mean “optional.” Under the Security Rule, an addressable specification means you assess whether it is reasonable and appropriate for your environment and, if it is, you implement it — or, if it genuinely isn’t, you document why and adopt an equivalent alternative where that is reasonable and appropriate. For nearly every practice, keeping a simple record of hardware and media movements (Accountability) is both reasonable and cheap, which is why we treat it as a default, not a maybe.

The takeaway is that disposal is a genuine, standing obligation that belongs in your written policies and your risk analysis — not an afterthought at the recycling bin.

What Actually Counts as “Media” in a Small Practice

When people hear “dispose of old computers,” they picture desktops and laptops. Those matter, but the ePHI in a practice hides in a wider set of places — the forgotten ones especially. Walk your office with this list in mind:

  • Computers and their drives — desktops, laptops, and any loose internal hard drives or SSDs pulled during upgrades.
  • Portable media — USB flash drives, SD cards, external backup drives, and the CD/DVD burns nobody remembers making.
  • Backup tapes — still in use in some practices, and often holding years of data.
  • Smartphones and tablets — personal or practice-owned devices that accessed email, imaging apps, or the patient portal.
  • Copiers and multifunction printers. This is the classic blind spot. Many office copiers and multifunction printers contain an internal hard drive that can store images of the documents they scan, fax, copy, or print — including patient records. A leased copier returned without wiping that drive can carry ePHI straight out the door, and returned-copier hard drives have been the subject of past HHS enforcement.
  • Networking and specialty gear — some firewalls, imaging machines, and dental or diagnostic equipment cache patient data locally too.

You cannot sanitize what you have not accounted for, which is why disposal works best when it is tied to the asset and data inventory you should already maintain. The inventory tells you what exists; disposal closes the loop when a line item reaches end of life.

How to Sanitize a Drive: Clear, Purge, or Destroy

The widely used reference for wiping data is the National Institute of Standards and Technology’s guidance in NIST Special Publication 800-88, Revision 2 (2025), “Guidelines for Media Sanitization.” It describes three sanitization methods, so you can match effort to risk:

  1. Clear — Overwrite or reset the media using standard read/write commands so data can’t be recovered with ordinary tools. Adequate when the device will stay inside your organization — for example, re-issuing a wiped laptop to another staff member.
  2. Purge — Apply a stronger, media-specific technique the device itself supports, such as a built-in secure-erase or sanitize command, a cryptographic erase, or degaussing a magnetic (not solid-state) drive, so the data is far harder to reconstruct even in a lab. Appropriate when a device leaves your control but the media is kept intact — sold, donated, or returned to a lessor.
  3. Destroy — Physically shred, disintegrate, incinerate, or pulverize the media so it can no longer be read or reused. The right call for failed drives you can’t verify or cheap media like USB sticks. NIST cautions that physical destruction still has to use a method suited to the media, since dense modern drives can survive careless shredding.

A plain overwrite counts as Clear; the device’s own secure-erase command is what makes it Purge — and NIST 800-88 Rev. 2 advises choosing Purge over Clear where the media supports it. The practical choice comes down to two questions: is the media leaving your control, and can you verify the result? When in doubt, escalate. Destroying an inexpensive drive is far cheaper than explaining why that drive left the building readable.

The Device and Media Disposal Decision Table

Here is the core, reusable asset of this guide — a table any practice can pin next to the equipment closet. Match the item to the row, apply the method, and log the record.

Media or deviceTypical methodVerify / record
Laptop/desktop with an encrypted driveCryptographic erase (destroy the encryption keys) or the drive’s built-in secure-eraseConfirm the drive was encrypted before wiping; log serial, date, method, person
Unencrypted hard drive (HDD)Overwrite (Clear) for internal reuse; secure-erase or degauss (Purge), or destroy, when it leaves your controlLog wipe confirmation or a destruction record
SSD / NVMe drive (unencrypted)The device’s own secure-erase or cryptographic erase; physically destroy if you can’t verifyKeep the tool’s completion report
USB flash drive / SD cardCryptographic erase if encrypted; otherwise physically destroyNote destruction in the log
External backup drive / NAS diskSecure-erase (Purge) or destroyConfirm it isn’t the last copy of needed data first
Backup tapesDegauss (matched to the tape) or destroyCertificate or log entry
Smartphone / tabletOn a modern encrypted device, a factory reset is designed to crypto-erase it — verify the manufacturer’s procedure for the model; remove SIM and SD cardConfirm encryption; log device ID
Copier / multifunction printerUse the vendor’s data-wipe or drive-return option before the lease endsGet written confirmation the drive was wiped or surrendered
Failed / unverifiable drive of any typePhysically destroy rather than trust a wipe you can’t confirmDestruction record or photo log

Method names above follow NIST SP 800-88 Rev. 2; the underlying obligations follow 45 CFR 164.310(d). Paper records aren’t “electronic media” and fall under the Privacy Rule rather than 164.310, but the instinct is the same: cross-cut shred anything with PHI rather than tossing it whole.

Encryption Changes the Cleanup

Notice how often “encrypted” appears in that table. That is not a coincidence, and it is the single best reason to encrypt your devices before you ever need to retire them. When a drive has been fully encrypted from the start — as every practice’s laptops and phones should be — sanitizing it can be as quick as destroying the encryption keys, a technique called cryptographic erase. Its reliability isn’t magic: it depends on the whole drive having been encrypted with strong encryption and on every copy of the key being destroyed. Done right, though, it leaves the remaining data as unreadable noise.

A practice that takes encryption at rest and in transit seriously has already done most of the disposal work in advance: a lost, stolen, or retired device that was properly encrypted is a far smaller problem than an unencrypted one. Encryption doesn’t replace verification — you still confirm and log — but it turns a laborious wipe into a quick, low-risk step and reduces the stakes if a device slips through the cracks.

Using a Disposal Vendor: BAAs and Certificates of Destruction

Many practices, sensibly, hand this off to an IT asset disposition (ITAD) or shredding vendor rather than buying a drive shredder. That is a fine choice — with two conditions.

First, if a vendor will handle media that still contains ePHI, that vendor is a business associate, and you need a signed business associate agreement with them before the devices leave your building. A recycler who wipes or shreds drives with patient data on them is squarely handling PHI on your behalf, so handing those drives over without a BAA is itself a compliance gap.

Second, ask for a certificate of destruction or sanitization that lists what was destroyed, by serial number where possible, along with the method and date. HIPAA doesn’t name that certificate as a line-item requirement, but it is exactly the kind of documentation that supports your Accountability record-keeping and lets you show what happened to a device you didn’t wipe yourself. A vendor that can’t or won’t provide one is telling you something. Chain of custody matters too: sealed containers, a manifest of what went in, and confirmation of what was destroyed close the loop between “we sent it off” and “we can account for where it went.”

Repair is a related but distinct case: a device sent out for service may stay under your control through the vendor’s contract, and wiping it can defeat the repair. Rather than sanitize by reflex, weigh whether the storage media can be removed and kept, and make sure any servicer that can access ePHI is covered by a BAA.

A Pre-Disposal Checklist

Before any device leaves your practice — for recycling, resale, donation, or the dumpster — run it through these steps. Print it and tape it inside the equipment closet.

  1. Identify. Does this device store or access ePHI? When unsure, assume yes.
  2. Back up what you still need. Confirm nothing on it is the last remaining copy of required data.
  3. Choose the method. Use the decision table above to pick Clear, Purge, or Destroy based on the media type and whether it’s leaving your control.
  4. Sanitize. Perform the wipe or destruction — or hand it to a BAA-covered vendor.
  5. Verify. Confirm the wipe completed or the destruction occurred, rather than assuming it did.
  6. Record it. Log the device, serial number, date, method, and the person responsible; file any certificate of destruction.
  7. Release. Only now does the device leave your custody.

That is a quick routine per device once it’s a habit, and it is the difference between disposal that protects patients and disposal that just moves risk down the road.

Building It Into the Asset Lifecycle

The practices that avoid disposal problems are not the ones with the fanciest shredder. They treat retirement as the last stage of an asset’s life: a device gets encrypted when it’s deployed, tracked while it’s in service, and sanitized-and-logged when it’s retired — one continuous chain. Tie that final step to your existing inventory and your annual risk analysis, and disposal stops being a closet full of dread and becomes a routine checkbox that helps strengthen your security posture and support your HIPAA Security Rule efforts.

For a small practice, the whole program fits on one page: a decision table, a checklist, a disposal log, and a BAA with any vendor you use. No enterprise software, no security team — just the discipline to finish what every retired device starts.

Byzantine takeaway: The data on a device outlives the device. Deleting and reformatting don’t remove ePHI; matching the right method — Clear, Purge, or Destroy — to each kind of media does. Encrypt everything up front so cleanup is easy, keep a signed BAA and a certificate of destruction whenever a vendor touches your drives, and log every disposal so you can show each device was properly handled. Open the closet, work the list, and close the loop.