HIPAA Media Destruction SOP (Step-by-Step)

Records: Retain forms, logs, and approvals for 6 years.

(Printable Checklist)

HIPAA Media Destruction SOP

Purpose: Ensure compliant sanitization/destruction of media with ePHI (HIPAA 45 CFR §164.310(d); NIST SP 800-88).

Section A: Authorization
[ ] Complete Media Destruction Form; obtain required approvals.

Section B: Method Selection
[ ] Determine Clear/Purge/Destroy based on media type and reuse.

Section C: Execution
[ ] Perform selected method (e.g., crypto erase, degauss, shred).
[ ] Document tool, serials, operator, witness, timestamps.

Section D: Verification
[ ] Validate results (hash/visual/certification) and record certificate #.

Section E: Disposal & Recycling
[ ] Use vetted vendor; maintain BAA if applicable.
[ ] Ensure environmental compliance and documentation.

Section F: Records & Review
[ ] Update asset records; store forms and certificates 6 years.
[ ] Review failures and implement corrective actions.

Sign-Off
- Performed By (print/sign/date): ______________________________________________
- Witness (print/sign/date): _________________________________________________
- Security/Privacy Review (print/sign/date): ___________________________________

HIPAA Media Destruction Verification & Chain of Custody Form

Instructions: Complete for any media/device containing ePHI. Retain for 6 years.

Section 1: Media Details
- Media Type (HDD/SSD/Tape/USB/Optical/Mobile): _______________________________________
- Asset Tag / Serial #: _______________________________________
- Capacity: _______________________________________
- Location (site/room): _______________________________________
- Custodian/Department: _______________________________________
- Data Classification (ePHI/PII/etc.): _______________________________________

Section 2: Authorization
- Ticket/Change/Incident #: _______________________________________
- System Owner Approval (name/sign/date): _______________________________________
- Security/Privacy Approval (name/sign/date): _______________________________________

Section 3: Sanitization/Destruction Method
- Method (NIST 800-88 Clear/Purge/Destroy): _______________________________________
- Tool/Procedure Used (e.g., crypto erase, degauss, shred): _______________________________________
- Standard/Ref (e.g., NIST SP 800-88 Rev.1): _______________________________________
- Performed By (name/sign/date): _______________________________________
- Witness (name/sign/date): _______________________________________

Section 4: Validation
- Verification Method (hash match/visual inspection/cert #): _______________________________________
- Result: _______________________________________
- Certificate of Destruction/Work Order #: _______________________________________

Chain of Custody Log
  | Date/Time       | From          | To            | Signature      | Notes             |
  |_________________|_______________|_______________|________________|___________________|
  |                 |               |               |                |                   |
  |                 |               |               |                |                   |
  |                 |               |               |                |                   |