# HIPAA Media Destruction SOP (Step-by-Step)

Records: Retain forms, logs, approvals for 6 years.
(Printable Checklist)

# HIPAA Media Destruction SOP

Purpose: Ensure compliant sanitization/destruction of media with ePHI (HIPAA 45 CFR §164.310(d); NIST SP 800-88).

Section A: Authorization  
\[ \] Complete Media Destruction Form; obtain required approvals.

Section B: Method Selection  
\[ \] Determine Clear/Purge/Destroy based on media type and reuse.

Section C: Execution  
\[ \] Perform selected method (e.g., crypto erase, degauss, shred).  
\[ \] Document tool, serials, operator, witness, timestamps.

Section D: Verification  
\[ \] Validate results (hash/visual/certification) and record certificate #.

Section E: Disposal & Recycling  
\[ \] Use vetted vendor; maintain BAA if applicable.  
\[ \] Ensure environmental compliance and documentation.

Section F: Records & Review  
\[ \] Update asset records; store forms and certificates 6 years.  
\[ \] Review failures and implement corrective actions.

Sign-Off  
\- Performed By (print/sign/date): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Witness (print/sign/date): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Security/Privacy Review (print/sign/date): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

# HIPAA_Media_Destruction_Form

HIPAA Media Destruction Verification & Chain of Custody Form

Instructions: Complete for any media/device containing ePHI. Retain for 6 years.

Section 1: Media Details  
\- Media Type (HDD/SSD/Tape/USB/Optical/Mobile): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Asset Tag / Serial #: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Capacity: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Location (site/room): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Custodian/Department: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Data Classification (ePHI/PII/etc.): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Section 2: Authorization  
\- Ticket/Change/Incident #: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- System Owner Approval (name/sign/date): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Security/Privacy Approval (name/sign/date): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Section 3: Sanitization/Destruction Method  
\- Method (NIST 800-88 Clear/Purge/Destroy): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Tool/Procedure Used (e.g., crypto erase, degauss, shred): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Standard/Ref (e.g., NIST SP 800-88 Rev.1): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Performed By (name/sign/date): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Witness (name/sign/date): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Section 4: Validation  
\- Verification Method (hash match/visual inspection/cert #): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Result: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
\- Certificate of Destruction/Work Order #: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Chain of Custody Log  

| Date/Time | From | To | Signature | Notes |
|-----------|------|----|-----------|-------|
| | | | | |
| | | | | |
| | | | | |