HIPAA Media Destruction SOP (Step-by-Step)

Records: Retain forms, logs, approvals for 6 years.

(Printable Checklist)

HIPAA Media Destruction SOP

Purpose: Ensure compliant sanitization/destruction of media with ePHI (HIPAA 45 CFR §164.310(d); NIST SP 800-88).

Section A: Authorization
[ ] Complete Media Destruction Form; obtain required approvals.

Section B: Method Selection
[ ] Determine Clear/Purge/Destroy based on media type and reuse.

Section C: Execution
[ ] Perform selected method (e.g., crypto erase, degauss, shred).
[ ] Document tool, serials, operator, witness, timestamps.

Section D: Verification
[ ] Validate results (hash/visual/certification) and record certificate #.

Section E: Disposal & Recycling
[ ] Use vetted vendor; maintain BAA if applicable.
[ ] Ensure environmental compliance and documentation.

Section F: Records & Review
[ ] Update asset records; store forms and certificates 6 years.
[ ] Review failures and implement corrective actions.

Sign-Off
- Performed By (print/sign/date): ______________________________________________
- Witness (print/sign/date): _________________________________________________
- Security/Privacy Review (print/sign/date): ___________________________________

HIPAA_Media_Destruction_Form

HIPAA Media Destruction Verification & Chain of Custody Form

Instructions: Complete for any media/device containing ePHI. Retain for 6 years.

Section 1: Media Details
- Media Type (HDD/SSD/Tape/USB/Optical/Mobile): _______________________________________
- Asset Tag / Serial #: _______________________________________
- Capacity: _______________________________________
- Location (site/room): _______________________________________
- Custodian/Department: _______________________________________
- Data Classification (ePHI/PII/etc.): _______________________________________

Section 2: Authorization
- Ticket/Change/Incident #: _______________________________________
- System Owner Approval (name/sign/date): _______________________________________
- Security/Privacy Approval (name/sign/date): _______________________________________

Section 3: Sanitization/Destruction Method
- Method (NIST 800-88 Clear/Purge/Destroy): _______________________________________
- Tool/Procedure Used (e.g., crypto erase, degauss, shred): _______________________________________
- Standard/Ref (e.g., NIST SP 800-88 Rev.1): _______________________________________
- Performed By (name/sign/date): _______________________________________
- Witness (name/sign/date): _______________________________________

Section 4: Validation
- Verification Method (hash match/visual inspection/cert #): _______________________________________
- Result: _______________________________________
- Certificate of Destruction/Work Order #: _______________________________________

Chain of Custody Log

| Date/Time       | From          | To            | Signature      | Notes             |
|_________________|_______________|_______________|________________|___________________|
|                 |               |               |                |                   |
|                 |               |               |                |                   |
|                 |               |               |                |                   |