Review your existing policies for re-use and disposal of computer resources, paper documents, film, etc. to ascertain if they adequately account for the re-use and disposal of electronic protected health information. The following considerations should be included in your policies, at least as to electronic protected health information.

  1. Describe who makes the decision to re-use and dispose of electronic protected health information and other sensitive electronic information.
  2. Describe, if applicable, who approves the procedures for re-use and disposal.
  3. Describe how outdated computer equipment, other electronic devices, and electronic media are discarded. Note that dumpsters and trash containers should not be the disposal method unless all information has been completely removed and is not retrievable.
  4. Describe how electronic protected health information and other sensitive electronic information is removed from the outdated computer resources and who has the responsibility for assuring such removal.
  5. Describe the methods used to erase and assure nonrecoverability of electronic protected health information contained on tapes, hard drives, diskettes, etc., and when removal of such information is required. Methods may include overwriting, physical destruction, magnetic erasure, etc.
  6. Describe, if applicable, the recycling program and what types of electronic media are subject to recycling.
  7. If vendors have responsibility for re-use or disposal, describe the systems in place to assure complete and appropriate re-use or disposal so that electronic protected health information is not inadvertently retrievable.