Can you reuse or dispose of a mobile device that has stored health information on it?

Yes, but only after removing the electronic protected health information (ePHI) stored on the mobile device, or destroying the mobile device itself before disposing of it. The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored. Covered entities may contract with business associates for this.

HHS OCR has issued guidance on destroying protected health information in electronic form to make such information unusable, unreadable or indecipherable to unauthorized persons. Proper destruction methods may include, but are not limited to:

Clearing (using software or hardware products to overwrite media with non-sensitive data)
Purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains)
Destroying the media (disintegration, pulverization, melting, incinerating, or shredding)

Read HHS Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.

Read more about the proper disposal of electronic protected health information [PDF - 148 KB].

Consult NIST SP 800-88, Guidelines for Media Sanitization [PDF - 415 KB], for information on sanitizing protected health information throughout the information life cycle.

Certification of Health IT

Health Information Technology Advisory Committee (HITAC)

Health Equity

HTI-1 Final Rule

Information Blocking

Interoperability

Patient Access to Health Records

Clinical Quality and Safety

Health IT and Health Information Exchange Basics

Health IT in Health Care Settings

Health IT Resources

Laws, Regulation, and Policy

ONC Funding Opportunities

ONC HITECH Programs

Privacy, Security, and HIPAA

Scientific Initiatives

Standards & Technology

Usability and Provider Burden

Connect with us: