Can you reuse or dispose of a mobile device that has stored health information on it?
Yes, but only after removing the electronic protected health information (ePHI) stored on the mobile device, or destroying the mobile device itself before disposing of it. The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored. Covered entities may contract with business associates for this.
HHS OCR has issued guidance on destroying protected health information in electronic form to make such information unusable, unreadable or indecipherable to unauthorized persons. Proper destruction methods may include, but are not limited to:
- Clearing (using software or hardware products to overwrite media with non-sensitive data)
- Purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains)
- Destroying the media (disintegration, pulverization, melting, incinerating, or shredding)
Read more about the proper disposal of electronic protected health information [PDF - 148 KB].
Consult NIST SP 800-88, Guidelines for Media Sanitization [PDF - 415 KB], for information on sanitizing protected health information throughout the information life cycle.