Skip to Content

HIPAA - Media Re-use 164.310(d)(2)(ii)

472  Matthew Burdick September 29, 2022  Physical Safeguards

Overview:
Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.


Action Items:
1) Obtain and review procedures related to media re-usage. Evaluate the content in relation to the specified performance criteria for removing EPHI from electronic media before they are issued for reuse. Elements to review may include but are not limited to: Workforce members’ roles and responsibilities in the media re-use process; How the removal of ePHI from electronic media is verified; How ePHI will be removed from electronic media before external and internal re-use
2) Obtain documentation demonstrating media re-use procedures being implemented and how EPHI has been removed from electronic media. Evaluate and determine if the process used for the reuse of electronic media is appropriate; that EPHI is properly removed from electronic media prior to reuse; that EPHI that is removed is unusable, inaccessible, and indecipherable; and that removal of EPHI from electronic media has been verified prior to reuse of electronic media.


Related Documents:
1) Procedures related to media re-usage.
2) Documentation demonstrating media re-use procedures being implemented and how ePHI has been removed from electronic media.


Additional Guidance:
In addition to appropriate disposal, covered entities must appropriately reuse electronic media, whether for internal or external use. Internal re-use may include re-deployment of PCs or sharing floppy disks. External re-use may include donation of electronic media to charity organizations or local schools. In either of these instances, it is important to remove all EPHI previously stored on the media to prevent unauthorized access to the information.


Sample questions for covered entities to consider:
- Are procedures developed and implemented for removal of EPHI from electronic media before re-use?
- Do the procedures specify situations when all EPHI must be permanently deleted or situations when the electronic media should only be reformatted so that no files are accessible?
Not Rated
Secure Code