...

Purpose

This document specifies the procedures for bringing people and equipment in and out of a secured facility for processing or storing ePHI (electronic Personal Health Information) covered by HIPAA.

...

Wiping is done on a dedicated workstation by a method approved by the Security Office.

Anyone in the covered entity may initiate the process to remove media from the facility, but it follows the following process.

1. A request with the reason for removal is sent to the building manager HIPAA Liaison who approves or rejects. If necessary, they fill out the RMA paperwork now.

2. The

   HIPAA Liaison approves or rejects the request.

   An authorized HIPAA covered employee will log the identifying information for each device and transfer to a secure container for transport out of the Covered Entityrequestor will place the media in the provided secure container.

3. Container shall be locked with a key kept in the secure area.

4. Container will be transported to the designated site of Security team will transport secure container for wiping / destruction.

5. HIPPA covered employee The security team will unlock with second key kept at wiping / destruction station.

6. Each device will be wiped or destroyed per Security Office policy

7. Employee will generate a certificate of wiping/destruction for each storage device and The person wiping the media will electronically record the details of the wiped media and when it was sanitized. Then they will return the secure container and certificates of destruction to the Covered Entity secure area area.

8. The media is given to the building manager who closes the workflow and sends the drive on.

...

1.   If necessary, they have the original requestor fill out the RMA paperwork.