Media Sanitization
Process to render ePHI on storage media unreadable, indecipherable, or otherwise inaccessible before disposal or reuse.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Security
- Primary sources
- 2
- Workspace handoff
- compliance binder →
Where this comes up
This sits inside the security risk analysis under 45 CFR 164.308(a)(1)(ii)(A) — workstation controls, EHR access roles, ePHI transmission encryption, audit logging, vendor risk, and incident response. Reviewers expect dated evidence of the control, not a policy PDF that says it exists.
Full definition
What it is in practice
NIST SP 800-88 Rev. 1 defines three categories of media sanitization: clear, purge, and destroy. The HHS Breach Notification safe harbor lists destruction (paper) and NIST-aligned media sanitization (electronic) as the methods that render PHI "secured."
How it shows up in your practice
Maintain a chain-of-custody log for any device leaving the practice and a certificate of destruction from any disposal vendor.
Sources
- NIST SP 800-88 — Guidelines for Media Sanitizationhttps://csrc.nist.gov/pubs/sp/800/88/r1/final
- HHS — Breach Notification Rulehttps://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Track device disposal in the Compliance Binder
Open compliance binder →Related terms
- SecurityPhysical SafeguardsPhysical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- SecurityEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- HIPAA & PrivacyHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- GlossaryPhysical SafeguardsPhysical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- RegulationHIPAA Device and Media Controls (45 CFR 164.310(d))Required specifications for disposal of hardware and electronic media containing ePHI, and media re-use procedures.
- GlossaryEncryption in TransitCryptographic protection of ePHI moving between systems or networks, typically via TLS.
- GlossaryBreach of Unsecured PHIAn impermissible use or disclosure of PHI that is presumed to be a breach unless a four-factor risk assessment shows a low probability that PHI was compromised.
- GlossaryFour-Factor Breach Risk AssessmentThe four-factor analysis at 45 CFR 164.402 used to determine whether an impermissible use or disclosure of PHI is a reportable breach.
- RegulationHIPAA Breach Notification Rule Overview (45 CFR 164.400-414)When unsecured PHI is accessed, used, or disclosed in a manner not permitted, the entity must follow individual, HHS, and (in some cases) media notification requirements within defined timelines.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.