NIST SP 800-88 Revision 1: Guidelines for Media Sanitization
Federal reference for sanitizing electronic media — Clear, Purge, and Destroy categories — with method selection based on media type and confidentiality of the data.
Primary source
NIST SP 800-88 Revision 1 →https://csrc.nist.gov/pubs/sp/800/88/r1/final
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
NIST SP 800-88 Revision 1 ("Guidelines for Media Sanitization", December 2014) is the authoritative federal reference for sanitizing electronic media. It is the standard NIST source cited in the OCR Disposal and Media Re-use specifications under 45 CFR 164.310(d)).
Three sanitization categories:
- Clear: logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery (e.g., overwriting hard drives, factory reset for many flash devices). Protects against keyboard-level attacks.
- Purge: applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques (e.g., NIST-approved cryptographic erase, degaussing for magnetic media).
- Destroy: physical destruction to a state where data cannot be recovered (shredding, disintegration, incineration, melting, pulverization).
Method selection drivers: media type (HDD, SSD, flash, tape, optical, paper), confidentiality of data (low/moderate/high), and whether the media will leave organizational control.
For ePHI-bearing media leaving organizational control (disposal, donation, end-of-lease return), Purge or Destroy is the defensible level. Documented sanitization certificates from disposal vendors (with serial numbers, dates, method used) are the auditable artifact.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationHIPAA Device and Media Controls (45 CFR 164.310(d))Required specifications for disposal of hardware and electronic media containing ePHI, and media re-use procedures.
- RegulationHIPAA Physical Safeguards (45 CFR 164.310)Four standards covering facility access controls, workstation use and security, and device and media controls including disposal and re-use.
- RegulationNIST SP 800-66 Revision 2: HIPAA Security Rule Cybersecurity Resource GuideNIST's 2024 update to the implementation guide for the HIPAA Security Rule, mapping the rule's standards to NIST Cybersecurity Framework subcategories and current cybersecurity practices.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossaryEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- SRAThe HHS SRA Tool vs Paid HIPAA Risk Analysis OptionsWhat the free HHS/ONC Security Risk Assessment Tool actually does, where it stops, and how to evaluate paid alternatives without overpaying for what the free tool already covers.
- ComplianceHIPAA Mobile Device & BYOD Policy Template (45 CFR § 164.310(d) + 164.308(a)(1)(ii)(B))2026 HIPAA mobile and BYOD policy template — 45 CFR § 164.310(d), § 164.308(a)(1)(ii)(B), NIST SP 800-124r2, enrollment and offboarding workflow.
- GlossaryMedia SanitizationProcess to render ePHI on storage media unreadable, indecipherable, or otherwise inaccessible before disposal or reuse.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.