A small medical clinic is retiring several solid-state drives (SSDs) that once stored patients' electronic medical records. The compliance officer states that the drives must be sanitized so that no protected health information (PHI) can ever be recovered. Which action should the PC technician take to meet HIPAA requirements and NIST SP 800-88 guidelines with the least risk of residual data?
Delete the existing partitions and perform a quick format from Windows Disk Management.
Degauss the drives with an NSA-approved degausser.
Physically destroy the SSDs (e.g., shred, pulverize, or disintegrate them) and obtain a certificate of destruction.
Store the drives in an offline cabinet for seven years before disposal.
HIPAA allows electronic PHI to be cleared, purged, or destroyed as long as the data is rendered unreadable and irretrievable. NIST SP 800-88 notes that degaussing works only on magnetic media and is ineffective on flash-based SSDs, so it would leave the records fully intact. Deleting partitions or performing a quick format merely clears directory entries; the underlying blocks still hold the data, and on an SSD wear leveling and over-provisioned areas mean that even ordinary overwrites cannot be guaranteed to reach every copy of it. Retaining the drives in a cabinet for seven years does not sanitize them; it only postpones disposal and adds a theft risk in the meantime. NIST SP 800-88 does recognize purge methods for SSDs (the drive's built-in block-erase or cryptographic-erase sanitize commands), but their effectiveness depends on the firmware implementing them correctly and the result must be verified. Physically destroying the SSDs (shredding, pulverizing, or disintegrating them so the flash chips themselves are broken up) and obtaining a certificate of destruction ensures the data cannot be reconstructed and gives the clinic documentation of the sanitization, fully satisfying the regulatory requirement with the least risk of residual data.