What does HIPAA say about shredding?
Shredding is a relatively small part of HIPAA. The Privacy Rule’s safeguards standard and the Security Rule’s device and media controls require covered entities to protect protected health information (PHI) through its final disposal, but HIPAA does not prescribe a destruction method or list requirements for shredding. The American Health Information Management Association (AHIMA) suggests that you:

Destroy the records so that there is no possibility of reconstructing the information.

  • Appropriate methods for destroying paper records include burning, shredding, pulping, and pulverizing.
  • Methods for destroying microfilm or microfiche include recycling and pulverizing. 
  • The laser disks used in write once-read many (WORM) document imaging applications cannot be altered or reused, making pulverization an appropriate means of destruction. 
  • The preferred method for destroying computerized data on magnetic media is degaussing. (Data are stored in magnetic media by forcing very small areas called magnetic domains to align with an applied magnetic field. Degaussing leaves the domains in random orientations with no preferred direction, rendering the previous data unrecoverable.) Proper degaussing ensures that there is insufficient magnetic remanence to reconstruct the data; on a modern hard disk it also erases the factory servo tracks, so a degaussed drive cannot be reused and should be disposed of. Degaussing has no effect on solid-state drives, USB flash media, or optical disks; those must be destroyed physically or sanitized with a method the device itself supports. 
  • Overwriting can also be used to destroy computerized data. (To overwrite, cover the data with a pattern, its complement, and then another pattern, e.g. 00110101, followed by 11001010, and then 10010111, and verify the final pass by reading the media back.) The AHIMA guidance warns that, in theory, files overwritten as many as six times can still be recovered; that concern dates from older, low-density drives, and current federal guidance (NIST SP 800-88) accepts a single verified overwrite pass for modern magnetic disks. Overwriting only reaches storage the operating system can address, so remapped bad sectors, file-system slack and journal copies, snapshots, and the wear-leveling reserves of flash media may still hold data. Total data destruction does not occur until the original data and all backup copies have been destroyed. 
  • Although magnetic tapes can be overwritten, it is a time-consuming process and there can be areas on a tape that are unresponsive to overwriting. Degaussing is considered preferable. 
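The overwrite-and-verify procedure described above, as an added Python example that is not part of the AHIMA guidance or of this page’s original text: it overwrites a constructed sample file with the three patterns given (a pattern, its complement, and a third pattern), forces each pass to disk with fsync, and verifies each pass by reading the file back. The file name and the sample record contents are invented for the demonstration.

```python
"""Three-pass pattern overwrite of a file with read-back verification.

Added example, not AHIMA's or any vendor's tool.  It demonstrates the
pattern / complement / pattern scheme on a single file; see the caveats in
overwrite_file() for what an in-place file overwrite cannot reach.
"""
import os
import tempfile

# The passes as described: a pattern, its bitwise complement, another pattern.
PASSES = (0b00110101, 0b11001010, 0b10010111)  # 0x35, 0xCA, 0x97


def verify_pattern(path: str, pattern: int, chunk_size: int = 1 << 16) -> bool:
    """Return True only if every byte of the file equals `pattern`."""
    expected = bytes([pattern]) * chunk_size
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                return True
            if chunk != expected[: len(chunk)]:
                return False


def overwrite_file(path: str, passes=PASSES, chunk_size: int = 1 << 16) -> int:
    """Overwrite every byte of `path` in place with each pass pattern.

    Each pass is flushed and fsync'ed, then verified by reading the file back.
    Returns the number of passes completed; raises IOError on a failed verify.

    Caveat: this only reaches the blocks currently mapped to the file.  It does
    not reach file-system slack or journal copies, snapshots, backups, sectors
    the drive has remapped, or, on SSDs, flash cells that wear leveling has
    retired.  Whole-device sanitization or physical destruction covers those.
    """
    size = os.path.getsize(path)
    completed = 0
    for pattern in passes:
        buf = bytes([pattern]) * chunk_size
        with open(path, "r+b") as f:
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(buf[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the pass to the device before verifying
        if not verify_pattern(path, pattern, chunk_size):
            raise IOError(f"verification failed after pass {completed + 1}")
        completed += 1
    return completed


def demo() -> dict:
    """Create a constructed sample record, wipe it, and report what was checked."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "patient_record.txt")  # invented file name
        # Constructed sample content standing in for a record.
        original = b"Patient: Jane Doe, DOB 1970-01-01, Dx: example\n" * 50
        with open(path, "wb") as f:
            f.write(original)
        passes = overwrite_file(path)
        with open(path, "rb") as f:
            final = f.read()
        return {
            "passes": passes,
            "size_unchanged": len(final) == len(original),
            "last_pattern_everywhere": final == bytes([PASSES[-1]]) * len(original),
            "original_gone": original[:24] not in final,
        }


if __name__ == "__main__":
    print(demo())
```

The second pass is the bitwise complement of the first (0x35 and 0xCA), which is what flips every bit on the media once; the third pass leaves the file in a known state that the read-back check can confirm.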

Document the destruction, including: 

  • date of destruction 
  • method of destruction 
  • description of the disposed records 
  • inclusive dates covered 
  • a statement that the records were destroyed in the normal course of business 
  • the signatures of the individuals supervising and witnessing the destruction 

Maintain destruction documents permanently. (Such certificates may be required as evidence to show records were destroyed in the regular course of business. If facilities fail to apply destruction policies uniformly or where destruction is contrary to policy, courts may allow a jury to infer in a negligence suit that if records were available, they would show the facility acted improperly in treating the patient. See “Sample Certificate of Destruction,” below.) 

  • If destruction services are contracted, the vendor is a business associate, and the contract must meet the business associate contract requirements of the HIPAA Privacy Rule (and, where electronic PHI is involved, the Security Rule). 

In addition, the contract should:

  • indemnify the healthcare facility from loss due to unauthorized disclosure 
  • require that the business associate maintain liability insurance in specified amounts at all times the contract is in effect 
  • provide proof of destruction 

It should also specify the:

  • method of destruction 
  • time that will elapse between acquisition and destruction of data 
