
Particle Size Related to HITECH and NIST Specification Causing Confusion and Concern


In 2009, the Department of Health and Human Services (HHS) issued guidance related to safe harbors for healthcare providers to avoid mandatory data breach notification. 

That guidance states that disposing of computer hard drives after sanitization that meets National Institute of Standards and Technology (NIST) specification SP 800-88 does not require data breach notification. It also states that destroying paper media in such a manner that it “cannot be read or otherwise cannot be reconstructed” provides that same safe harbor.

The NIST SP 800-88 specification reference in the HHS Guidance DOES NOT APPLY to paper media within the HHS Safe Harbor Guidance, HIPAA, HITECH or Data Breach Notification.

Unfortunately, because NIST SP 800-88 also contains a specification for paper destruction, one that calls for a very small particle size, some HIPAA/HITECH Covered Entities are misinterpreting the HHS Guidance as mandating that this destruction specification extend to paper as well. Again, the HHS Guidance's reference to NIST SP 800-88 does not extend to paper media, only to sanitization.

Here is the language as it reads in the Federal Register:

(b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.

(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800–88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

It is also important to note that NONE of this is actually a requirement of HIPAA or HITECH.  It is simply advice regarding safe harbors for avoiding possible data breach notification events.
