For Florida Healthcare Organizations

HIPAA Compliant IT Disposal in Florida

Healthcare-grade ITAD for hospitals, medical practices, and Business Associates across Florida. HIPAA-trained technicians, NIST 800-88 destruction, signed BAAs, and complete chain-of-custody documentation.

Florida healthcare organizations face a specific risk when retired computers, servers, and storage media leave the facility: a single hard drive containing PHI in the wrong hands becomes a reportable breach under 45 CFR 164.402. Excess IT Hardware provides HIPAA compliant IT disposal across Florida — performed by HIPAA-trained technicians, documented to NIST 800-88 standards, and backed by Business Associate Agreements. The result is retired IT assets disposed of in a way your compliance officer can defend in an audit.


What HIPAA Requires for IT Disposal


Under 45 CFR 164.310(d)(2), Covered Entities and Business Associates must implement policies and procedures for the final disposition of electronic Protected Health Information (ePHI) and the hardware or media on which it is stored. Specifically:

  • Disposal procedures must address ePHI in any form, including hard drives, SSDs, backup tapes, mobile devices, and any media that previously stored ePHI.
  • Reuse procedures must include removal of ePHI before any media is made available for reuse.
  • Implementation must follow recognized standards. The Department of Health and Human Services explicitly references NIST Special Publication 800-88 (Guidelines for Media Sanitization) as the methodology that satisfies the disposal requirement.

Retired IT assets that leave a healthcare facility without documented sanitization or destruction are a breach risk under 45 CFR 164.402. The failure point is almost never the deletion itself — it is the absence of documentation proving the deletion occurred.

How Excess IT Hardware Stays HIPAA Compliant

HIPAA compliance for an IT disposal vendor is not a single certificate hanging on a wall. It is the combination of trained personnel, documented procedures, and contractual accountability. Here is how Excess IT Hardware delivers each element:

HIPAA-Certified Technicians

Every Excess IT Hardware employee who handles client equipment completes formal HIPAA training, which includes a HIPAA education course covering the Privacy Rule and Security Rule, and a HIPAA Security course covering the technical, administrative, and physical safeguards for ePHI under 45 CFR 164.308 through 164.312. Individual certificates of completion are kept on file and available on request. This is what makes Excess IT Hardware a HIPAA compliant vendor — the personnel handling your equipment are personally trained and personally certified.

Business Associate Agreement (BAA)

Excess IT Hardware executes a Business Associate Agreement with each Covered Entity client, as required under 45 CFR 164.308(b) and 164.314(a). The BAA establishes our contractual obligations to protect ePHI, defines permitted uses, requires breach notification, and specifies the safeguards we apply. BAAs are reviewed annually and updated to match current OCR guidance.

Documented Chain of Custody

Every device leaving a client facility is logged at the point of pickup with serial number, asset tag, location, and the name of the receiving Excess IT Hardware technician. The chain of custody is maintained through transport, intake at our facility, sanitization or destruction, and final disposition. This documentation is what closes the audit trail under 45 CFR 164.310(d)(2)(iii).

NIST 800-88 Destruction Standards

All data-bearing media is sanitized following NIST Special Publication 800-88 — the methodology HHS references as the standard for media disposal. Hard drives are physically shredded to particle sizes that prevent reconstruction. SSDs are destroyed using methods validated for flash media. Tapes are degaussed and shredded. The destruction method is matched to the media type, not applied generically.

Certificate of Destruction

After destruction is complete, a serialized Certificate of Destruction is issued. The certificate lists each asset by serial number, the destruction method applied, the date, and the technician who performed the work, and it is signed under the BAA. This is the document your compliance officer or auditor will request.

The HIPAA-Compliant Disposal Process

Six steps, every time, regardless of asset volume:

  1. BAA Execution

Before the first asset is touched, Excess IT Hardware and the Covered Entity execute a Business Associate Agreement. This establishes the legal framework for the engagement and is required under 45 CFR 164.308(b).

  2. Asset Inventory & Pickup Coordination

A pickup is scheduled at the client’s site. Each asset is logged at pickup with serial number, location, and condition. The HIPAA-trained technician handling the pickup signs for the inventory.

  3. GPS-Tracked Transport

Equipment is transported in vehicles operated by HIPAA-trained personnel. Transport is documented from pickup to facility intake.

  4. NIST 800-88 Data Destruction

At the Excess IT Hardware facility, all data-bearing media is sanitized or destroyed following NIST 800-88. Hard drives are shredded. SSDs are destroyed using flash-appropriate methods. Tapes are degaussed and shredded.

  5. Serialized Certificate of Destruction

A certificate is issued listing each asset, the destruction method, the date, and the signature of the responsible technician under the BAA.

  6. Recycling and Reporting

Non-data-bearing components are processed through environmentally responsible recycling channels. A final disposition report closes the engagement.

HIPAA / NIST 800-88 Compliance Matrix

The following table shows how Excess IT Hardware’s process maps to the specific HIPAA and NIST 800-88 requirements your auditor will review:

| Requirement | Source | How We Address It |
| --- | --- | --- |
| Final disposition policy for ePHI media | 45 CFR 164.310(d)(2)(i) | Documented disposal procedure executed under BAA |
| Media reuse — ePHI removal | 45 CFR 164.310(d)(2)(ii) | NIST 800-88 sanitization before any reuse path |
| Accountability for media movement | 45 CFR 164.310(d)(2)(iii) | Serialized chain of custody from pickup to destruction |
| Data backup and storage during transport | 45 CFR 164.310(d)(2)(iv) | Documented transport with HIPAA-trained personnel |
| Workforce training | 45 CFR 164.308(a)(5) | All technicians complete HIPAA education + HIPAA Security training |
| Business Associate contract | 45 CFR 164.308(b), 164.314(a) | BAA executed before engagement begins |
| Sanitization methodology | NIST SP 800-88 Rev. 1 | Method matched to media type — Clear, Purge, or Destroy as appropriate |
| Verification and documentation | NIST SP 800-88 §4.7 | Serialized Certificate of Destruction issued post-process |

Healthcare Organizations We Serve

Excess IT Hardware works with the full range of healthcare organizations operating in Florida:

Hospitals and Health Systems

Multi-site decommissioning, server room cleanouts, end-of-life clinical workstations, imaging system retirements.

Medical and Dental Practices

Single-location refresh cycles, retired front-office computers, decommissioned EHR servers, replacement of practice management hardware.

Behavioral Health and Long-Term Care

Workstation refreshes across multiple resident-facing locations with strict ePHI access controls.

Health Plans and Payers

Member services workstation refreshes, claims processing infrastructure decommissioning.

Business Associates

IT vendors, MSPs, billing companies, transcription services, and other Business Associates handling ePHI on behalf of Covered Entities.

Healthcare Real Estate and Facilities

Tenant move-outs, suite turnovers, and facility-wide IT clearings where ePHI may be present on residual equipment.


HIPAA Compliant Data Destruction and ITAD Services

Hard Drive Shredding

Industrial shredding of HDDs and SSDs at NIST 800-88 Destroy level for the highest assurance of data destruction. Required when drives cannot be verified erased or when security policy mandates physical destruction. Review our hard drive shredding services for particle size specifications and media types covered.

On-Site Hard Drive Destruction

For healthcare organizations whose security policy prohibits PHI-bearing media from leaving the facility, we bring mobile destruction equipment to your site. Your team witnesses destruction and receives certificates before our truck departs. Learn more about on-site hard drive crushing.

NIST 800-88 Data Erasure

Software-based sanitization for drives being remarketed rather than destroyed. Cryptographic erasure plus multi-pass overwriting at NIST 800-88 Purge level, producing verified wipe certificates. Useful when drives retain resale value. See our data erasure service for compliance details.

Tape Shredding and Degaussing

Healthcare organizations with legacy backup tapes face a particular PHI risk: tapes accumulate years of patient data. We provide degaussing followed by physical shredding for LTO, DLT, DAT, and all magnetic tape formats. Full details on our tape shredding and degaussing page.

IT Asset Disposition (ITAD)

Full managed ITAD for healthcare organizations retiring equipment at scale. Covers BAA execution, asset inventory, data destruction, value recovery on remarketable equipment, environmentally compliant recycling, and complete compliance documentation. Learn more about our IT asset disposition services.

Data Center Decommissioning

Hospital system consolidations, EHR platform migrations, and facility closures often produce large-scale hardware disposition requirements. Our data center decommissioning services handle end-to-end project management including phased removal, secure destruction, and full audit documentation.

Serving Healthcare Organizations Across Florida

Excess IT Hardware provides HIPAA compliant IT disposal services throughout Florida with free pickup across our primary service areas and nationwide service for multi-state healthcare systems. Our South Florida coverage includes Miami, Fort Lauderdale, Boca Raton, West Palm Beach, Boynton Beach, Delray Beach, Palm Beach Gardens, Jupiter, Hollywood, Pompano Beach, and Port St. Lucie. Outside our direct service footprint, we coordinate nationwide pickup for healthcare systems with Florida and out-of-state locations.

View our complete South Florida service area coverage or learn more about nationwide pickup services for multi-state operations.

Frequently Asked Questions — HIPAA Compliant IT Disposal

Is Excess IT Hardware HIPAA Certified?

No company is HIPAA Certified. The Department of Health and Human Services does not issue HIPAA certifications to organizations — there is no federal HIPAA certification program for companies. What exists is HIPAA training and certification for individual employees. Excess IT Hardware’s employees complete a formal HIPAA education course and a HIPAA Security course, which makes them HIPAA certified individually. Because our HIPAA-certified employees handle every step of the disposal process under a Business Associate Agreement, Excess IT Hardware is HIPAA compliant. Any vendor who claims their company is ‘HIPAA Certified’ is using inaccurate compliance language.

Yes. We execute a Business Associate Agreement with every Covered Entity client before the engagement begins. The BAA is required under 45 CFR 164.308(b) and 164.314(a) and establishes our contractual obligations to protect ePHI, the permitted uses, breach notification requirements, and the safeguards we apply throughout the disposal process.

Every Excess IT Hardware employee who handles client equipment completes a HIPAA education course covering the Privacy Rule and Security Rule, and a HIPAA Security course covering the technical, administrative, and physical safeguards under 45 CFR 164.308 through 164.312. Individual certificates of completion are kept on file and available on request as part of due diligence documentation.

NIST Special Publication 800-88 (Guidelines for Media Sanitization). HHS references NIST 800-88 as the methodology that satisfies the disposal requirement under 45 CFR 164.310(d)(2). The destruction method is matched to the media type — hard drives are physically shredded, SSDs are destroyed using flash-appropriate methods, tapes are degaussed and shredded.

Yes. After destruction is complete, a serialized Certificate of Destruction is issued listing each asset by serial number, the destruction method applied, the date of destruction, the technician responsible, and a signature under the BAA. This is the document your compliance officer or auditor will request as proof of disposition.

Once data has been destroyed under NIST 800-88 standards, the residual hardware components — chassis, memory, motherboards, non-data components — are processed through environmentally responsible recycling channels. A final disposition report closes the engagement and accompanies the Certificate of Destruction.

Yes. We coordinate multi-location pickups across Florida and document each location’s pickup with its own chain of custody. The same BAA governs the entire engagement; each location’s assets are tracked separately by serial number through to destruction.

A ‘HIPAA Certified company’ is not a real designation — HHS does not certify companies. A HIPAA compliant company is one whose policies, procedures, and personnel meet the requirements of HIPAA. For an IT disposal vendor, HIPAA compliance means: (1) employees are individually HIPAA certified through formal training, (2) the company executes BAAs with Covered Entity clients, (3) data destruction follows NIST 800-88, and (4) the chain of custody is documented end to end. This is what Excess IT Hardware delivers.

Request a HIPAA Compliance Consultation

If your organization is planning an IT refresh, facility closure, EHR migration, or simply needs to close a compliance gap in your current disposal process, our team can walk you through exactly how our process maps to your HIPAA obligations. Consultations are complimentary and typically run 20 to 30 minutes.

We will cover your current disposal workflow, identify compliance gaps, explain the BAA process, and provide a written scope of work if you choose to proceed. No obligation.