Meanwhile, the hard disks are stacking up. I was sure we could find a low-cost solution, get the necessary approvals and solve the problem.

Plenty of commercial companies could provide the service we need. I found one called PC Disposal that has a program appropriately named Secure Plus Risk Management Disposal. The company will ship you "secure packing equipment," and then it will pick up your equipment, wipe your hard drives with Department of Defense -standardized methods and dispose of them according to state and federal guidelines. If you want to prep your equipment for resale or donation, it will help you do that. Importantly for us, the service is guaranteed to be HIPAA-compliant.

But here's what caught my eye: The company has a US$1 million service guarantee that says, "If we fail to complete the services listed on your certificate of disposal and your hard drive is discovered with recoverable data still on it, your company will receive a check for $1,000,000." Great marketing.

Still, I had to chuckle because I know that $1 million in no way would make up for having protected health data end up in the wrong hands. Besides, I realized that we could handle the problem internally without spending a ton of money. The key to data disposal is proper disk sanitization.

I happened to be downloading material from the National Institute of Standards and Technology 's Web site on an unrelated matter when I ran across a publication titled "Guidelines for Media Sanitization" (NIST Special Publication 800-88). A quick glance through the 33-page document showed me that it contained pretty high-level stuff. The guidelines include a decision matrix for determining how to destroy various media and components. For example, data has to be manually deleted from handhelds, then you have to perform a manufacturer's hard reset, and finally you must incinerate, shred and pulverize the unit. That's kind of what we had in mind for our hard disks.