
If you’ve heard “HIPAA changed this year,” you’re not alone. The truth is that most of the 2026 HIPAA conversation is being driven by cybersecurity, especially HHS and OCR’s proposed updates to the HIPAA Security Rule, not a brand-new disposal rule that suddenly rewrites how you recycle old computers.

But that still matters a lot for end-of-life (EOL) equipment, because the fastest way to fail a risk analysis is to ignore two realities:

  1. Old, unsupported systems are high-risk systems.
  2. Retired equipment is still a data breach waiting to happen if disposal is vague, inconsistent, or undocumented.

This post breaks down what’s actually changing (and what’s not), and gives you a practical checklist to tighten your EOL process.

First: HIPAA didn’t “add a new disposal method requirement”

HIPAA’s Privacy and Security Rules have long required “reasonable safeguards” for PHI through disposal. OCR has been very clear that covered entities can’t just abandon PHI (including PHI on electronic media) in places accessible to unauthorized people, but HIPAA also doesn’t mandate one specific disposal method.

So what’s different in 2026?

The difference is expectations around cybersecurity controls, inventories, and documentation, which naturally pulls EOL equipment into the spotlight.

The 2026 driver: proposed HIPAA Security Rule changes (cybersecurity focus)

HHS and OCR issued a Notice of Proposed Rulemaking (NPRM) to strengthen the HIPAA Security Rule, aimed at making security controls more specific and consistent across healthcare.

Even though it’s “proposed,” it’s shaping 2026 compliance priorities because it aligns with what OCR has been pushing for years: stronger, provable cybersecurity fundamentals.

Why this affects end-of-life gear

EOL equipment is where organizations get burned because it often lives in the gray zone:

  • “It’s off network, but still in a closet.”
  • “It was wiped, but we don’t have proof.”
  • “It’s a copier or printer; does it even have storage?”
  • “IT gave it to facilities to ‘get rid of.’”

The proposed Security Rule changes emphasize clearer expectations around things like inventories, risk management, and technology oversight, exactly the areas where EOL devices fall through cracks.

Don’t miss the quiet but huge change: NIST media sanitization guidance was updated

If your disposal policy references NIST SP 800-88, that’s still the right idea, but note that NIST released a new revision (SP 800-88r2) in 2025, superseding the older Rev. 1 guidance many organizations cite.

Why that matters: when healthcare compliance teams ask “what’s best practice for sanitization,” NIST guidance is often the backbone of a defensible process.

Practical takeaway: If your policy or vendor documentation says “we follow NIST 800-88,” it’s worth ensuring your internal references and vendor language are current and consistent with the latest revision.

The real-world EOL risks that cause HIPAA headaches

Here are the most common end-of-life scenarios that create exposure:

1) “We wiped it” but can’t prove it

A wipe without documentation often turns into “trust me,” and trust is not a control. If an incident happens, you’ll want:

  • device identifiers (serial or asset tag)
  • method used (the clear, purge, or destroy category)
  • chain of custody (who had it, when)
  • final disposition record

HIPAA doesn’t demand one exact format, but it does require reasonable safeguards, and documentation is what makes “reasonable” defensible.

2) Forgotten storage: copiers, printers, phones, network gear

EOL programs often focus on laptops, desktops, and servers and miss:

  • MFPs, copiers, and printers with internal drives
  • VoIP phones and conferencing devices
  • firewalls and switches with configs and logs
  • medical devices with embedded storage (case-by-case)

These aren’t always “PHI devices,” but they’re frequently “PHI-adjacent devices,” and they often bypass formal ITAD controls.

3) Unsupported systems kept online “until next budget cycle”

From a Security Rule perspective, an unsupported OS or unpatchable application is hard to justify in a risk analysis. The NPRM’s overall direction reinforces that outdated software and weak controls are no longer treated as edge cases.

A practical 2026 EOL playbook for HIPAA-covered environments

Use this as your internal checklist (or as criteria when evaluating an ITAD partner).

Step 1: Inventory what’s being retired (and what touched ePHI)

At minimum:

  • Device type (laptop, desktop, server, MFP, network, or medical)
  • Serial number or asset tag
  • Department or owner
  • Whether it stored or accessed ePHI (yes, no, or unknown)

If “unknown,” treat it as yes unless you have strong reason not to.

Step 2: Decide the required outcome: reuse vs destruction

A clean framework is:

  • Reuse candidate: purge to a high standard + verify + document
  • Not a reuse candidate or high sensitivity: destroy storage media (shred)

HIPAA doesn’t force shredding, but shredding is often the simplest way to reduce risk for older drives, unknown history devices, or high-sensitivity environments.

Step 3: Build chain of custody into the process

Chain of custody should start at pickup:

  • sealed containers or locked carts (where practical)
  • who released equipment
  • who received it
  • where it went next

This is especially important for multi-site systems, clinics, and satellite offices.

Step 4: Use a defensible sanitization standard and record it

If you reference NIST, be explicit about aligning to NIST SP 800-88 (current revision) in your policy language.
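One way to make Steps 1 to 4 and the documentation list from section 1 checkable is to audit each disposition record against them. This is an added example, not code from the original post or from Data Recycling of New England; the field names, the "unknown counts as yes" rule, the reuse-versus-destroy mapping, and the sample records and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
SANITIZATION_METHODS = {"clear", "purge", "destroy"}  # NIST SP 800-88 categories

@dataclass
class EolRecord:
    asset_id: str          # serial number or asset tag (Step 1)
    device_type: str       # laptop, desktop, server, mfp, network, medical
    ephi: str              # "yes", "no" or "unknown" (Step 1)
    reuse_candidate: bool  # Step 2 decision
    method: str            # clear / purge / destroy (Step 4)
    verified: bool         # sanitization result was checked, not just claimed
    custody: list = field(default_factory=list)  # (released_by, received_by, when) hops
    disposition: str = ""  # final disposition record

def contained_ephi(rec: EolRecord) -> bool:
    # Step 1 rule: an "unknown" ePHI status is treated as "yes"
    return rec.ephi.strip().lower() != "no"

def required_method(rec: EolRecord):
    # Step 2 framework: reuse candidates are purged, everything else is destroyed;
    # None means the device never held ePHI, so any recognised method is acceptable
    if not contained_ephi(rec):
        return None
    return "purge" if rec.reuse_candidate else "destroy"

def audit(rec: EolRecord) -> list:
    # Return the gaps that would make this record hard to defend in a risk analysis
    issues = []
    if not rec.asset_id.strip():
        issues.append("no serial number or asset tag")
    if rec.method not in SANITIZATION_METHODS:
        issues.append(f"unrecognised sanitization method {rec.method!r}")
    want = required_method(rec)
    if want and rec.method != want:
        issues.append(f"{want} required but record says {rec.method!r}")
    if rec.reuse_candidate and not rec.verified:
        issues.append("purge result not verified")
    if not rec.custody:
        issues.append("no chain of custody")
    for (_, got, _), (gave, _, _) in zip(rec.custody, rec.custody[1:]):
        if got != gave:  # each hand-off's receiver must be the next hop's releaser
            issues.append(f"custody gap: {got} received it, {gave} released it")
    if not rec.disposition.strip():
        issues.append("no final disposition record")
    return issues

# Constructed sample records (hypothetical assets and dates, not real ones)
MFP_OK = EolRecord("MFP-0417", "mfp", "unknown", False, "destroy", True,
                   [("Radiology", "IT", "2026-02-03"), ("IT", "ITAD vendor", "2026-02-05")], "internal drive shredded")
LAPTOP_BAD = EolRecord("", "laptop", "yes", True, "clear", False,
                       [("Billing", "IT", "2026-02-03"), ("Facilities", "ITAD vendor", "2026-02-05")])
```

Running `audit(LAPTOP_BAD)` surfaces the missing asset tag, the wrong sanitization category for a reuse candidate, the unverified wipe, the custody gap between IT and Facilities, and the absent disposition record, while `audit(MFP_OK)` returns nothing.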

Step 5: Close the loop with final reporting

At minimum:

What to tell leadership in one sentence

If leadership asks “what’s the impact of HIPAA updates on retirement and disposal?”:

Healthcare organizations should treat end-of-life equipment as part of cybersecurity: tight inventories, provable sanitization and destruction, and documented custody reduce HIPAA exposure.

Common questions

Does HIPAA require shredding hard drives? No. HIPAA requires reasonable safeguards, not one mandated method, but shredding is often a simple, defensible way to prevent data exposure when risk is high or device history is unclear.

Is wiping enough for HIPAA? It can be, if it’s done properly and you can prove it. The risk is less about the idea of wiping and more about inconsistent execution and missing documentation.

Do copiers and printers matter? Often, yes. Many have internal storage, and they frequently skip standard IT retirement workflows.

If you’re updating your 2026 policies, the simplest improvement is to make EOL disposition repeatable and auditable: inventory → custody → sanitize or destroy → report. That’s the difference between “we think we handled it” and “we can prove we handled it.”

If you are tightening your 2026 policies, Data Recycling of New England helps healthcare organizations across New England retire equipment securely and on the record. Contact us to get started.