
When a shredding company leaves your parking lot or returns your hard drives after a destruction event, the job is not quite finished. One thing still needs to change hands before your organization can consider its compliance obligations met: a certificate of destruction.
A certificate of destruction is a formal document issued by a destruction vendor that provides written confirmation that specific records or media were destroyed on a given date, using a specified method, by a named and authorized service provider. It functions as the legal paper trail connecting your organization’s records to their permanent disposal, and it is the primary evidence you will produce if your destruction practices are ever questioned by a regulator, auditor, or opposing counsel.
This article explains what a certificate of destruction is, what it must include to be useful for compliance purposes, how it differs for paper documents versus electronic media, how long you should keep it, and what red flags to watch for when reviewing one.
Why a Certificate of Destruction Is Not Optional
Many businesses treat the certificate of destruction as a routine formality, something to file away and forget. For organizations subject to federal or state data protection requirements, it is considerably more significant than that.
Several major regulatory frameworks either explicitly require documentation of destruction or make it a practical necessity for demonstrating compliance:
- HIPAA requires covered entities and business associates to document the destruction of protected health information (PHI) as part of their overall privacy and security program. The destruction event and method must be recorded and retained.
- FACTA’s Disposal Rule, enforced by the Federal Trade Commission, requires businesses to take reasonable measures to dispose of consumer information derived from credit reports and to be able to demonstrate that they did so properly.
- GLBA (Gramm-Leach-Bliley Act) requires financial institutions to protect customer financial information through its disposal, and documentation of that disposal is part of a defensible compliance program.
- SOX (Sarbanes-Oxley Act) requires that certain financial records be retained and eventually disposed of appropriately, with the disposal process subject to audit.
- State privacy laws, including those in California, New York, and others with specific data disposal requirements, increasingly require documented destruction of personally identifiable information.
Beyond specific regulations, a certificate of destruction protects your organization in litigation. If a data breach or records dispute arises and the question is whether certain records were properly destroyed, the certificate is the evidence that answers that question. Without it, you are left relying on memory and the goodwill of a vendor.
What a Certificate of Destruction Should Include
Not all certificates of destruction are created equal. A legitimate, compliance-grade certificate should contain enough specific information to independently verify what was destroyed, when, how, and by whom. The following elements should be present in any certificate of destruction your organization accepts:
- Date and time of destruction. The specific date when the destruction took place, and ideally the time window during which the event occurred.
- Description of materials destroyed. This should identify the type of records (paper documents, hard drives, backup tapes, x-rays, etc.), the quantity (number of boxes, number of drives, weight in pounds, or number of cartons), and where possible a description of the content categories being destroyed.
- Method of destruction. Paper records should specify shredding (and ideally the shred size, such as cross-cut or micro-cut). Electronic media should specify degaussing, physical shredding, or disintegration. Incineration should be noted if used.
- Your organization’s name and address. The certificate should clearly identify whose records were destroyed and at what location they were collected or destroyed.
- Destruction vendor name, address, and contact information. The vendor issuing the certificate should be fully identified.
- Unique job or transaction number. A reference number ties the certificate to the vendor’s internal records, which can be important if you need to verify or audit the event later.
- Name and signature of the authorized representative. An individual at the destruction company should sign the certificate, taking responsibility for the accuracy of the information it contains.
- Certification statement. The certificate should include a declaration that the materials listed were destroyed in accordance with applicable laws and industry standards.
- NAID AAA Certification number, if applicable. NAID (now part of i-SIGMA) is the primary certification body for the secure destruction industry. If your vendor holds this certification, their certificate number should appear on the document and can be verified independently.
If a certificate of destruction arrives without most of these elements, it is worth asking the vendor to provide a corrected version. A reputable provider will have no issue doing so.
Certificates of Destruction for Different Types of Records
The core elements above apply broadly, but certain types of records carry additional requirements or considerations.
Paper Documents
For routine paper shredding, a standard certificate of destruction covering the elements listed above is typically sufficient. Where healthcare records are involved, the certificate should be accompanied by a signed Business Associate Agreement (BAA) between your organization and the shredding vendor, as required under HIPAA before any PHI is transferred to a third party for destruction.
For large backfile purges or scheduled destruction events involving high volumes of sensitive records, some organizations request that the vendor log the specific box barcodes or container identifiers included in the destruction event, providing document-level accountability rather than just a volume count.
Hard Drives and Electronic Media
Destruction of hard drives, SSDs, backup tapes, USB drives, and other electronic media requires additional specificity in the certificate. In addition to the standard elements, a certificate for media destruction should include:
- The serial numbers of each hard drive or device destroyed
- The make and model of the devices where available
- The specific destruction method used (degaussing, shredding, or disintegration)
- Confirmation that the method used meets the standard specified by NIST SP 800-88, the federal guideline for media sanitization that many regulated industries reference
Without serial numbers, there is no way to verify after the fact that a specific device was actually destroyed. This matters most when a specific drive is the subject of a legal hold, a breach investigation, or an audit.
Healthcare Records and PHI
For any destruction event involving protected health information, the certificate of destruction should be retained as part of your organization’s HIPAA documentation records. Healthcare providers should verify that the destruction vendor has signed a Business Associate Agreement before any records leave the facility, and the certificate itself should reference the BAA or include a statement that the destruction was performed in compliance with HIPAA requirements.
Medical practices that use a medical records custodian to manage and eventually destroy records after a closure or retirement should confirm that the custodian maintains its own certificate of destruction process and can provide documentation of every destruction event to the practice or its successors.
How Long Should You Keep a Certificate of Destruction?
The answer depends on the type of records that were destroyed and the regulations that governed them.
As a general baseline, most compliance professionals recommend retaining certificates of destruction for at least as long as the underlying records would have been required to be kept, or for the duration of any applicable statute of limitations. For many business records, that means six to seven years. For HIPAA-related destruction events, the HIPAA Privacy Rule requires that documentation of destruction be retained for six years from the date of the destruction event.
A practical approach is to store certificates of destruction alongside your organization’s retention schedule documentation, so the two can be reconciled during an audit. If your organization uses a document management system, creating a specific category for destruction certificates with a defined retention period prevents them from being filed inconsistently or lost.
Red Flags to Watch For in a Certificate of Destruction
A certificate of destruction is only as useful as the information it contains. These are signs that a certificate may be incomplete or that the vendor’s practices may not meet compliance standards:
- No specific date or only a date range. Destruction events should be documented to the specific day. A certificate covering “the month of March” provides limited audit value.
- No description of materials. A certificate that says “documents” without specifying quantity, type, or content category is not specific enough for compliance purposes.
- No method of destruction specified. “Destroyed” is not a method. The certificate should identify exactly how destruction was carried out.
- No signature or no named individual. An unsigned certificate or one signed only by “management” without a named individual is harder to verify and raises questions about accountability.
- No vendor certification or license information. Reputable destruction vendors carry certifications and, in some states, operate under specific licensing requirements. Their credentials should be verifiable.
- No unique job number. Without a reference number, there is no way to connect the certificate to the vendor’s internal destruction records if a dispute arises.
If a shredding vendor cannot provide a certificate that meets these standards, that is important information about the quality of their compliance program overall.
Frequently Asked Questions
What is a certificate of destruction?
A certificate of destruction is a written document issued by a shredding or destruction vendor confirming that specific records or media were permanently destroyed on a specified date using a specified method. It provides the legal documentation that connects an organization’s records to their permanent disposal and serves as the primary evidence of compliant destruction practices.
Is a certificate of destruction required by law?
No single federal law universally requires a certificate of destruction by name, but several major regulations, including HIPAA, FACTA’s Disposal Rule, GLBA, and various state privacy laws, require organizations to document the proper disposal of sensitive information. A certificate of destruction is the standard mechanism for meeting that documentation requirement, and it is the document auditors and regulators typically request as proof of compliant disposal.
How long should I keep a certificate of destruction?
Most compliance guidance recommends retaining certificates of destruction for at least as long as the underlying records would have been required to be kept, which is often six to seven years for general business records. Under HIPAA, documentation of PHI destruction must be retained for six years. When in doubt, retaining certificates of destruction permanently is a low-cost way to maintain a complete compliance record.
What is the difference between a certificate of destruction for paper records and one for hard drives?
Both should include the standard elements covering date, method, quantity, vendor information, and a signature. A certificate for hard drive destruction adds serial numbers for each device destroyed and specifies whether the method used meets NIST SP 800-88 standards for media sanitization. Without serial numbers, there is no way to verify that a specific device was included in the destruction event.
What is NAID AAA Certification and why does it matter on a certificate of destruction?
NAID, now part of i-SIGMA, is the primary industry certification body for secure destruction vendors. NAID AAA Certification indicates that a vendor has been independently audited and meets defined standards for security, employee screening, chain of custody procedures, and destruction methods. When a certificate of destruction includes a vendor’s NAID certification number, it can be independently verified, adding credibility to the certificate and the underlying destruction event.
Can my organization create its own certificate of destruction if we shred documents in-house?
Yes, organizations that handle destruction internally should document each destruction event with an internal record that captures the same core elements: date, description of materials, method, quantity, and the name of the employee responsible. While this does not carry the third-party verification of a vendor-issued certificate, it establishes an internal audit trail. For regulated industries, however, using a certified third-party vendor and receiving their certificate of destruction is generally the more defensible approach.
Emerald Document Imaging provides secure document shredding and media destruction services with full chain of custody documentation and a certificate of destruction for every event. Whether you need a scheduled shredding program, a one-time purge, or hard drive destruction with serial number documentation, our team ensures your records are destroyed compliantly and completely.
Learn more about our Document Destruction services and request a quote.
