From my perspective, the largest "attack surface" in the disposal process, the point that offers the greatest opportunity for attack or error, is computer recycling. Why?
Many employees charged with computer disposal approach the process as a recycling event; data destruction is viewed only as a by-product of electronics recycling. The employee lets an electronics recycler remove old computers from his or her custody with the hard drives still installed, on the promise of "full erasure" once the equipment reaches the recycler's warehouse. At that point the organization has lost custody of its data and has no way to verify what happens next; the hard drive will, most likely, be resold on the secondary market.
If the computer disposal project is instead approached as a data destruction event, the employee has many questions to answer. Should we erase, degauss or shred hard drives? (Degaussing only affects magnetic media; it does nothing to solid-state drives or other flash storage, so the media type of each drive has to be known before a method is chosen.) Do our computers have one or two hard drives? Does our printer/copier have a hard drive? Onsite data destruction is the safest option, but is offsite acceptable?
Staying compliant with HIPAA and HITECH is very difficult, especially if you don't understand how digital data is stored and how it is properly destroyed.
Hire a NAID Certified vendor that will: 1) physically shred computer hard drives, 2) perform the service onsite (at your location), 3) give you a Certificate of Destruction with a serial number report listing every drive destroyed, so you can reconcile it against the drives you handed over, and 4) show proof of Professional Liability Insurance specific to data destruction.
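A serial number report is only useful if someone actually reconciles it against the drives that left your custody. The following is an added example, not code from the original post or from any vendor: it compares a constructed hand-off inventory (asset tag, host, drive serial, media type) against a constructed vendor serial report, flags drives that were handed over but never certified destroyed, drives destroyed with a method unsuitable for their media (degaussing an SSD), and serials on the certificate that you never handed over. The CSV column names and the sample data are assumptions made for this example.

```python
"""Reconcile drives handed to a destruction vendor against the serial-number
report that accompanies the Certificate of Destruction.

Added example; column names and sample records are constructed for illustration.
"""
import csv
import io
import re

# Constructed sample: what the asset owner recorded before the vendor arrived.
# Recording the media type matters because degaussing is only valid for magnetic drives.
HANDOFF_CSV = """asset_tag,host,drive_serial,media
A-1001,ws-fin-01,WD-WCC4E1234567,HDD
A-1001,ws-fin-01,S3Z9NB0K123456,SSD
A-1002,ws-hr-03,ZA1B2C3D,HDD
A-2001,mfp-lobby,MFP-DRV-00991,HDD
"""

# Constructed sample: the vendor's serial report. Note the inconsistent serial
# formatting, one drive that is missing entirely, and one serial we never handed over.
VENDOR_REPORT_CSV = """serial,method,date
wd-wcc4e1234567,shred,2024-03-01
ZA1B2C3D,shred,2024-03-01
S3Z9NB0K123456,degauss,2024-03-01
UNKNOWN-SERIAL-01,shred,2024-03-01
"""


def normalize(serial):
    """Uppercase and drop separators so 'wd-wcc4e...' and 'WD WCC4E...' compare equal.

    Vendors and OS tools often differ in case and punctuation for the same serial.
    """
    return re.sub(r"[^A-Z0-9]", "", serial.upper())


def reconcile(handoff_csv, vendor_csv):
    """Return the three discrepancy lists a reviewer needs before signing off.

    missing      - handed over, but absent from the vendor's report
    wrong_method - on the report, but destroyed with a method invalid for the media
    unexpected   - on the report, but never handed over by us
    """
    handoff = list(csv.DictReader(io.StringIO(handoff_csv)))
    vendor = list(csv.DictReader(io.StringIO(vendor_csv)))

    vendor_by_serial = {normalize(r["serial"]): r for r in vendor}
    handoff_serials = {normalize(r["drive_serial"]) for r in handoff}

    missing = []
    wrong_method = []
    for row in handoff:
        record = vendor_by_serial.get(normalize(row["drive_serial"]))
        if record is None:
            missing.append(row["drive_serial"])
        elif row["media"].upper() == "SSD" and record["method"].lower() == "degauss":
            # Degaussing leaves flash storage intact, so this drive is not destroyed.
            wrong_method.append(row["drive_serial"])

    unexpected = [r["serial"] for r in vendor
                  if normalize(r["serial"]) not in handoff_serials]

    return {"missing": missing, "wrong_method": wrong_method, "unexpected": unexpected}


if __name__ == "__main__":
    for category, serials in reconcile(HANDOFF_CSV, VENDOR_REPORT_CSV).items():
        print(f"{category}: {serials}")
```

Run against the constructed data, the report shows the printer/copier drive (`MFP-DRV-00991`) never made it onto the certificate, the SSD was degaussed rather than shredded, and one serial on the certificate belongs to someone else's equipment. Any non-empty list should block sign-off until the vendor accounts for it.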