Hi Joe,
Fortunately, HIPAA does not require any specific algorithm or pattern, but rather defers to NIST SP 800-88, which only requires a single pass (true-random or pseudo-random). That said, I’ve seen a higher concentration of healthcare organizations with internal policy that dictates 3 or even 7 pass processes than any other vertical market, as arbitrary as it seems. Regardless, I’ve worked with many organizations that fall under HIPAA who determined that a single pass “NIST” wipe is sufficient for compliance, and have yet to encounter any interpretation of HIPAA that suggests otherwise.
I hope this helps.
-Mike C.
E-Reuse Services, Inc.