Retention and Destruction/Disposal of Private and Confidential Information: Difference between revisions

From University of Nebraska Medical Center
Jump to navigation Jump to search
(Created page with "POLICY NO :6056<br /> EFFECTIVE DATE: 03/17/03<br /> <br /> <big>'''Retention and Destruction/Disposal of Private and Confidential Information Policy'''</big> NOTE: T...")
 
 
(33 intermediate revisions by 2 users not shown)
Line 1: Line 1:
POLICY NO :6056<br />
<table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0">
 
<tr>
EFFECTIVE DATE: 03/17/03<br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Human Resources]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Safety/Security]] </td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Research Compliance]] </td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Compliance]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Privacy/Information Security]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Business Operations]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Intellectual Property]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Faculty]]</td>
</tr>
</table>
<br />
<br />
 
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI as Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]]
 
<br /><br />
Policy No.: '''6056'''<br />
 
Effective Date: '''03/17/03'''<br />
Revised Date: '''10/28/22 draft''' <br />
Reviewed Date: ''' '''
<br /><br />
<big>'''Retention and Destruction/Disposal of Private and Confidential Information Policy'''</big>
<big>'''Retention and Destruction/Disposal of Private and Confidential Information Policy'''</big>
== Basis for Policy ==
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access.  [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls. 
==Policy==
#It is the policy of the UNMC/Nebraska Medicine and its affiliated entities to ensure the privacy and security of confidential information in the maintenance, retention and eventual destruction/disposal of such media. All destruction/disposal of confidential information media will be done in accordance with federal and state law and pursuant to the [http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule]. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.
#Records involved in any open investigation, audit or litigation should not be disposed of/destroyed. If a preservation notice is received the record retention schedule shall be suspended for these records until the preservation notice terminates.
#Records scheduled for destruction/disposal should be secured against unauthorized or inappropriate access until the destruction/disposal of the information is complete.
#Private and confidential information shall be destroyed/disposed of using a method that ensures the information cannot be reconstructed or read.
#Individuals who know or suspect that confidentiality has been breached by another person or persons have a responsibility to report the breach to the respective supervisor or to the Human Resources Department. Employees should not confront the individual under suspicion or initiate investigations on their own, as such actions could compromise any ensuing investigation. All individuals are to cooperate fully with those performing an investigation pursuant to this policy.
==Procedures==
#If destruction/disposal services are contracted, the contract must provide that the contactor (Business Associate) will establish the permitted and required uses and disclosures of information as set forth in the federal and state law (in accordance with UNMC Policy No. 8009, [[Contracts]], ''' “Contract Management Policy”). Does Nebraska Medicine also have a policy to reference? If so, need policy #''') and include the following elements:
##Specify the method of destruction/disposal
##Specify the time that will elapse between acquisition and destruction of data/media
##Establish safeguards against breaches in confidentiality
##Indemnify the organization from loss due to unauthorized disclosure
##Require that the contractor (Business Associate) maintain liability insurance in specified amounts at all times the contract is in effect
##Provide proof of destruction/disposal
#Confidential information shall be disposed of according to the table below:
{| class="wikitable"
|-
|'''Medium'''||'''Destruction Procedure(s)'''
|-
| Paper|| All paper should be disposed of in the desk-side recycling bins, the recycling carts or shredded in a shredding machine. All paper is considered confidential in the recycling process.
Food waste and toiletry products are excluded and should not be placed in recycling bins.
|-
| Audiotapes/Videotapes  || Tape over the information or forward the audiotape/videotape to Environmental Services (DOC 0647; zip 9030) in a sealed package for destruction. Place a "Please Destroy" label on the tape.
|-
| CD ROMs/DVDs || Cut in two and dispose of in trash.
Large volumes of CDs may be forwarded to Environment Services.
|-
| Cell Phones || Cell phones which are no longer in use shall be returned to Information Technology which will dispose of the equipment.
|-
| Computerized Data/Hard Disk Drives
'''(NOTE:'''  This includes hard drives in any devices, including copy machines or devices with non-removable hard drives)
|| This section includes tablet devices (such as iPads, Samsung Tablets, etc.) as well as laptops with non-removable hard drives (such as MacBooks or Surface computers).


Requestor will enter a Service Request containing the following information:<br />
NOTE: These guidelines are provided to assist UNMC workforce, including those in the patient treatment areas of the Munroe-Meyer Institute, the College of Medicine Optical Shop, the Lions Eye Bank and the College of Dentistry, as applicable, comply with HIPAA regulations. Those departments and clinics which fall under the jurisdiction of  The Nebraska Medical Center and/or University Medical Associates should consult the policies and procedures of those entities for authoritative guidance.<br />
1. Request to decommission a data/hard disk storage device<br />
<br />
2. A statement that records are being destroyed in the normal course of business pursuant to Nebraska Medicine Record Retention Policy ('''is there a policy number?''')/[http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule] <br />
 
3. Name of the department representative authorizing data destruction<br />
 
4. Phone number of representative authorizing destruction<br />
5. Requestor will then arrange secure delivery of devices to North Doctors Building, Ground Floor, to PC Support. <br />
=== Basis for Policy ===
6. PC Support will receive and will securely store the devices until physically destroyed.<br />
<br />
7. Final destruction and salvage take place in IT. <br />
<br />
8. Questions regarding this process can be directed to PC Support Dispatch at 402-552-7777.<br />
 
'''NOTE:'''  In the circumstances where a copier is being traded out, PC Support will ensure that the hard drive is secured by following their internal procedures.<br />
'''NOTE 2:'''  PC Support may, at its discretion, use data wiping tools to enable reuse of certain hard drives.  PC Support will follow [https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization] which authorizes using the DOD certified standard 5022.22, 3X for wiping
 
|-
Retention and subsequent destruction/disposal of proprietary and protected health information are governed by federal and state regulations and University policies and procedures. These regulations and guidelines include, but may not be limited to:
| Cassette Tapes/Magnetic Media|| Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
 
|-
   
| Computer Diskettes/Floppy Disks || Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
* Health Insurance Portability and Accountability Act of 1996 (HIPAA)
|-
*    Executive Memorandum No. 27, HIPAA Compliance Policy
| Laser Disks|| Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the disks.
*    Board of Regents Bylaws
|-
*    Board of Regents Policies
| Microfilm/Microfiche || Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the microfilm/microfiche.
*    Privacy, Confidentiality and Information Security Policy
|-
*    Institutional Review Board Guidelines, Retention of Research Records for Non-Exempt Research
| Photographs || Photographs should be shredded or cut in multiple pieces. Photographs should not be placed in recycling containers.
*    Information Technology Services Procedures
|-
*    UNMC Record Retention Schedule<br />
| Radiology Films || Refer to Radiology Dept. Policy, LR - 6.12, "Retention/Disposal of Radiology Images" '''is this a Nebraska Medicine or UNMC policy?'''
<br />
|-
 
| Printer Ribbons || Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the container.
 
|-
=== Policy ===
| Other || Follow federal/state requirements; contact the Director, Environmental Services, at 402-559-6118, '''(do you have a better number for them?)''' or [mailto:debrbishop@nebraskamed.com Privacy Officer] for further information.
<br />
|}
 
===Destruction of Paper===
 
#Handling and Security Procedures
'''Retention'''
##Departmental management and Environmental Services should jointly develop a plan for the security, transport and storage of confidential materials from customer departments to the secured locked containers. The placement of the secured locked containers will be jointly developed between departmental management, [mailto:rhboldt@unmc.edu Recycling Coordinator] and Environmental Services.
 
##Locked containers should not be tampered with by unauthorized UNMC/Nebraska Medicine employees.
   
##Environmental Services will be responsible for issuing and logging the keys for unlocking these containers.
 
#Documentation of Secure Disposal
It is the policy of the University of Nebraska Medical Center (UNMC) and its affiliated entities to ensure the privacy and security of proprietary and protected health information in the maintenance, retention, and eventual destruction/disposal of such media. All destruction/disposal of patient health information media will be done in accordance with federal and state law and pursuant to the UNMC Record Retention Schedule. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.
The Certificate of Destruction for all recycled UNMC/Nebraska Medicine confidential material will be kept on file in the Recycling Coordinator’s office.
 
==Definitions==
===Affiliated Covered Entity (ACE)===
 
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.   
The retention schedule for destruction/disposal shall be suspended for records involved in any open investigation, audit, or litigation. Individuals who know or suspect that confidentiality has been breached by another person or persons have a responsibility to report the breach to the respective supervisor or administrator or to the Human Resources Department. Employees should not confront the individual under suspicion or initiate investigations on their own, as such actions could compromise any ensuing investigation. All individuals are to cooperate fully with those performing an investigation pursuant to this policy.
===Business Associate===
 
A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.
===Confidential Information===
 
Protected Health Information and proprietary information, including contracts, business plans and practices, financial information, employee records and meeting minutes.
'''Disposal/Destruction'''
===Protected Health Information (PHI)===
 
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
*is created or received by UNMC/ACE; and
 
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
Department administration shall determine what information entrusted to their department is private and/or confidential and shall communicate methods of protecting that information through the destruction/disposal process to appropriate persons associated with their department.  
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
 
*an Individual’s genetic tests; 
*the genetic tests of an Individual’s family members; or
 
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
All paper waste must be placed in a recycling container. Environmental Services (EVS)is responsible for the security, transport and storage of confidential paper waste from internal customer locations.  EVS will secure the confidential waste in locked containers provided by the UNMC Recycling Center.  All confidential waste containers will be secured on the dock areas or at the collection points designated by department policy. As recycling containers are transported on the trucks to the Recycling Center, they will be the responsibility of the UNMC Recycling Center staff. The UNMC Recycling Center will be responsible for disposing of the recycled material in a secure manner and ensuring that all documentation necessary for demonstrating compliance with regulations is maintained.Failure to appropriately dispose of/destroy private or confidential information may result in sanctions, civil or criminal prosecution and penalties, scholastic or employment corrective action which could lead to dismissal or, as it relates to health care professionals or others outside of UNMC, suspension or revocation of all access privileges.
*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
 
PHI excludes:
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
 
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and  
'''Definitions'''
*employment records held by UNMC in its role as employer.
 
==Additional Information==
*Contact the [mailto:infosecurity@unmc.edu Information Security Office]
 
*Contact Director, Environmental Services, at 402-559-6118, '''(do you have a better number for them?)'''
Information is data presented in readily comprehensible form.  (Whether a specific message is informative or not depends in part on the subjective perceptions of the person who receives it.)  Information may be stored or transmitted via electronic media, on paper or other tangible media, or be known by individuals or groups. Information generated in the course of University operations is a valuable asset of the University and belongs to the University.
*Contact Human Resources – Records at 402-559-8962 or Human Resources - Employee Relations
 
*Contact [mailto:rhboldt@unmc.edu Recycling Coordinator]
   
*Contact [mailto:debrbishop@nebraskamed.com Privacy Officer]
 
*Contact PC Support Dispatch at 402-552-7777 ('''is there an email address for this dept?''')
Proprietary information refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records and student records:
*Procedure No. 6056, [https://info.unmc.edu/its-security/policies/procedures/destruction-confinfo.html Destruction of Private and Confidential Information]
 
*UNMC Policy No. 8009, [[Contracts]]
   
*[http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule]
* Employee records refers to all information, records and documents pertaining to any person who is an applicant or nominee for any University personnel position described in the Board of Regents Bylaws, § 3.1, regardless of whether any such person is ever actually employed by the University, and all information, records and documents pertaining to any person employed by the University.
*Nebraska Medicine Record Retention Policy ('''is there a policy number?''')
*    Student education records means any information recorded in any way which directly relates to a student and is maintained by or on behalf of UNMC (education agency/institution). Student education record does not include a (i) sole possession record, (ii) law enforcement record, (iii) employee record of a person other than a student who is employed by UNMC by virtue of his or her status as a student at UNMC, (iv) alumni record and (v) medical record that is part of the common medical record shared by UNMC, The Nebraska Medical Center, UMA and UDA.  (NOTE: The HIPAA privacy regulation does not apply to education records covered by FERPA.)<br />
*Radiology Dept. Policy, LR - 6.12, Retention/Disposal of Radiology Images
 
*Contract Management Policy '''(policy number needed)'''
 
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]
Protected Health Information (PHI) is individually identifiable health information.  Health information means any information, whether oral or recorded in any medium, that:
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]
<br />
*[https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization]
 
   
* is created or received by UNMC; and
*     relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
<br />
<br />
 
Records containing PHI, in any form, are the property of UNMC. The PHI contained in the record is the property of the individual who is the subject of the record.
 
 
For additional information, contact Sheila Wrobel, Privacy Officer, or see Privacy, Confidentiality and Information Security Procedures contained in the following resources:<br />
 
 
   
* UNMC Privacy, Confidentiality and Information Security Procedures
*     UNMC Destruction of Private and Confidential Information Procedures
*     Laboratory Notebook Maintenance Procedures<br />
<br />
 
 
 
This policy contains minor revisions to UNMC Policy #6056, issued on 03/17/03.<br />


This page updated on Monday, February 16, 2004, by dkp.
This page maintained by [mailto:dpanowic@unmc.edu dkp].

Latest revision as of 09:47, August 15, 2023

Human Resources   Safety/Security   Research Compliance   Compliance   Privacy/Information Security   Business Operations   Intellectual Property   Faculty


Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training | Patient Privacy Investigations and Levels of Violation | Use and Disclosure of PHI for Training Health Care Professionals | Disclosures of PHI as Permitted or Required by Law | Disclosure of PHI for Law Enforcement Purposes

Policy No.: 6056
Effective Date: 03/17/03
Revised Date: 10/28/22 draft
Reviewed Date:

Retention and Destruction/Disposal of Private and Confidential Information Policy

Basis for Policy

Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. NIST Special Publication 800-53 and the HIPAA Security Rule outline considerations for the access control family of security controls.

Policy

  1. It is the policy of the UNMC/Nebraska Medicine and its affiliated entities to ensure the privacy and security of confidential information in the maintenance, retention and eventual destruction/disposal of such media. All destruction/disposal of confidential information media will be done in accordance with federal and state law and pursuant to the UNMC Record Retention Schedule. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.
  2. Records involved in any open investigation, audit or litigation should not be disposed of/destroyed. If a preservation notice is received the record retention schedule shall be suspended for these records until the preservation notice terminates.
  3. Records scheduled for destruction/disposal should be secured against unauthorized or inappropriate access until the destruction/disposal of the information is complete.
  4. Private and confidential information shall be destroyed/disposed of using a method that ensures the information cannot be reconstructed or read.
  5. Individuals who know or suspect that confidentiality has been breached by another person or persons have a responsibility to report the breach to the respective supervisor or to the Human Resources Department. Employees should not confront the individual under suspicion or initiate investigations on their own, as such actions could compromise any ensuing investigation. All individuals are to cooperate fully with those performing an investigation pursuant to this policy.

Procedures

  1. If destruction/disposal services are contracted, the contract must provide that the contactor (Business Associate) will establish the permitted and required uses and disclosures of information as set forth in the federal and state law (in accordance with UNMC Policy No. 8009, Contracts, “Contract Management Policy”). Does Nebraska Medicine also have a policy to reference? If so, need policy #) and include the following elements:
    1. Specify the method of destruction/disposal
    2. Specify the time that will elapse between acquisition and destruction of data/media
    3. Establish safeguards against breaches in confidentiality
    4. Indemnify the organization from loss due to unauthorized disclosure
    5. Require that the contractor (Business Associate) maintain liability insurance in specified amounts at all times the contract is in effect
    6. Provide proof of destruction/disposal
  2. Confidential information shall be disposed of according to the table below:
Medium Destruction Procedure(s)
Paper All paper should be disposed of in the desk-side recycling bins, the recycling carts or shredded in a shredding machine. All paper is considered confidential in the recycling process.

Food waste and toiletry products are excluded and should not be placed in recycling bins.

Audiotapes/Videotapes Tape over the information or forward the audiotape/videotape to Environmental Services (DOC 0647; zip 9030) in a sealed package for destruction. Place a "Please Destroy" label on the tape.
CD ROMs/DVDs Cut in two and dispose of in trash.

Large volumes of CDs may be forwarded to Environment Services.

Cell Phones Cell phones which are no longer in use shall be returned to Information Technology which will dispose of the equipment.
Computerized Data/Hard Disk Drives

(NOTE: This includes hard drives in any devices, including copy machines or devices with non-removable hard drives)

This section includes tablet devices (such as iPads, Samsung Tablets, etc.) as well as laptops with non-removable hard drives (such as MacBooks or Surface computers).

Requestor will enter a Service Request containing the following information:
1. Request to decommission a data/hard disk storage device
2. A statement that records are being destroyed in the normal course of business pursuant to Nebraska Medicine Record Retention Policy (is there a policy number?)/UNMC Record Retention Schedule
3. Name of the department representative authorizing data destruction
4. Phone number of representative authorizing destruction
5. Requestor will then arrange secure delivery of devices to North Doctors Building, Ground Floor, to PC Support.
6. PC Support will receive and will securely store the devices until physically destroyed.
7. Final destruction and salvage take place in IT.
8. Questions regarding this process can be directed to PC Support Dispatch at 402-552-7777.
NOTE: In the circumstances where a copier is being traded out, PC Support will ensure that the hard drive is secured by following their internal procedures.
NOTE 2: PC Support may, at its discretion, use data wiping tools to enable reuse of certain hard drives. PC Support will follow NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization which authorizes using the DOD certified standard 5022.22, 3X for wiping

Cassette Tapes/Magnetic Media Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
Computer Diskettes/Floppy Disks Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
Laser Disks Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the disks.
Microfilm/Microfiche Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the microfilm/microfiche.
Photographs Photographs should be shredded or cut in multiple pieces. Photographs should not be placed in recycling containers.
Radiology Films Refer to Radiology Dept. Policy, LR - 6.12, "Retention/Disposal of Radiology Images" is this a Nebraska Medicine or UNMC policy?
Printer Ribbons Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the container.
Other Follow federal/state requirements; contact the Director, Environmental Services, at 402-559-6118, (do you have a better number for them?) or Privacy Officer for further information.

Destruction of Paper

  1. Handling and Security Procedures
    1. Departmental management and Environmental Services should jointly develop a plan for the security, transport and storage of confidential materials from customer departments to the secured locked containers. The placement of the secured locked containers will be jointly developed between departmental management, Recycling Coordinator and Environmental Services.
    2. Locked containers should not be tampered with by unauthorized UNMC/Nebraska Medicine employees.
    3. Environmental Services will be responsible for issuing and logging the keys for unlocking these containers.
  2. Documentation of Secure Disposal

The Certificate of Destruction for all recycled UNMC/Nebraska Medicine confidential material will be kept on file in the Recycling Coordinator’s office.

Definitions

Affiliated Covered Entity (ACE)

Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.

Business Associate

A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI in any form, even if PHI is not accessed. Some examples of such services include storage, including cloud storage, claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.

Confidential Information

Protected Health Information and proprietary information, including contracts, business plans and practices, financial information, employee records and meeting minutes.

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members; or
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
  • any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.

PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years.
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

Additional Information

This page maintained by dkp.