Retention and Destruction/Disposal of Private and Confidential Information: Difference between revisions

no edit summary
No edit summary
No edit summary
(4 intermediate revisions by the same user not shown)
Line 30: Line 30:
Policy No.: '''6056'''<br />
Policy No.: '''6056'''<br />
Effective Date: '''03/17/03'''<br />
Effective Date: '''03/17/03'''<br />
Revised Date: '''08/29/22 draft''' <br />
Revised Date: '''10/28/22 draft''' <br />
Reviewed Date: ''' '''
Reviewed Date: ''' '''
<br /><br />
<br /><br />
Line 37: Line 37:
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access.  [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.   
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access.  [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.   
==Policy==
==Policy==
1#It is the policy of the UNMC/Nebraska Medicine and its affiliated entities to ensure the privacy and security of confidential information in the maintenance, retention and eventual destruction/disposal of such media. All destruction/disposal of confidential information media will be done in accordance with federal and state law and pursuant to the [http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule]. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.  
#It is the policy of the UNMC/Nebraska Medicine and its affiliated entities to ensure the privacy and security of confidential information in the maintenance, retention and eventual destruction/disposal of such media. All destruction/disposal of confidential information media will be done in accordance with federal and state law and pursuant to the [http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule]. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.  
#Records involved in any open investigation, audit or litigation should not be disposed of/destroyed. If a preservation notice is received the record retention schedule shall be suspended for these records until the preservation notice terminates.
#Records involved in any open investigation, audit or litigation should not be disposed of/destroyed. If a preservation notice is received the record retention schedule shall be suspended for these records until the preservation notice terminates.
#Records scheduled for destruction/disposal should be secured against unauthorized or inappropriate access until the destruction/disposal of the information is complete.
#Records scheduled for destruction/disposal should be secured against unauthorized or inappropriate access until the destruction/disposal of the information is complete.
Line 55: Line 55:
|'''Medium'''||'''Destruction Procedure(s)'''
|'''Medium'''||'''Destruction Procedure(s)'''
|-
|-
| Paper|| All paper should be disposed of in the desk-side recycling bins, the recycling carts or shredded in a shredding machine. All paper is considered confidential in the recycling process. Food waste and toiletry products are excluded and should not be placed in the recycling bins.
| Paper|| All paper should be disposed of in the desk-side recycling bins, the recycling carts or shredded in a shredding machine. All paper is considered confidential in the recycling process.  
Food waste and toiletry products are excluded and should not be placed in recycling bins.
|-
|-
| Audiotapes/Videotapes  || Tape over the information or forward the audio/videotape to Environmental Services (DOC 0647; zip 9030) in a sealed package for destruction. Place a "Please Destroy" label on the tape.
| Audiotapes/Videotapes  || Tape over the information or forward the audiotape/videotape to Environmental Services (DOC 0647; zip 9030) in a sealed package for destruction. Place a "Please Destroy" label on the tape.
|-
|-
| CD ROMs/DVDs || Cut in two and dispose of in trash.
| CD ROMs/DVDs || Cut in two and dispose of in trash.
-Large volumes of CDs may be forwarded to Environment Services.
Large volumes of CDs may be forwarded to Environment Services.
|-
|-
| Cell Phones || Cell phones which are no longer in use shall be returned to Information Technology who will dispose of the equipment.
| Cell Phones || Cell phones which are no longer in use shall be returned to Information Technology which will dispose of the equipment.
|-
|-
| Computerized Data/Hard Disk Drives
| Computerized Data/Hard Disk Drives
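Review bot: The revised CD ROMs/DVDs row still reads "Environment Services", while the Audiotapes/Videotapes row in this same hunk names the department "Environmental Services"; use the one name throughout so staff are not left guessing whether these are the same destination. The row is headed "CD ROMs/DVDs" but the forwarding sentence mentions only "CDs", and unlike the tape row it gives no DOC/zip routing, sealed-package or "Please Destroy" label instruction for discs sent in bulk; consider carrying those handling steps over.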
Line 70: Line 71:
Requestor will enter a Service Request containing the following information:<br />
Requestor will enter a Service Request containing the following information:<br />
1. Request to decommission a data/hard disk storage device<br />
1. Request to decommission a data/hard disk storage device<br />
2. A statement that records are being destroyed in the normal course of business pursuant to Nebraska Medicine Record Retention Policy<br />
2. A statement that records are being destroyed in the normal course of business pursuant to Nebraska Medicine Record Retention Policy ('''is there a policy number?''')/[http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule] <br />
3. Name of the department representative authorizing data destruction<br />
3. Name of the department representative authorizing data destruction<br />
4. Phone number of representative authorizing destruction<br />
4. Phone number of representative authorizing destruction<br />
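Review bot: Item 2 of the Service Request list now embeds the open editorial query "('''is there a policy number?''')" inside the statement the requestor is told to supply, so the required wording is undefined until that question is answered. Resolve the Nebraska Medicine policy reference before the draft is finalized, keep the query out of the procedure text, and say whether the statement must cite one of the two documents or both, since the "/" between the policy and the UNMC Record Retention Schedule leaves that open.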
Line 78: Line 79:
8. Questions regarding this process can be directed to PC Support Dispatch at 402-552-7777.<br />
8. Questions regarding this process can be directed to PC Support Dispatch at 402-552-7777.<br />
'''NOTE:'''  In the circumstances where a copier is being traded out, PC Support will ensure that the hard drive is secured by following their internal procedures.<br />   
'''NOTE:'''  In the circumstances where a copier is being traded out, PC Support will ensure that the hard drive is secured by following their internal procedures.<br />   
'''NOTE 2:'''  PC Support may, at its discretion, use data wiping tools to enable reuse of certain hard drives.  PC Support will follow NIST Special Publication 800-88 Guidelines for Media Sanitization which authorizes using the DOD certified standard 5022.22, 3X for wiping
'''NOTE 2:'''  PC Support may, at its discretion, use data wiping tools to enable reuse of certain hard drives.  PC Support will follow [https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization] which authorizes using the DOD certified standard 5022.22, 3X for wiping
|-
|-
| Cassette Tapes/Magnetic Media|| Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
| Cassette Tapes/Magnetic Media|| Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
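Review bot: NOTE 2 gains a link to SP 800-88 Rev. 1 but carries over unchanged the claim that the publication "authorizes using the DOD certified standard 5022.22, 3X for wiping", and that claim should be checked against the linked document before it is published under the new citation. The identifier "5022.22" looks like a transposition of DoD 5220.22-M and needs verifying, "3X" should be written out if it means three overwrite passes, and the sentence is missing its closing period.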
Line 84: Line 85:
| Computer Diskettes/Floppy Disks || Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
| Computer Diskettes/Floppy Disks || Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
|-
|-
| Laser Disks|| Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
| Laser Disks|| Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the disks.
|-
|-
| Microfilm/Microfiche || Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
| Microfilm/Microfiche || Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the microfilm/microfiche.
|-
|-
| Photographs || Photographs should be shredded or cut in multiple pieces. Photographs should not be placed in recycling containers.
| Photographs || Photographs should be shredded or cut in multiple pieces. Photographs should not be placed in recycling containers.
Line 92: Line 93:
| Radiology Films || Refer to Radiology Dept. Policy, LR - 6.12, "Retention/Disposal of Radiology Images" '''is this a Nebraska Medicine or UNMC policy?'''
| Radiology Films || Refer to Radiology Dept. Policy, LR - 6.12, "Retention/Disposal of Radiology Images" '''is this a Nebraska Medicine or UNMC policy?'''
|-
|-
| Printer Ribbons || Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the media.
| Printer Ribbons || Forward to Environmental Services (DOC 0647; zip 9030) in a sealed container for destruction. Place a "Please Destroy" label on the container.
|-
|-
| Other || Follow federal/state requirements; contact the Director, Environmental Services, at 402-559-6118, '''(do you have a better number for them?)''' or [mailto:debrbishop@nebraskamed.com Privacy Officer] for further information.
| Other || Follow federal/state requirements; contact the Director, Environmental Services, at 402-559-6118, '''(do you have a better number for them?)''' or [mailto:debrbishop@nebraskamed.com Privacy Officer] for further information.
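Review bot: The Radiology Films and Other rows pass through this revision with their bolded editorial queries ("is this a Nebraska Medicine or UNMC policy?", "do you have a better number for them?") still in the table, so the governing policy for radiology images and the contact for unlisted media remain unconfirmed in text staff will act on. Answer or remove them before the draft is finalized. In the one changed row, Printer Ribbons, the "Please Destroy" label now goes on the container while the Laser Disks and Microfilm/Microfiche rows revised just above put it on the item itself; state which is intended so the labelling instruction is uniform.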
Line 98: Line 99:
===Destruction of Paper===
===Destruction of Paper===
#Handling and Security Procedures
#Handling and Security Procedures
##Departmental management and Environmental Services should jointly develop a plan for the security, transport and storage of confidential materials from customer departments to the secured locked containers. The placement of the secured locked containers will be jointly developed between departmental management, [mailto:rboldt@unmc.edu Recycling Coordinator] and Environmental Services.
##Departmental management and Environmental Services should jointly develop a plan for the security, transport and storage of confidential materials from customer departments to the secured locked containers. The placement of the secured locked containers will be jointly developed between departmental management, [mailto:rhboldt@unmc.edu Recycling Coordinator] and Environmental Services.
##Locked containers should not be tampered with by unauthorized UNMC/Nebraska Medicine employees.
##Locked containers should not be tampered with by unauthorized UNMC/Nebraska Medicine employees.
##Environmental Services will be responsible for issuing and logging the keys for unlocking these containers.
##Environmental Services will be responsible for issuing and logging the keys for unlocking these containers.
#Documentation of Secure Disposal
#Documentation of Secure Disposal
The Certificate of Destruction for all recycled UNMC/Nebraska Medicine confidential material will be kept on file in the Recycling Coordinator’s office.
The Certificate of Destruction for all recycled UNMC/Nebraska Medicine confidential material will be kept on file in the Recycling Coordinator’s office.
==Definitions==
==Definitions==
===Affiliated Covered Entity (ACE)===
===Affiliated Covered Entity (ACE)===
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.
Legally separate covered entities that are affiliated and designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE.  
===Business Associate===
===Business Associate===
A third party that performs services on behalf of Nebraska Medicine/UNMC (that involve the creation, receipt, maintenance or transmission of protected health information). Some examples of such services include claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.  
A third party who performs services on behalf of Nebraska Medicine/UNMC that involve the creation, receipt, maintenance or transmission of PHI. Some examples of such services include claims processing, data analysis, data processing, practice management, utilization review, quality assurance, patient safety activities, billing, benefit management and repricing.
===Confidential Information===
===Confidential Information===
Individually-identifiable health information (protected health information) and proprietary information, including contracts, business plans and practices, financial information, employee records and meeting minutes.
Protected Health Information and proprietary information, including contracts, business plans and practices, financial information, employee records and meeting minutes.
===Protected Health Information (PHI)===
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
*is created or received by UNMC/ACE; and
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. 
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
*an Individual’s genetic tests; 
*the genetic tests of an Individual’s family members; or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
PHI excludes:
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and
*employment records held by UNMC in its role as employer.
==Additional Information==
==Additional Information==
*Contact the [mailto:infosecurity@unmc.edu Information Security Office]
*Contact the [mailto:infosecurity@unmc.edu Information Security Office]
*Contact Director, Environmental Services, at 402-559-6118, '''(do you have a better number for them?)'''  
*Contact Director, Environmental Services, at 402-559-6118, '''(do you have a better number for them?)'''  
**Contact Human Resources – Records at 402-559-8962 or Human Resources - Employee Relations  
*Contact Human Resources – Records at 402-559-8962 or Human Resources - Employee Relations  
*Contact [mailto:rboldt@unmc.edu Recycling Coordinator]
*Contact [mailto:rhboldt@unmc.edu Recycling Coordinator]
*Contact [mailto:debrbishop@nebraskamed.com Privacy Officer]  
*Contact [mailto:debrbishop@nebraskamed.com Privacy Officer]  
*Contact PC Support Dispatch at 402-552-7777 ('''is there an email address for this dept?''')
*Procedure No. 6056, [https://info.unmc.edu/its-security/policies/procedures/destruction-confinfo.html Destruction of Private and Confidential Information]
*Procedure No. 6056, [https://info.unmc.edu/its-security/policies/procedures/destruction-confinfo.html Destruction of Private and Confidential Information]
*UNMC Policy No. 8009, [[Contracts]]
*UNMC Policy No. 8009, [[Contracts]]
*[http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule]
*[http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule]
*Nebraska Medicine Record Retention Policy ('''is there a policy number?''')
*Radiology Dept. Policy, LR - 6.12, Retention/Disposal of Radiology Images
*Radiology Dept. Policy, LR - 6.12, Retention/Disposal of Radiology Images
*“Contract Management Policy”)
*Contract Management Policy '''(policy number needed)'''
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]  
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]  
*[https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization]


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:dpanowic@unmc.edu dkp].
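Review bot: In the added Protected Health Information definition, the second bullet runs "relates to the past, present or future ... payment for the provision of health care to an Individual" and "identifies the Individual ..." together in one item, so it is not clear that identifiability is a separate required condition; give it its own bullet joined by "and". The genetic-information list ends two consecutive items with "; or", and the exclusions list puts a period after the first item and "; and" after the second, so the list punctuation should be made consistent. The added Additional Information entries for PC Support Dispatch, the Nebraska Medicine Record Retention Policy and the Contract Management Policy still carry bolded editorial queries that need answers before the draft is finalized.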
