University of Wisconsin-Madison Policy and Procedure



Similar documents
Record Custodian to Health Information Steward Best Practices in Record Retention, Storage, and Destruction

University of Wisconsin-Madison Policy and Procedure

HIPAA Training for Hospice Staff and Volunteers

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY

HIPAA Training for Staff and Volunteers

BUSINESS ASSOCIATE AGREEMENT Tribal Contract

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

SOUTHWEST VIRGINIA COMMUNITY COLLEGE RECORDS MANAGEMENT POLICY

RETENTION OF UNIVERSITY RECORDS

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

RUTGERS POLICY. Approval Authority: Executive Vice President for Academic Affairs and Senior Vice President for Administration

Approved By: Agency Name Management

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Managing Records: Retention, Destruction and Disposal

NCI-Frederick Safety and Environmental Compliance Manual 03/2013

POLICY AND GUIDELINES FOR THE MANAGEMENT OF ELECTRONIC RECORDS INCLUDING ELECTRONIC MAIL ( ) SYSTEMS

FRONTIER REGIONAL/UNION#38 SCHOOL DISTRICTS. Records Retention Policy for Electronic Correspondence

This policy is not designed to use systems backup for the following purposes:

Media Disposition and Sanitation Procedure

Montana Local Government Records Management Guidelines

California State University, Sacramento INFORMATION SECURITY PROGRAM

LSUHSC-NEW ORLEANS RECORDS RETENTION AND DISPOSITION POLICY

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Electronic Records Management in the City of Philadelphia

SOUTHWEST VIRGINIA COMMUNITY COLLEGE RECORDS MANAGEMENT PROGRAM. Revised January 15, 2014

Statement of Policy. Reason for Policy

Get rid of it Securely to keep it Private

8.03 Health Insurance Portability and Accountability Act (HIPAA)

Montclair State University. HIPAA Security Policy

How To Write A Health Care Security Rule For A University

HIPAA BUSINESS ASSOCIATE AGREEMENT

Information Technology Services Guidelines

HIPAA BUSINESS ASSOCIATE AGREEMENT

PHI- Protected Health Information

Valdosta Technical College. Information Security Plan

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Client Advisory October Data Security Law MGL Chapter 93H and 201 CMR 17.00

Moving Information: Privacy & Security Guidelines

HIPAA Security Alert

HIPAA Business Associate Agreement

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

HIPAA Security. assistance with implementation of the. security standards. This series aims to

That s why outsourcing using a Qualified Contractor is the best solution to the problem of assuring a compliant hard drive destruction audit trail.

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

Blocal government bulletin b

BUSINESS ASSOCIATE AGREEMENT

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

Subject: U.S. Department of Housing and Urban Development (HUD) Privacy Protection Guidance for Third Parties

C.T. Hellmuth & Associates, Inc.

Guidance on Personal Data Erasure and Anonymisation 1

The guidance applies to all records, regardless of the medium in which they are held, including , spreadsheets, databases and paper files.

Developing a Records Retention Program

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

Best Practices for Responsible Disposal of Tape Media

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

M E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General

BUSINESS ASSOCIATE AGREEMENT

Model Business Associate Agreement

How To Manage Records And Information Management In Alberta

Business Associate Agreement

ACCESS, PRODUCTION AND RETENTION OF CITY RECORDS

United Cerebral Palsy of Greater Chicago Records and Information Management Policy and Procedures Manual, December 12, 2008

How To Destroy Data From A Hard Drive

Information and Privacy Commissioner of Ontario. Guidelines for the Use of Video Surveillance Cameras in Public Places

Records & Information Management Policy

HIPAA Compliance: Are you prepared for the new regulatory changes?

Administrators Guide Multi User Systems. Calendar Year

BUSINESS ASSOCIATE AGREEMENT

HIPAA Compliance Evaluation Report

BAC to the Basics: Business Associate Contracts Made Easy

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

Management: A Guide For Harvard Administrators

NC DPH: Computer Security Basic Awareness Training

Transcription:

Page 1 of 6 I. Policy UW-Madison strives to ensure the privacy and security of all patient/clients protected health information in the maintenance, retention, and eventual destruction/disposal of such information. Destruction/disposal of this information in whatever format shall be carried out as described in this document, but always in a manner that leaves no possibility for reconstruction of information. This policy and procedure describes how records shall be disposed of/destroyed. When records may be disposed of/destroyed is outlined in applicable records retention schedules of the UW Health Care Component. II. Definitions A. Protected Health Information ( PHI ): Health information, or healthcare payment information, including demographic information, which identifies the individual or can be used to identify the individual. PHI does not include student records held by educational institutions or employment records held by employers. B. UW-Madison Health Care Component ( UW HCC ): Those units of the University of Wisconsin-Madison that have been designated by the University as part of its health care component under HIPAA. See Privacy Policy # 1.1 Designation of UW-Madison Health Care Component for a listing of these units. III. Procedures A. All destruction/disposal of PHI will be done in accordance with applicable federal and state law and any applicable records retention schedule of the UW HCC unit. Records that have satisfied the period of retention may be destroyed/disposed of by an appropriate method as described in III.G. below. B. Records involved in any open investigation, public records request, audit or litigation must not be destroyed/disposed of. If the UW HCC unit receives notification that any of the above situations have occurred or there is the potential for such, the record retention schedule shall be suspended for these records until such time as the situation has been resolved.

Page 2 of 6 C. Records containing PHI that are not originals and that have no retention of record requirements (i.e. provider copies, shadow charts, etc.) will be destroyed /disposed by shredding or other comparable method determined by each UW HCC unit. Certification of destruction of non-originals is not required. D. Records containing PHI scheduled for destruction/disposal will be secured against unauthorized or inappropriate access until the destruction/disposal of PHI is complete. E. A record of all destruction/disposal of original medical/client records or other original documents containing PHI will be made and retained permanently. Permanent retention is required because the records of destruction/disposal may be needed to demonstrate that the records containing PHI were destroyed/disposed of in the regular course of business. Records of destruction/disposal should include: 1. Date of destruction/disposal. 2. Method of destruction/disposal. 3. Description of the destroyed/disposed record series or medium. 4. Inclusive dates covered. 5. A statement that the records containing PHI were destroyed/disposed of in the normal course of business. 6. The signatures of the individuals supervising and witnessing the destruction/disposal (when appropriate). A sample certificate of destruction is available at the hipaa.wisc.edu webpage in the Forms tab. F. If destruction/disposal services are contracted, the contract shall: 1. Specify the method of destruction/disposal (such method must be consistent with those set forth in III.G. below). 2. Specify the time that will elapse between acquisition and destruction/disposal of data/media. 3. Establish safeguards against breaches in confidentiality. 4. Provide proof of destruction/disposal.

Page 3 of 6 See Privacy Policy # 6.1 Managing Arrangements with Business Associates of the University of Wisconsin-Madison for more details concerning the requirements of a business associate agreement. G. PHI will be destroyed/disposed of using a method that ensures the PHI cannot be recovered or reconstructed. Appropriate methods for destruction/disposal are outlined in the following table. Medium Audiotapes Computerized Data/ Computers & Hard Disk Drives (including within some fax machines and copiers) Computer Data/ Magnetic Media Recommendation Methods for destroying/disposing of audiotapes include recycling (tape over) or pulverizing. Methods of destruction/disposal should destroy/dispose of data permanently and irreversibly. Methods may include overwriting data with a series of characters or reformatting the disk (destroying everything on it). Deleting a file on a disk does not destroy/dispose of the data, but merely deletes the filename from the directory, preventing easy access and making the sector available on the disk so it may not be overwritten. Total data destruction/disposal does not occur until the back-up tapes have been overwritten. Methods may include overwriting data with a series of characters or reformatting the tape (destroying everything on it). Total data destruction does not occur until the back-up tapes have been overwritten. Magnetic degaussing will leave the sectors in random patterns with no preference to orientation, rendering previous data unrecoverable. Computer Diskettes Methods for destroying/disposing of diskettes include reformatting, pulverizing, or magnetic degaussing. Laser Disks Disks used in write once-read many (WORM) document imaging cannot be altered or reused, making pulverization an appropriate means of destruction/disposal.

Page 4 of 6 Medium Microfilm/ Microfiche Paper Records Videotapes Recommendation Methods for destroying/disposing of microfilm or microfiche include recycling and pulverizing. Paper records should be destroyed/disposed of in a manner that leaves no possibility for reconstruction of information. Appropriate methods for destroying/disposing of paper records include: burning, shredding, pulping, and pulverizing. Methods for destroying/disposing of videotapes include recycling (tape over) or pulverizing. H. Additional Information on Disposal of Discarded Paper Containing PHI. On occasion, when copying or faxing documents containing PHI, additional copies are made which are not subject to a retention schedule (because they are copies, not originals) and which may be disposed of immediately after the purpose for which they were made has been fulfilled. Such paper copies may be disposed of in recycle bins or waste receptacles only as described below: 1. Unsecured recycle bins/waste receptacles should be located in areas where the public will not be able to access them. 2. When possible, dispose of paper waste containing PHI in receptacles that are secured by locking mechanisms or that are located behind locked doors after regular business hours. Locked containers must be used with copy machines located in insecure or unattended areas. 3. Paper documents containing PHI may be placed in recycle bins/waste receptacles as described above only if the paper in such bins or receptacles will be disposed of in a manner that leaves no possibility for reconstruction of the information as described in the chart in III.G. above. J. The methods of destruction/disposal will be reassessed periodically, based on current technology, accepted practices, and availability of timely and costeffective destruction/disposal services.

Page 5 of 6 IV. Documentation Requirements A record of all destruction/disposal of original medical/client records or other original documents containing PHI will be made and retained permanently as described in III.E. above using a form substantially similar to the Sample Certificate of Destruction form available at hipaa.wisc.edu. V. Forms Sample Certificate of Destruction VI. References 895.505 Wisconsin Statutes (Disposal of records) 146.819 Wisconsin Statutes (Disposition of records-cease practice) 146.817 Wisconsin Statutes (Fetal tracings) 45 CFR 164.530 (c) (HIPAA Privacy Rule) VII. Related Policies Policy Number 6.1 Managing Arrangements with Business Associates of the University of Wisconsin-Madison Policy Number 8.5 Security of Faxed, Printed, and Copied Documents VIII. For Further Information For further information concerning this policy, please contact the UW-Madison HIPAA Privacy Officer or the appropriate unit HIPAA Privacy Coordinator or sub-coordinator. Contact information is available within the Contact Us tab at hipaa.wisc.edu. Reviewed By Chancellor Chancellor s Task Force on HIPAA Privacy UW-Madison HIPAA Privacy Officer UW-Madison Office of Legal Affairs

Page 6 of 6 Approved By Interim HIPAA Privacy and Security Operations Committee