In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.
Applies to all members of the UW HCC.
UW–Madison strives to ensure the privacy and security of all patients'/clients’ protected health information in the maintenance, retention, and eventual destruction/disposal of such information. Destruction/disposal of this information in whatever format shall be carried out as described in this document, but always in a manner that leaves no possibility for the reconstruction of information.
This policy and procedure describe how records shall be disposed of/destroyed. When records may be disposed of/destroyed is outlined in applicable records’ retention schedules of the UW HCC.
The signatures of the individuals supervising and witnessing the destruction/disposal (when appropriate).
A sample certificate of destruction is available at the hipaa.wisc.edu webpage in the “Forms” tab.
Provide proof of destruction/disposal.
See UW-116 Managing Arrangements with Business Associates of the University of Wisconsin-Madison for more details concerning the requirements of a business associate agreement.
Protected health information will be destroyed/disposed of using a method that ensures the information cannot be recovered or reconstructed. Appropriate methods for destruction/disposal are outlined in the following table.
| Media | Methods of destruction/disposal |
|---|---|
| Audiotapes | Methods for destroying/disposing of audiotapes include recycling (tape over) or pulverizing. |
| Computerized Data/ Computers & Hard Disk Drives (including within some fax machines and copiers) | Methods of destruction/disposal should destroy/dispose of data permanently and irreversibly. Methods may include overwriting data with a series of characters or reformatting the disk (destroying everything on it). Deleting a file on a disk does not destroy/dispose of the data, but merely deletes the filename from the directory, preventing easy access and making the sector available on the disk so it may be overwritten. Total data destruction/disposal does not occur until the backup tapes have been overwritten. |
| Computer Data/ Magnetic Media | Methods may include overwriting data with a series of characters or reformatting the tape (destroying everything on it). Total data destruction does not occur until the backup tapes have been overwritten. Magnetic degaussing will leave the sectors in random patterns with no preference to orientation, rendering previous data unrecoverable. |
| Diskettes | Methods for destroying/disposing of diskettes include reformatting, pulverizing, or magnetic degaussing. |
| WORM Disks | Disks used in “write once-read many” (WORM) document imaging cannot be altered or reused, making pulverization an appropriate means of destruction/disposal. |
| Microfilm or Microfiche | Methods for destroying/disposing of microfilm or microfiche include recycling and pulverizing. |
| Paper Records | Paper records should be destroyed/disposed of in a manner that leaves no possibility for the reconstruction of information. Appropriate methods for destroying/disposing of paper records include: burning, shredding, pulping, and pulverizing. |
| Videotapes | Methods for destroying/disposing of videotapes include recycling (tape over) or pulverizing. |
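The computerized-data row above makes two points that are easy to get wrong in practice: deleting a file only drops the directory entry, and destruction is not complete until backup copies are overwritten too. The following Python model is an added illustration, not part of the policy or any UW tool; `ToyDisk`, its FAT-like directory, the sample chart text and the backup image are all constructed here for the demonstration.

```python
SECTOR = 512


class ToyDisk:
    """Constructed model of a block device with a simple directory (FAT-like)
    and an optional backup image of the media. Not a real filesystem."""

    def __init__(self, sectors: int = 16) -> None:
        self.media = bytearray(SECTOR * sectors)
        self.directory: dict[str, list[int]] = {}   # filename -> sector numbers
        self.free = list(range(sectors))
        self.backup = bytearray()

    def write_file(self, name: str, data: bytes) -> None:
        sectors = [self.free.pop(0) for _ in range(-(-len(data) // SECTOR))]
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.media[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = sectors

    def take_backup(self) -> None:
        self.backup = bytearray(self.media)            # backup tape/image

    def delete_file(self, name: str) -> None:
        # A delete only removes the directory entry and frees the sectors;
        # the bytes stay on the media until something overwrites them.
        self.free.extend(self.directory.pop(name))

    def overwrite(self, pattern: bytes = b"\x00") -> None:
        # Destruction step: overwrite every sector, allocated or free.
        fill = pattern * (len(self.media) // len(pattern) + 1)
        self.media[:] = fill[: len(self.media)]


def residual_phi(disk: ToyDisk, marker: bytes) -> dict[str, bool]:
    """Raw carve of media and backup, ignoring the directory (what a
    recovery tool does). True means the marker is still recoverable."""
    return {"media": marker in disk.media, "backup": marker in disk.backup}


def demo() -> tuple[dict[str, bool], dict[str, bool], dict[str, bool]]:
    marker = b"MRN: 000-CONSTRUCTED-TEST"                   # constructed sample PHI
    disk = ToyDisk()
    disk.write_file("chart.txt", b"PATIENT: Jane Doe  " + marker)
    disk.take_backup()
    disk.delete_file("chart.txt")
    after_delete = residual_phi(disk, marker)            # still recoverable
    disk.overwrite(b"\xff")
    after_overwrite = residual_phi(disk, marker)         # media clean, backup not
    disk.backup = bytearray(len(disk.backup))            # overwrite the backup too
    after_backup = residual_phi(disk, marker)            # now fully destroyed
    return after_delete, after_overwrite, after_backup
```

Run `demo()` and the three results trace the policy's sequence: delete leaves the PHI carvable, overwriting the disk clears the media but not the backup, and only overwriting the backup as well completes destruction.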
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Additional information may be found at www.compliance.wisc.edu/hipaa
08-21-2014: Effective date of the revised policy: 08-21-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.