Destruction/Disposal of Protected Health Information

Layout for printing
Policy Number:
UW-130
Old Policy Number:
8.7
Responsible Office:
Office of Compliance

University Policy

Rationale/​Purpose:

In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.

Definitions:
Protected health information (PHI)
Health information, or healthcare payment information, including demographic information, which identifies the individual or can be used to identify the individual. Protected health information does not include student records held by educational institutions or employment records held by employers. 
UWMadison health care component (UW HCC)
Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW–Madison Health Care Component for a listing of these units.
Scope:

Applies to all members of the UW HCC.

Policy:

Policy Summary

UW–Madison strives to ensure the privacy and security of all patients'/clients’ protected health information in the maintenance, retention, and eventual destruction/disposal of such information. Destruction/disposal of this information in whatever format shall be carried out as described in this document, but always in a manner that leaves no possibility for the reconstruction of information.

This policy and procedure describe how records shall be disposed of/destroyed. When records may be disposed of/destroyed is outlined in applicable records’ retention schedules of the UW HCC.

Policy Details

  1. All destruction/disposal of protected health information will be done in accordance with applicable federal and state law and any applicable records retention schedule of the UW HCC unit. Records that have satisfied the period of retention may be destroyed/disposed of by an appropriate method as described in VII. below.
  2. Records involved in any open investigation, public records request, audit, or litigation must not be destroyed/disposed of. If the UW HCC unit receives notification that any of the above situations have occurred or there is the potential for such, the record retention schedule will be suspended for these records until such time as the situation has been resolved.
  3. Records containing protected health information that are not originals and that have no retention of record requirements (i.e. provider copies, shadow charts, etc.) will be destroyed/disposed of by shredding or other comparable method determined by each UW HCC unit. Certification of the destruction of non-originals is not required.
  4. Records containing protected health information scheduled for destruction/disposal will be secured against unauthorized or inappropriate access until the destruction/disposal of protected health information is complete.
  5. A record of all destruction/disposal of original medical/client records or other original documents containing protected health information will be made and retained permanently. Permanent retention is required because the records of destruction/disposal may be needed to demonstrate that the records containing protected health information were destroyed/disposed of in the regular course of business. Records of destruction/disposal should include:
    1. Date of destruction/disposal.
    2. Method of destruction/disposal.
    3. Description of the destroyed/disposed of record series or medium.
    4. Inclusive dates covered.
    5. A statement that the records containing protected health information were destroyed/disposed of in the normal course of business.

    6. The signatures of the individuals supervising and witnessing the destruction/disposal (when appropriate).

      A sample certificate of destruction is available at the hipaa.wisc.edu webpage in the “Forms” tab.

  6. If destruction/disposal services are contracted, the contract will:
    1. Specify the method of destruction/disposal (such method must be consistent with those set forth in VII. below).
    2. Specify the time that will elapse between acquisition and destruction/disposal of data/media.
    3. Establish safeguards against breaches in confidentiality.

    4. Provide proof of destruction/disposal.

      See UW-116 Managing Arrangements with Business Associates of the University of Wisconsin-Madison for more details concerning the requirements of a business associate agreement.

  7. Protected health information will be destroyed/disposed of using a method that ensures the information cannot be recovered or reconstructed. Appropriate methods for destruction/disposal are outlined in the following table.

    Table 1. Appropriate Methods for Destruction/Disposal
    Medium Recommendation
    Audiotapes Methods for destroying/disposing of audiotapes include recycling (tape over) or pulverizing.
    Computerized Data/ Computers & Hard Disk Drives (including within some fax machines and copiers) Methods of destruction/disposal should destroy/dispose of data permanently and irreversibly. Methods may include overwriting data with a series of characters or reformatting the disk (destroying everything on it). Deleting a file on a disk does not destroy/dispose of the data, but merely deletes the filename from the directory, preventing easy access and making the sector available on the disk so it may not be overwritten. Total data destruction/disposal does not occur until the backup tapes have been overwritten.
    Computer Data/ Magnetic Media Methods may include overwriting data with a series of characters or reformatting the tape (destroying everything on it). Total data destruction does not occur until the backup tapes have been overwritten. Magnetic degaussing will leave the sectors in random patterns with no preference to orientation, rendering previous data unrecoverable.
    Computer Diskettes Methods for destroying/disposing of diskettes include reformatting, pulverizing, or magnetic degaussing.
    Laser Disks Disks used in “write once-read many” (WORM) document imaging cannot be altered or reused, making pulverization an appropriate means of destruction/disposal.
    Microfilm/ Microfiche Methods for destroying/disposing of microfilm or microfiche include recycling and pulverizing.
    Paper Records Paper records should be destroyed/disposed of in a manner that leaves no possibility for the reconstruction of information. Appropriate methods for destroying/disposing of paper records include: burning, shredding, pulping, and pulverizing.
    Videotapes Methods for destroying/disposing of videotapes include recycling (tape over) or pulverizing.
  8. Additional Information on Disposal of Discarded Paper Containing PHI. On occasion, when copying or faxing documents containing protected health information, additional copies are made which are not subject to a retention schedule (because they are copies, not originals) and which may be disposed of immediately after the purpose for which they were made has been fulfilled. Such paper copies may be disposed of in recycling bins or waste receptacles only as described below:
    1. Unsecured recycling bins/waste receptacles should be located in areas where the public will not be able to access them.
    2. When possible, dispose of paper waste containing protected health information in receptacles that are secured by locking mechanisms or that are located behind locked doors after regular business hours. Locked containers must be used with copy machines located in insecure or unattended areas.
    3. Paper documents containing protected health information may be placed in recycling bins/waste receptacles as described above only if the paper in such bins or receptacles will be disposed of in a manner that leaves no possibility for the reconstruction of the information as described in the chart in VII. above.
  9. The methods of destruction/disposal will be reassessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction/disposal services.

Consequences for Noncompliance

Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.

Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.

Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:

Additional information may be found at www.compliance.wisc.edu/hipaa

External References:

Policy Administration

Approval Authority:
Vice Chancellor for Legal Affairs
Policy Manager:
HIPAA Privacy Officer
Contact:
HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
Effective Date:
04-14-2003
Revised Dates:

08-21-2014: Effective date of the revised policy: 08-21-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.

Retrieved:
11-22-2024 02:29:14