HIPAA Core Policy: Media Reallocation and Disposal

This policy establishes guidelines for the secure reallocation and disposal of media that contain sensitive data.
Responsible Party: None Assigned
Applies To: Faculty, Staff, Students

1. PURPOSE: To establish policy for the secure reallocation and disposal of media that contain sensitive data.

2. PHILOSOPHY: Information in all forms and throughout its life cycle should be protected from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. Improper handling and disclosure of information poses a significant risk to UAB.

3. APPLICABILITY: This Standard applies to all UAB/UABHS Covered Entities: University Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West, VIVA Health, Inc., the University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, other UABHS managed entities that may be added from time to time, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions and UAB School of Nursing, School of Education Community Clinic, UAB Health Plans, and other covered entities that may be added from time to time. For purposes of this Policy, UAB Covered Entities shall be referred to as “UAB.”


4.1. Definitions:

4.1.1. Protected Health Information (PHI): Health information, including demographic information, collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act and employment records held by a covered entity in its role as an employer.

4.1.2. Sensitive information or data: Any information that may only be accessed by authorized personnel. It includes PHI, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.

4.1.3. Media: Physical objects on which data can be stored such as hard drives, disks, CDs, tapes, paper, and other storage devices.

4.1.4. Reallocate: The assignment of media from one party within UAB to another party within UAB so it can be used for a different purpose.

4.1.5. Disposal: The permanent removal of media as a UAB information asset.

4.1.6. Authorized Personnel: Persons appointed or given authority by UAB Administration to take a given action or serve in a given role.

4.1.7. Secure Disposal Vendor: A third party contracted to sanitize media on the behalf of UAB Covered Entities. Media to be sanitized shall be placed in the vendor’s specially marked containers. Note: UAB’s various secure disposal vendors have specific guidelines regarding the amount of non-paper products that may be placed in the vendors’ containers. Contact your area administrator or secure disposal vendor for details on the handling of non-paper media for your area.

4.1.8. Clean: To render information on media inaccessible, unless special software or techniques are used. Some examples include formatting and re-imaging media.

4.1.9. Sanitize: To expunge data from media or to render it in such a state that recovery of said data is reasonably impossible. Formatting and re-imaging the media are not acceptable forms of sanitization. The use of overwriting software in accord with provisions in this policy is an acceptable form of sanitization.

4.1.10. Physical Destruction: To render media in such a state that recovery of information from the media is reasonably impossible. This is a form of sanitization. Some examples include pulverizing, mangling, and the use of an appropriate shredder. A secure disposal vendor may also be used.

4.1.11. Damage: To render media in such a state that it cannot be accessed by standard methods. However, data on the media may be accessed using special techniques. For example, bending a disk such that it cannot be read by the drive does not comply with provisions in this policy. Damaging media is not an acceptable form of sanitization.

4.1.13. Secure Location: An area or place with restricted and monitored access.


5.1. Sensitive information shall not be removed from its designated UAB area without the approval of UAB Administration.

5.2. Media shall be cleaned or sanitized only by authorized personnel.

5.3. Media containing non-sensitive information shall be cleaned or sanitized prior to being reallocated.

5.4. Media containing sensitive information must be sanitized prior to being reallocated.

5.5. Equipment containing mass storage devices, either removable or non-removable media (including hard disks, flash memory, optical discs, magnetic tape, etc.), with sensitive data shall be reasonably secured at all times to reduce the risk of data and equipment loss.

5.6. Unused equipment containing mass storage devices (including desktop and laptop computers, servers, printers, copiers, fax machines, biomedical equipment, cameras, and smartphones such as the iPhone) that is slated for disposal or reallocation shall be sanitized and processed as soon as possible to reduce the risk of data and equipment loss.

5.7. A log shall be kept to verify sanitization or destruction of the media containing sensitive information.

5.8. Sanitization methods include:

5.8.1. Use of overwriting software to expunge all data from the media.

5.8.2. Physically destroying the media.

5.8.3. Use of a degausser to reduce the magnetic flux of the media to virtually zero, thereby expunging all data from the media. The degausser used shall be appropriate for the media being sanitized.
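As an added illustration of 5.7 and 5.8.1 (example code written for this page, not part of the UAB policy), the Python below overwrites a file that stands in for a piece of media, reads it back to confirm the final pass left nothing behind, and appends a JSON-lines record to the sanitization log that 5.7 requires. The file name, operator id, log path and record fields are assumptions.

```python
import json
import os
import tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20  # read/write unit, 1 MiB
SAMPLE_ROW = b"mrn,name,dob\n000123,EXAMPLE PATIENT,1970-01-01\n"  # constructed, no real PHI

def overwrite_file(path, passes=3):
    """Overwrite every byte in place: random-data passes, then a final zero pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(os.urandom(n) if p < passes - 1 else bytes(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())  # push each pass to storage, not just the page cache
    return size

def verify_zeroed(path):
    """Read the object back: after the final pass no non-zero byte may remain."""
    with open(path, "rb") as f:
        while block := f.read(CHUNK):
            if block.count(0) != len(block):
                return False
    return True

def sanitize_and_log(path, operator, log_path, passes=3):
    """Sanitize one object and append the 5.7 verification record as one JSON line."""
    size = overwrite_file(path, passes)
    record = {"timestamp": datetime.now(timezone.utc).isoformat(), "operator": operator,
              "media": os.path.basename(path), "method": "overwrite", "passes": passes,
              "bytes": size, "verified": verify_zeroed(path)}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record

def demo():
    """Constructed sample: a CSV export standing in for media that held PHI."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "patient_export.csv")
    with open(path, "wb") as f:
        f.write(SAMPLE_ROW * 5000)
    rec = sanitize_and_log(path, "jdoe (assumed operator id)", os.path.join(d, "sanitize.log"))
    with open(path, "rb") as f:
        still_readable = b"EXAMPLE PATIENT" in f.read()  # must be False after sanitizing
    return rec, still_readable
```

Overwriting one file only reaches that file's current blocks; filesystem copies, slack space and remapped flash cells are untouched, so for actual media the same loop must run over the whole device, or one of the other 5.8 methods (physical destruction, an appropriate degausser) applies.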

5.9. Media containing sensitive information shall not be placed in the regular trash.

5.10. Secure disposal vendor services shall only be used for the disposal of sensitive information.

5.11. Non-sensitive information shall be placed in regular trash disposal containers.

5.12. UAB employees, vendors, and contractors shall report policy violations to the appropriate Data Security Office.

5.13. UAB employees who do not follow the above policies may be subject to disciplinary action up to and including dismissal.

5.14. Vendors or contractors who do not follow the above policies may be subject to breach of contract penalties.

5.15. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this standard, contact one of the following:

5.15.1. your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators).

5.15.2. the HSIS Help Desk at 934-8888.

5.15.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu.

5.15.4. UAB HIPAA Security Office at InfoSec@uabmc.edu or (205) 975-1440.

5.15.5. UAB IT Information Security line at 975-0842.


7. SCOPE: This standard applies to all UAB entities covered under HIPAA and their systems that maintain PHI.


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.