HIPAA Core Policy: Media Reallocation and Disposal

Abstract: This policy establishes guidelines for the secure reallocation and disposal of media that contains sensitive data.
Effective Date: 8/22/2012
Responsible Party:
Contacts: None Assigned
Administrative Category:
Applies To: Faculty, Staff, Students
Keyword(s): None Assigned
Material Original Source:

1. PURPOSE: To establish guidelines for the secure reallocation and disposal of media that contains sensitive data.


2. PHILOSOPHY: Information in all forms and throughout its life cycle should be protected from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. Improper handling and disclosure of information poses a significant risk to UAB/UABHS.


3. APPLICABILITY: This Standard applies to all UAB/UABHS Covered Entities: University Hospital, The Kirklin Clinic, Callahan Eye Hospital, UAB Health Centers, Medical West, UAB Highlands, VIVA Health, Inc., University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions and UAB School of Nursing. For purposes of this Policy, UAB/UABHS HIPAA Covered Entities shall be referred to as “UAB/UABHS” or “UAB/UABHS Covered Entities.”


4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Protected Health Information (PHI): Health information, including demographic information, collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Right and Privacy Act and employment records held by a covered entity in its role as an employer.

4.1.2. Sensitive information or data: Any information that may only be accessed by authorized personnel. It includes Protected Health Information, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.

4.1.3. Media: Physical objects on which data can be stored such as hard drives, disks, CDs, tapes, paper, and other storage devices.

4.1.4. Transfer: To transmit ongoing use of media and the data contained therein from one party to another party that has the appropriate authorization to access and maintain the data.

4.1.5. Reallocate: To transmit ongoing use of media, not including pre-existing data, from one party within UAB/UABHS to another party within UAB/UABHS.

4.1.6. Disposal: The permanent removal of media as a UAB/UABHS information asset.

4.1.7. Authorized Personnel: Persons appointed or given authority by UAB/UABHS Administration to take a given action or serve in a given role.

4.1.8. Secure Disposal Vendor: A third party contracted to sanitize media on behalf of UAB/UABHS Covered Entities. Media to be sanitized shall be placed in the vendor’s specially marked containers. Note: UAB/UABHS’s various secure disposal vendors have specific guidelines regarding the amount of non-paper products that may be placed in the vendors’ containers. Contact your area administrator or secure disposal vendor for details on the handling of non-paper media for your area.

4.1.9. Clean: To render information on media inaccessible, unless special software or techniques are used. Some examples include formatting and re-imaging media.

4.1.10. Sanitize: To expunge data from media or to render it in such a state that recovery of said data is reasonably impossible. Formatting and re-imaging the media are not acceptable forms of sanitization. The use of overwriting software in accord with provisions in this standard is an acceptable form of sanitization.

4.1.11. Physical Destruction: To render media in such a state that recovery of information from the media is reasonably impossible. This is a form of sanitization. Some examples include pulverizing, mangling, and the use of an appropriate shredder. A secure disposal vendor may also be used.

4.1.12. Damage: To render media in such a state that it cannot be accessed by standard methods. However, data on the media may be accessed using special techniques. For example, bending a disk such that it cannot be read by the drive does not comply with provisions in this standard. Damaging media is not an acceptable form of sanitization.

4.1.13. Secure Location: An area or place with restricted and monitored access.


5. STANDARDS:

5.1. Sensitive information shall not be removed from its designated UAB/UABHS area without the approval of UAB/UABHS Administration.

5.2. Any reallocation or disposal activity that endangers the well-being of personnel or that may negatively affect UAB/UABHS is strictly prohibited. This includes, but is not limited to, the incineration of media in the workplace.

5.3. Media shall be cleaned or sanitized only by authorized personnel.

5.4. Media containing non-sensitive information shall be cleaned or sanitized prior to being reallocated.

5.5. Media containing sensitive information shall be sanitized prior to being reallocated.

5.6. Equipment containing mass storage devices, either removable or non-removable media (including hard disks, floppy disks, flash memory, optical discs, magnetic tape, etc.), with sensitive data shall be reasonably secured at all times to reduce the risk of data and equipment loss.

5.7. Unused equipment containing mass storage devices (including desktop and laptop computers, servers, printers, copiers, fax machines, biomedical equipment, cameras, smartphones (e.g., iPhone, BlackBerry), etc.) that is slated for disposal or reallocation shall be sanitized and processed as soon as possible to reduce the risk of data and equipment loss.

5.8. A log shall be kept of all property/equipment in which media resides. The log shall include information to verify sanitization or destruction of the media.

5.9. Sanitization methods include:

5.9.1. Use of overwriting software to expunge all data from the media.

5.9.2. Physically destroying the media.

5.9.3. Use of a degausser to reduce the magnetic flux of the media to virtually zero, thereby expunging all data from the media. The degausser used shall be appropriate for the media being sanitized.
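The distinction the definitions draw between cleaning (4.1.9) and sanitizing (4.1.10), and the verification record required by 5.8, can be shown concretely. The following is an added illustration written for this page, not a UAB/UABHS tool or procedure: an ordinary file stands in for a storage device, the patient record and asset tag are constructed placeholders, and the wipe is a single zero-fill pass. It shows that a "quick format" (zeroing only a header) leaves the record bytes readable, that a full overwrite followed by a read-back check does not, and what a log entry holding the verification result might contain.

```python
"""Overwrite sanitization with read-back verification and a disposal log entry.

Added example for this page. The "media" is a plain file standing in for a
storage device; the record, marker, asset tag and operator are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample record; MARKER is the remnant a post-wipe scan looks for.
SAMPLE_RECORD = b"PATIENT: Jane Doe | MRN: 0000001 | DX: sample text\n"
MARKER = b"MRN:"
WIPE_BYTE = b"\x00"
CHUNK = 64 * 1024


def make_sample_media(path: str, size: int = 256 * 1024) -> None:
    """Fill the stand-in device with repeated sample records."""
    with open(path, "wb") as f:
        written = 0
        while written < size:
            f.write(SAMPLE_RECORD)
            written += len(SAMPLE_RECORD)


def quick_format(path: str) -> None:
    """Stand-in for 'cleaning' (4.1.9): zero a 512-byte header and leave the rest."""
    with open(path, "r+b") as f:
        f.write(WIPE_BYTE * 512)


def overwrite(path: str, passes: int = 1) -> None:
    """Stand-in for overwriting software (5.9.1): every byte, full length, each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(WIPE_BYTE * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())


def contains_marker(path: str, marker: bytes = MARKER) -> bool:
    """Scan raw bytes for a remnant of the sample data; the tail handles chunk edges."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):]


def verify_overwrite(path: str, pattern: bytes = WIPE_BYTE) -> bool:
    """Read back every byte and confirm it matches the wipe pattern."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk != pattern * len(chunk):
                return False


def sanitization_record(asset_tag: str, path: str, method: str, operator: str) -> dict:
    """Log entry in the spirit of 5.8: asset, method, operator, verification, evidence."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return {
        "asset_tag": asset_tag,
        "method": method,
        "operator": operator,
        "verified": verify_overwrite(path) and not contains_marker(path),
        "post_wipe_sha256": h.hexdigest(),
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def demo(path: str) -> dict:
    """Populate, 'format', overwrite and log one stand-in device; return the log entry."""
    make_sample_media(path)
    quick_format(path)
    recoverable = contains_marker(path)  # True: formatting alone is not sanitization
    overwrite(path, passes=1)
    rec = sanitization_record("ASSET-PLACEHOLDER", path, "overwrite-1pass", "operator-placeholder")
    rec["recoverable_after_format"] = recoverable
    return rec


def run_demo_on_tempfile() -> dict:
    """Run demo() against a temporary file and remove it afterwards."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        return demo(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(run_demo_on_tempfile())
```

On a real device the same read-back step is what turns an overwrite into a verifiable sanitization: the scan and the pattern check run against the raw device, and the resulting record, not the operator's recollection, is what the 5.8 log retains.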

5.10. Media containing sensitive information shall not be placed in the regular trash unless the media is sanitized first.

5.11. Secure disposal vendor services shall only be used for the disposal of sensitive information.

5.12. Non-sensitive information shall be placed in regular trash disposal containers.

5.13. UAB/UABHS employees, vendors, and contractors shall report policy violations to the appropriate Data Security Office.

5.14. UAB/UABHS employees who do not follow the above standards may be subject to disciplinary action up to and including dismissal.

5.15. Vendors or contractors who do not follow the above standards may be subject to breach of contract penalties.

5.16. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this standard, contact one of the following:

5.16.1. your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/securitycontacts.htm).

5.16.2. the HSIS Help Desk at 934-8888.

5.16.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu.

5.16.4. UAB/UABHS HIPAA Security Office at 975-0072.

5.16.5. UAB IT Data Security Office at 975-0842.


6. REFERENCES:

National Institute of Standards and Technology, Special Publication 800-88: Media Sanitization, http://csc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf

ISO/IEC 17799:2005(E), Code of Practice for Information Security Management, Control 10.7.2: Disposal of Media

Department of Defense 5220.22-M

“Destruction of DoD Computer Hard Drives Prior to Disposal”, Memorandum by Deputy Secretary of Defense 8 January 2001

“Disposition of Unclassified DoD Computer Hard Drives”, Memorandum by Assistant Secretary of Defense with attachments 4 June 2001

“Degausser Product List”, National Security Agency, Central Security Service.

“Understanding CD-R & CD-RW”, Optical Storage Technology Association.

“UAB Secure Media Destruction Procedure”, UAB IT, http://main.uab.edu/Sites/it/faqs/57722

“UAB Information Security Handbook”, http://www.hipaa.uab.edu/pdffiles/Information_Security_Handbook_03_2009.pdf

“How do I securely wipe a disk drive?” UAB IT, http://main.uab.edu/Sites/it/faqs/49185


7. SCOPE: This standard applies to all UAB/UABHS entities covered under HIPAA and their systems that maintain PHI.


8. ATTACHMENTS: None

To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/standards.htm.