Standard for HIPAA Destruction/Disposal of Patient PHI

Purpose

It is the standard of OU to protect the privacy and security of all media containing Protected Health Information (PHI) in the maintenance, retention, and eventual destruction/disposal of such media. Destruction/disposal of PHI will be carried out only after the information has reached its defined retention period in accordance with federal and state law and as defined in Ohio University’s retention policy (as applicable).

Scope

This standard will apply to all Ohio University operating units that store, process, or transmit PHI.

Standard

  1. All destruction/disposal of media containing PHI will be done in accordance with federal and state law, and pursuant to Ohio University’s written retention policy/schedule (as applicable). Records that have satisfied the period of retention will be destroyed/disposed of as further described below.
    1. Research-related record retention guidelines: Records involved in any current or anticipated investigation, audit, or litigation should not be destroyed. If notification is received that any of the above situations have occurred or there is the potential for such, the record retention schedule shall be suspended for such records. When applicable, a qualified protective order will be obtained to limit the use or disclosure of PHI.
    2. Records scheduled for destruction/disposal must be secured against unauthorized or inappropriate access until the destruction/disposal of patient information is complete.
  2. A record of all PHI media destruction/disposal must be retained permanently by each HIPAA Covered Entity Unit of Ohio University. Permanent retention of this record is required because the records of destruction/disposal may become necessary to demonstrate that the PHI was destroyed/disposed of in the regular course of business.
    1. Records of destruction/disposal should include:
      1. Date of destruction/disposal;
      2. Method of destruction/disposal;
      3. Description of the destroyed/disposed record series or medium;
      4. Inclusive dates covered;
      5. A statement that the PHI was destroyed/disposed of in the normal course of business; and
      6. The signatures of the individuals supervising and witnessing the destruction/disposal.

  3. Media containing PHI should be cleared, purged, or destroyed by the following methods:
    1. Paper, film, or other hard copy media shall be shredded or destroyed such that the PHI cannot be read or otherwise be reconstructed. Redaction is specifically excluded as a means of data destruction.
      1. For HIPAA Covered Entity Units, destruction must occur on site at the University.
      2. For HIPAA-like units, when possible, destruction should occur on-site due to the sensitivity level of the data.
      3. All departments must obtain confirmation of the destruction from the vendor or Ohio University unit providing the destruction service, and keep documented proof of the destruction as described in section 2 above.
    2. Electronic media shall be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved.
  4. The Privacy Officer, in coordination with the Security Officer, must categorize the information to be disposed of, assess the nature of the medium on which it is recorded, assess the risk to confidentiality, and determine the future plans for the media, using Appendix C: Sanitization Recommendations for Protected Health Information (PHI) to decide on the appropriate method of sanitization (clear, purge, or destroy). The selected method must be assessed as to cost, environmental impact, etc., and a decision must be made that best mitigates the risk of unauthorized disclosure of information.
  5. HIPAA Covered Entity Units that need to dispose of media containing PHI shall coordinate the disposal of such media with the Office of Information Technology (OIT), IT Asset Management Specialist.
    1. The HIPAA Covered Entity Unit will be responsible for labeling the media in such a way that it is clear to the handler that the data on media contains PHI.
    2. The HIPAA Covered Entity Unit will complete the “Collection” portion of the Certificate of Media Sanitization form.
    3. The HIPAA Covered Entity Unit will then secure the media in a locked cabinet and contact the OIT IT Asset Management Specialist for pickup.
    4. When an OIT representative arrives to pick up the media, the covered entity unit must validate the identity of the individual as an OIT employee, and then can provide the media and a copy of the Certificate of Media Sanitization form to the individual.
    5. The OIT representative will then take the media and corresponding Certificate of Media Sanitization to the IT Asset Management Specialist. OIT must ensure that the media is secured at all times during transit and storage. A secured location may be a locked room that only authorized personnel have access to unlock.
    6. The OIT IT Asset Management Specialist will coordinate with University surplus to arrange for destruction of hard drives, including visual confirmation that such destruction is in compliance with Appendix C: Sanitization Recommendations for Protected Health Information (PHI).
    7. Upon the destruction/disposal of the media, OIT will return the completed Certificate of Media Sanitization form to the HIPAA Covered Entity Unit.

Definitions

HIPAA Privacy Officer: The individual appointed by Ohio University to be the Privacy Officer as required by the HIPAA Privacy Rule.

HIPAA Security Officer: The individual appointed by Ohio University to be the Security Officer as required by the HIPAA Security Rule.

HIPAA Covered Entity Unit: Those units that Ohio University has designated as health care components subject to HIPAA. Such units include: University Human Resources/Benefits (including the University Wellness Plan, “WellWorks”), Ohio University Therapy Associates, and the Psychology and Social Work Clinic.

HIPAA Compliance Coordinator: The individual designated as the point of contact for privacy and security matters and liaison between staff members within a HIPAA Covered Entity Unit and the University HIPAA Privacy and Security Officers.

References

45 CFR §§ 164.502(a); 164.508

Policy 03.001 General Policy on Health Insurance Portability and Accountability Act (HIPAA) Compliance

Policy 91.005 Information Security

Policy 93.001 Data Classification

Ohio University Provider HIPAA Privacy Standards and Procedures

Ohio University Health Plan HIPAA Privacy Standards and Procedures

Governance

This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders in the interest of ensuring the privacy and security of individuals’ health information, as deemed appropriate based on current regulatory mandates.

Status: Approved

Effective Date: 09/24/2019