HIPAA Core Policy: Media Reallocation and Disposal
Abstract: 
This policy establishes guidelines for the secure reallocation, disposal, and destruction of media that contain PHI/ePHI data.

Effective Date: 9/21/2018

Review/Revised Date: 02/02/2023

Category: Ethics and Integrity

Policy Owner: Provost

Policy Contact: Chief Privacy Officer


1. PURPOSE: To ensure reallocation and disposal of media that contain PHI is conducted using secure methods that will meet the requirements of HIPAA 45 CFR 164.310(d)(1).

2. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time-to-time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, The Whitaker Clinic of UAB Hospital, UAB Callahan Eye Hospital Authority and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West Hospital Authority, An Affiliate of UAB Medicine Enterprise, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., Valley Foundation, and other UAB Medicine Enterprise managed entities that may be added from time-to-time. For purposes of this policy, UAB and UAB Medicine Enterprise Covered Entities shall be collectively referred to as “UAB.”

3. ASSOCIATED INFORMATION:

3.1. Definitions:

3.1.1. Protected Health Information (PHI)/ePHI (electronic PHI): Health information, including demographic information, collected from an individual and created or received by a health provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, that identifies an individual or for which there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act, or employment records held by a covered entity in its role as an employer.

3.1.2. Media: Any physical object or device on which data can be stored such as hard drives, disks, CDs, DVDs, tapes, paper, and other storage devices.

3.1.3. Transfer: To transmit media (internally or externally, in compliance with HIPAA or other applicable regulatory guidance) and the data contained therein from one party to another party that has the appropriate authorization to access and maintain the data.

3.1.4. Reallocate: The assignment of media from one party within UAB to another party within UAB.

3.1.5. Secure Location: Any area or place with restricted and monitored physical access through card key or physical lock.

3.1.6. Disposal: The permanent destruction of media.

3.1.7. Secure Disposal Vendor: A third party contracted to sanitize and/or dispose of media on behalf of UAB or its entities.

4. POLICY:

Reallocation

4.1. Media containing PHI/ePHI may only be dropped off in designated, secured containers or directly to a member of the appropriate Information Security Team.

4.2. Media containing PHI/ePHI information shall not be placed in trash receptacles.

Storage

4.3. ePHI shall be stored on media that is approved by the HIPAA Security Officer, which includes, but is not limited to, computers and electronic storage systems owned and leased/contracted by the organization. Exceptions to this may be approved by submitting a risk assessment request via email to riskassessments@uabmc.edu.

4.4. Media containing PHI/ePHI shall be stored in a secure location prior to sanitization and/or disposal.

Sanitization

4.5. Media containing ePHI shall be sanitized prior to being reallocated, transferred, or disposed of.

4.6. Approved sanitization methods are included in NIST Special Publication 800-88.

4.7. Media containing ePHI shall be sanitized by authorized personnel approved by the HIPAA Security Officer, and the sanitization shall be documented in the appropriate Information Security Team's media disposal database (contact the appropriate Information Security Team for details).

Disposal

4.8. Vendors shall be used for the disposal of media. Please contact the appropriate Information Security Team for a list of authorized vendors.

4.9. Vendors shall not remove any PHI/ePHI without a contractual agreement in place.

4.10. Vendors who have been granted permission to remove PHI/ePHI must secure the media for transport and acquire approval from the appropriate Information Security Team.

4.11. Service providers who host ePHI must provide a way of destroying the data as requested by UAB or upon termination of the relationship.

5. ENFORCEMENT:

5.1. Employees or vendors shall report policy violations to the appropriate Information Security Team.

5.2. Requesting or performing reallocation or disposal activities in an effort to eliminate evidence that may incriminate UAB or staff in civil or criminal litigation is strictly prohibited.

5.3. Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or assignment, depending on the severity of the infraction. In addition, UAB may report the matter to civil and criminal authorities as required by law.

5.4. Vendors who do not follow policy shall be subject to breach of contract penalties.

6. REFERENCES: National Institute of Standards & Technology (NIST) Special Publication 800-88, "Guidelines for Media Sanitization"

7. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

7.1. Your departmental HIPAA Entity Security Coordinator, found on the HIPAA website.

7.2. The HSIS Help Desk at 205-934-8888 or helpdesk@uabmc.edu.

7.3. The UAB IT AskIT Help Desk at 205-996-5555 or askit@uab.edu.

7.4. UAB HIPAA Security Office at InfoSec@uabmc.edu or 205-975-1440.

7.5. UAB IT Information Security line at 205-975-0842.

To view other HIPAA Core Policies and for more information, please visit the HIPAA website.