HIPAA Core Policy: Media Reallocation and Disposal   



This policy establishes guidelines for the secure reallocation, disposal, and destruction of media that contain PHI/ePHI data.

Effective Date: 9/21/2018


Review/Revised Date: 9/21/2018


Category: Ethics and Integrity


Policy Owner: Provost

Policy Contact: Chief Privacy Officer



1. PURPOSE: To ensure reallocation and disposal of media that contain PHI is conducted using secure methods that will meet the requirements of HIPAA 45 CFR 164.310(d)(1).

2. PHILOSOPHY: It is UAB's position that information in all forms and throughout its life cycle shall be protected from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. Improper handling and disclosure of information pose significant risks to UAB, including violation of federal and state laws.

3. APPLICABILITY: This policy applies to all UAB Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Whitaker Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West, VIVA Health, Inc., the University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, other UABHS/HSF managed entities that may be added from time to time, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions, UAB School of Nursing, School of Education Community Clinic, UAB Health Plans, and other covered entities that may be added from time to time. For purposes of this policy, UAB Covered Entities shall be referred to as "UAB."


4.1. Definitions:

4.1.1. Protected Health Information (PHI)/ePHI (electronic PHI): Health information, including demographic information, collected from an individual and created or received by a health provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act and employment records held by a covered entity in its role as an employer.

4.1.2. Media: Any physical object or device on which data can be stored such as hard drives, disks, CDs, DVDs, tapes, paper, and other storage devices.

4.1.3. Transfer: To transmit media (internally or externally in compliance with HIPAA or other applicable regulatory guidance) and the data contained therein from one party to another party that has the appropriate authorization to access and maintain the data.

4.1.4. Reallocate: The assignment of media from one party within UAB to another party within UAB.

4.1.5. Secure Location: Any area or place with restricted and monitored physical access through card key or physical lock.

4.1.6. Disposal: The permanent destruction of media.

4.1.7. Secure Disposal Vendor: A third party contracted to sanitize and/or dispose of media on behalf of UAB or entities.



5.1. Media containing PHI/ePHI may only be dropped off in designated, secured containers or directly to a member of the appropriate Information Security Team.

5.2. Media containing PHI/ePHI shall not be placed in trash receptacles.


5.3. ePHI shall be stored on media that is approved by the HIPAA Security Officer, which includes, but is not limited to, computers and electronic storage systems owned and leased/contracted by the organization. Exceptions to this may be approved by submitting a risk assessment request via email: riskassessments@uabmc.edu.

5.4. Media containing PHI/ePHI shall be stored in a secure location prior to sanitization and/or disposal.


5.5. Media containing ePHI shall be sanitized prior to being reallocated, transferred, or disposed of.

5.6. Approved sanitization methods are included in NIST Special Publication 800-88.

5.7. Media containing ePHI shall be sanitized by authorized personnel approved by the HIPAA Security Officer and documented in the appropriate Information Security Team's media disposal database (contact the appropriate Information Security Team for details).


5.8. Vendors shall be used for the disposal of media. Please contact the appropriate Information Security Team for a list of authorized vendors.

5.9. Vendors shall not remove any PHI/ePHI without a contractual agreement in place.

5.10. Vendors who have not been granted permission to remove PHI/ePHI must secure the media for transport and acquire approval from the appropriate Information Security Team.

5.11. Service providers who host ePHI must provide a way of destroying the data as requested by UAB or upon termination of the relationship.


5.12. Employees or vendors shall report policy violations to the appropriate Information Security Team.

5.13. Requesting or performing reallocation or disposal activities in an effort to eliminate evidence that may incriminate UAB or staff in civil or criminal litigation is strictly prohibited.

5.14. Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or assignment, depending on the severity of the infraction. In addition, UAB may report the matter to civil and criminal authorities as required by law.

5.15. Vendors who do not follow policy shall be subject to breach of contract penalties.

6. REFERENCES: National Institute of Standards & Technology (NIST) Special Publication 800-88, "Guidelines for Media Sanitization."

7. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

7.1. Your departmental HIPAA Entity Security Coordinator found on the HIPAA website

7.2. The HSIS Help Desk at 934-8888 or helpdesk@uabmc.edu

7.3. The UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu.

7.4. UAB HIPAA Security Office at InfoSec@uabmc.edu or (205) 975-1440.

7.5. UAB IT Information Security line at 975-0842.

To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.