|This policy supplement outlines the appropriate methods for disposing University records slated for destruction and supports its parent policy, the University of Alabama at Birmingham Records Retention Policy.|
The University of Alabama at Birmingham (“UAB”) is committed to protecting the security and confidentiality of protected information created or received in the course of business. The Records Retention Schedule prescribes the length of time that records created or received by the University must be retained. Once records reach the end of the scheduled retention period, they should be disposed. Records disposition is the final phase of a record’s life cycle.
Paper Records Containing Only Public Information
Most of the records that UAB maintains are administrative or financial in nature and do not contain private or sensitive information. These records should be recycled according to regular University procedures. Recycling is the preferred method to destroy paper information as it is not only environmentally friendly, but it also contributes to revenue to the University. Data is classified as public, sensitive, and restricted/PHI. Please refer to UAB's Data Classification Rule for more details.
Paper Records Containing Sensitive or Restricted/PHI
Records that contain sensitive or restricted/PHI information (e.g., social security numbers, credit card numbers, personal financial information, student academic information, employee health information, etc.) require confidential destruction procedures. Confidential destruction procedures protect protected privacy interests and guard against identity theft. There are generally two ways to destroy paper records to maintain confidentiality: confidential recycling and shredding. Shredding is required for personal health information. Shredding is also preferred for student records.
Shredding and Recycling
All paper shredding and recycling vendors are required to complete a UAB-approved Business Associate agreement to comply with HIPAA regulations.
Credit Card Information
Any records containing credit card information, including credit card numbers or merchant receipts, must be shredded.
Social Security Numbers
Any records containing social security numbers must be shredded.
Personal Health Information
Shredding is the only acceptable means for disposing of unneeded personal health information (PHI).
Disposition of electronic information must be performed in a manner that protects private or confidential information. The sale, donation, scrapping, or internal University transfer of computers or other electronic devices requires the secure destruction of information contained on the
computer or electronic device. Floppy disks, tapes, film, audiotapes, and videotapes must be physically destroyed or the information otherwise securely deleted. The destruction of electronic information must be performed according to the UAB Office of Information Security standard for data deletion. Do not simply throw electronic items in the trash. For specific instructions, you may contact UAB Information Technology.
These procedures have been adapted from University of Minnesota records retention materials.
Records Retention Policy
Data Classification Rule
Disposing of University Records Recommended Checklist
Records Retention Schedule