Section 16: Disposal of PHI
Protected Health Information (PHI): All individually identifiable health information transmitted or maintained by UTD, regardless of form. (e.g., patient name, ID number, address, telephone number, social security number, etc.)
UTD has a duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. PHI may only be disposed of by means that assure that it will not be accidentally released to an outside party. Managers must assure that appropriate means of disposal are reasonably available and operational. This policy is to define the guidelines and procedures that must be followed when disposing of information containing PHI.
Summary of Disposal Policy
- PHI must not be discarded in trash bins, unsecured recycle bags or other publicly-accessible locations. Instead this information must be personally shredded or placed in a secured recycling bag.
- Printed material and electronic data containing PHI shall be disposed of in a manner that ensures confidentiality.
- It is the individual’s responsibility to ensure that the document has been secured or destroyed. And it is the supervisor’s responsibility to ensure that their employees are adhering to the policy.
Destruction of Convenience Copies and Original Documents (Day-to-Day Destruction)
UTD Department Heads shall provide users with access to shredders or secured recycling bags for proper disposal of confidential printouts containing PHI. The user may elect to use either shredding or secure recycle bags for the destruction of convenience copies, as long as the destruction is in accordance with this policy. Original documents shall be destroyed in accordance with the Medical Record Retention Policy, Policy and the Records and Information Management and Retention Policy and this policy.
Secure methods will be used to dispose of electronic data and output. The Information Services Security Group (IS) department is responsible for the destruction of electronic copies containing PHI. However, employees may dispose of the electronic data themselves using the following methods: Deleting on-line data using the appropriate utilities;
- “Degaussing” computer tapes to prevent recovery of data;
- Deleting on-lin data using the appropriate utilities;
- Removing PHI from mainframe disk drives being sold or replaced, using the appropriate initialization utilities;
- Erasing diskettes to be re-used using a special utility to prevent recovery of data; or
- Destroying discarded diskettes.
Hardcopy (Bulk Destruction)
Secure methods will be used to dispose of hardcopy data and output.
- PHI printed material shall be shredded and recycled by a firm specializing in the disposal of confidential records or be shredded by an employee of UTD authorized to handle and personally shred the PHI.
- Microfilm or microfiche must be cut into pieces or chemically destroyed.
- After documents have reached their retention period, all PHI must be securely destroyed using the UTD record retention process governing destruction of records.
- If hardcopy PHI (paper, microfilm, microfiche, etc.) cannot be shredded, it must be incinerated.
Documentation of Destruction
- To ensure that it is in fact performed, UTD personnel or a bonded destruction service must carry out the destruction of PHI.
- If UTD personnel undertake the destruction of the records, the UTD personnel must use the UTD records destruction form provided by the Department of Records Management, if the record is found on the record retention schedule for the department destroying the record.
- If a bonded shredding company undertakes the destruction, the bonded shredding company must provide UTD with the document of destruction that contains the following information: Date of destruction Method of destruction Description of the disposed records Inclusive dates covered A statement that the records have been destroyed in the normal course of business The signatures of the individuals supervising and witnessing the destruction
- Logistics will maintain destruction documents permanently. Upon request the Logistics department and the bonded shredding company must provide the Chief Privacy Officer with the certificate of destruction.