
Title: Protected Health Information: Destruction and Disposal
Subject: Office of Compliance & Corporate Integrity (OCCI)
Policy No: OCCI:2013:P11
Applies: RowanSOM
Issuing Authority: President
Responsible Officer: Chief Audit, Compliance & Privacy Officer; Director of Information Security
Date Adopted: 07/01/2013
Last Revision: 031/2726/20202021
Last Reviewed:  031/2726/20202021

I.    PURPOSE

To establish a policy that ensures compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and the Omnibus Privacy Final Rule of 2013 in the destruction and disposal of documentation containing Protected Health Information (PHI).

...

  1. 45 CFR, 160, Code of Federal Regulations, Title 45, Part 160, Subpart C, General Administrative Requirements, Compliance and Enforcement
  2. 45 CFR, 164.514(e), Code of Federal Regulations, Title 45, Part 164, Subpart E, Security and Privacy, Privacy of Individually Identifiable Health Information
  3. 45 CFR, 164.530, Code of Federal Regulations, Security and Privacy, Administrative Requirements
  4. Records Management Policy
  5. Uses and Disclosures of Health Information With and Without an Authorization Policy
  6. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  7. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
  8. Omnibus Privacy Final Rule of 2013
  9. Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g
  10. 20 U.S.C. 1232g(a)(4)(B)(iv)

VI. POLICY

RowanSOM Departments and RowanSOM owned or operated facilities shall appropriately protect the privacy of health information that can identify an individual in compliance with federal and state law. RowanSOM will act responsibly in the maintenance, retention and eventual destruction and disposal of all material containing PHI, which includes PHI on fax and copier machine hard drives. The destruction and disposal of PHI will be carried out in accordance with HIPAA regulations and RowanSOM policy. All PHI will be destroyed in a manner in which it cannot be recovered or reconstructed by leveraging the shredding bins provided directly on RowanSOM sites. Medical records will be maintained and destroyed in accordance with the RowanSOM policy, Records Management.

VII. ATTACHMENTS

...

  1. Attachment 1 - Procedures for the Destruction/Disposal of All Protected Health Information (PHI)

...

VIII. NON-COMPLIANCE AND SANCTIONS

Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University in accordance with their union and University rules. Civil and criminal penalties may be applied accordingly. Violations of this policy may require retraining and be reviewed with the employee during the annual appraisal process. The Deans of each College, Vice Presidents, and University President, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently to all violators regardless of job titles or level within the University and in accordance with bargaining agreements for represented employees. Any sanction costs or fines will be borne by the Department and the Department Chair or VP will determine how these funds will be assigned.


By Direction of the President:

...

ATTACHMENT 1
PROCEDURES FOR THE DESTRUCTION/DISPOSAL OF ALL PROTECTED HEALTH INFORMATION (PHI)

  1. Until such time as destruction/disposal of PHI is permissible, all PHI will be secured against unauthorized or inappropriate access.
  2. The destruction/disposal of all PHI will be completed using the shredding bin provided directly on RowanSOM sites. Any material/documents shredded at a non-RowanSOM site must be brought back in a secure manner to a RowanSOM site and disposed of in an office shredding bin. This will ensure proper destruction/disposal of PHI.
  3. The destruction/disposal of all PHI will be accomplished by shredding, incineration or other comparable fashion that ensures that the PHI cannot be recovered or reconstructed. Material that has been destroyed must be stored in a secure container or receptacle, which is not in a publicly accessible location, until such time that the material is collected by Housekeeping Services or outside agency responsible for trash collection.
  4. If utilizing an outside agency for destruction/disposal of PHI, a contract and a business associate agreement must be executed between RowanSOM and the outside agency. The contract must provide that upon termination of same, the agency will return or destroy/dispose of all PHI, including proof of destruction/disposal and the methodology by which the material was destroyed.