While we often work with Security Officers on the protection of PHI, the Privacy Officer is also responsible for maintaining the privacy of patients' health information by ensuring it is securely disposed of once it is no longer needed. An organization's policies should outline how PHI is protected while it awaits disposal: it should be kept in a locked bin or a locked room that only the people who need it can access. This sanitization process covers all confidential data and PHI on any media, including paper media, removable media, business mobile computing devices, and information assets, prior to disposal, release out of organizational control, or release for reuse.
The Privacy and Security Officers will have to determine whether media, devices, or assets must be:
- Retained prior to disposal.
- Released out of organizational control.
- Released for reuse.
- Securely destroyed or sanitized.
Every department must maintain a log or tracking system for all sanitization and destruction activities, whether that is the destruction of hard drives, the shredding of paper PHI, or the sanitization of a mobile device for reuse.
Business Associates should follow the same steps for the secure disposal of PHI and should supply a certificate of sanitization or destruction for all media and assets.