DRAFT 
HIPAA Security Policies
Workstation and Storage Media Hardware Disposal

DRAFT adopted by HIPAA Security Committee on 11/17/03

Policy Summary

This policy governs the procedures required prior to the disposal of any workstation or storage media hardware from the Marshall University Joan C. Edwards School of Medicine / University Physicians & Surgeons (SOM/UP&S).

Purpose

This policy reflects the commitment to ensure that all workstation and storage media hardware disposed of by SOM/UP&S is free of electronic protected health information (PHI) and other confidential data or information.

Policy

Any workstation or storage media owned by a department or division of SOM/UP&S must be disposed of in accordance with any applicable federal, state, local and university laws and regulations regarding the surplus of institutionally-owned equipment. Further, any such workstation or storage media hardware must be cleaned of any PHI or other confidential data or information by means of the procedures described here. It is the responsibility of the chair or head of the department or division owning the workstation or storage media to ensure that this policy is adhered to for any devices disposed of.

Scope / Applicability

This policy applies to all workstation and storage media hardware purchased, owned, controlled or used by SOM/UP&S, including equipment purchased by the Marshall University Research Corporation on behalf of individuals or departments within SOM/UP&S, equipment donated and equipment in any other way obtained and owned by SOM/UP&S.  Chairs and heads of departments or divisions having ownership of such equipment are responsible for providing access to the workstations or storage media for processing prior to their disposal. 

Regulatory Categories

Physical Safeguards

Regulatory Type

REQUIRED implementation specification for workstation disposal.

Regulatory References

  1. §164.310(c)(2)(i) “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”

Definitions

Workstation 

"An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment" (§164.304).

Responsible Department

The chair or head of the department or division having ownership of such equipment is responsible for providing access to the workstations or storage media for processing prior to their disposal.

Related Policies

Renewal / Review

This policy shall be reviewed annually to determine if it complies with current HIPAA Security regulations and is appropriate given current technology. In the event that significant related regulatory changes occur, the policy will be reviewed and updated as needed.

Procedures

  1. At least one week prior to the disposal of any workstation or storage media hardware, the department or division having ownership will provide the device to the Division of Information Technology & Medical Informatics (DITMI).
  2. DITMI will wipe the workstation or storage media's data contents with a utility that meets Department of Defense cleaning and sanitizing standard DoD 5220.22-M.
  3. DITMI will document the following information about the process:  workstation make, model, serial number and Marshall University inventory tag number; owning department or division; DITMI technician performing the process; and date of completion.
  4. DITMI will not attempt to reinstall any software onto the workstation or storage media.
  5. The owning department or division is responsible for providing any desired, original installation media for appropriately licensed software and, once the steps described here are complete, for moving the machine to the next step in the disposal process.

Adoption

Adopted by SOM/UP&S Board of Directors on [date].

 

Copyright © 2003 University Physicians & Surgeons - All Rights Reserved | Last Modified November 18, 2003