MEDIA DISPOSAL POLICY
Organization: [ORGANIZATION NAME]
Effective Date: [DATE]
Last Revised: [DATE]
Policy Owner: [SECURITY OFFICER]
1. PURPOSE AND SCOPE
This Media Disposal Policy establishes procedures for the secure disposal and destruction of media containing Protected Health Information (PHI) or electronic PHI (ePHI) to ensure that disposed media cannot be read or recovered.
The policy applies to all workforce members, contractors, and business associates who handle, store, or dispose of media containing PHI, including paper records, hard drives, backup media, mobile devices, and other storage devices.
2. POLICY STATEMENT
[Organization Name] is committed to protecting patient privacy and security by ensuring that all media containing PHI is securely and irreversibly destroyed when no longer needed for business, legal, or operational purposes.
All disposal of media containing PHI must be conducted in accordance with this policy and HIPAA requirements. No media containing PHI may be discarded in regular waste or recycling without prior secure destruction.
3. TYPES OF MEDIA AND DISPOSAL METHODS
3.1 PAPER RECORDS
Paper-based medical records, documents, and materials containing PHI shall be disposed of using one of the following methods:
Method 1: Cross-Cut Shredding
- Use cross-cut shredder rated for destruction of confidential documents
- Shred into pieces no larger than 3/8 inch x 1 1/2 inch (or equivalent)
- Shredder security level: DIN 66399 Level P-4 or higher
- Collect shredded material in locked bin
- Dispose of shredded material as regular waste only after PHI is unrecoverable
Method 2: Pulping
- Transport paper to commercial paper pulping facility
- Facility must understand HIPAA requirements and document the destruction
- Obtain Certificate of Destruction from facility
- Verify facility uses appropriate pulping process
Method 3: Incineration
- Use licensed medical waste incinerator
- Facility must be certified and maintain disposal records
- Obtain Certificate of Destruction from facility
- Track waste from organization to final destruction
Method 4: Approved Third-Party Disposal Service
- Use medical record destruction service approved by [Organization Name]
- Service must provide Certificate of Destruction
- Service must carry appropriate insurance
- Organization must verify service certifications annually
3.2 HARD DRIVES AND SOLID STATE DRIVES (SSDs)
Hard drives and SSDs shall be disposed of using one of the following methods:
Method 1: NIST-Approved Wiping Software
- Use NIST SP 800-88 compliant data wiping software
- Tools include: DBAN, Eraser, KillDisk, or the drive's built-in ATA Secure Erase command (overwrite tools cannot reliably reach every cell of an SSD; use Secure Erase or cryptographic erase for SSDs)
- Wipe the entire drive, every sector, not just files or partitions
- Verify the wipe by reading the drive back and record the result on a Certificate of Data Destruction
- After wiping, device can be donated, sold, or recycled
Method 2: Physical Destruction
- Use high-powered magnet degaussing equipment (≥16,000 Gauss) for magnetic hard drives only; degaussing has no effect on SSDs, which must be shredded
- Or use certified hard drive shredding service
- Devices rendered permanently unusable
- Obtain Certificate of Destruction from service provider
Method 3: Encryption-Based Disposal
- Applies only if the drive was protected by full disk encryption (FDE) before PHI was written to it
- Destroy the encryption keys (cryptographic erase) so the remaining ciphertext cannot be recovered
- Securely store or destroy the drive
- Document the key destruction and the final disposal of the drive
Method 4: Certified Destruction Service
- Use ITAD (IT Asset Disposition) service certified for data destruction
- Service must carry proper insurance and certifications
- Obtain Chain of Custody documentation
- Obtain Certificate of Destruction
- Verify service compliance annually
3.3 BACKUP TAPES AND OPTICAL MEDIA (CDs, DVDs)
Backup tapes and optical media containing PHI shall be disposed of using:
Method 1: Physical Destruction
- Use certified tape/media destruction service
- Service must use demagnetization, shredding, or pulping
- Obtain Certificate of Destruction
- Optical media must be shredded or incinerated
Method 2: Degaussing
- For magnetic tapes: use industrial-strength degausser
- Must meet military standards (5220.22-M or equivalent)
- Verify complete erasure with testing
- After degaussing, media can be disposed of as regular waste
Method 3: Incineration
- Use licensed hazardous waste incinerator
- Facility certifies destruction
- Obtain Certificate of Destruction
Documentation must include:
- Media identification and quantity
- Date of disposal
- Method used
- Facility or service name
- Certificate of Destruction
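The verification steps in 3.2 Method 1 ("verify the wipe") and 3.3 Method 2 ("verify complete erasure with testing") both amount to reading the sanitized media back and confirming that none of the original content survived; the following added example (not part of this policy or any named tool) shows both the full read-back and the representative-sample check described in NIST SP 800-88, run against constructed disk images in place of a real block device, which is an assumption here.

```python
# Added example (not part of the policy): read-back verification after a wipe,
# modelled on NIST SP 800-88's full-read and representative-sample checks.
# Paths are files here; on a real host the path would be the block device.
import os
import random
import tempfile

SECTOR = 512

def verify_full(path, fill=0x00):
    """Read every byte and confirm it equals the wipe pattern.
    Returns (ok, first_bad_offset); first_bad_offset is None when ok."""
    pattern = bytes([fill]) * (1024 * 1024)
    offset = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(len(pattern))
            if not chunk:
                return True, None
            if chunk != pattern[:len(chunk)]:
                bad = next(i for i, b in enumerate(chunk) if b != fill)
                return False, offset + bad  # first byte the wipe missed
            offset += len(chunk)

def verify_sampled(path, sectors=64, fill=0x00, seed=None):
    """Representative-sample check: read `sectors` random sectors plus the
    first and last sector, confirming each holds the pattern. Faster than a
    full read, but small residue between samples can be missed."""
    total = os.path.getsize(path) // SECTOR
    rng = random.Random(seed)
    picks = {0, total - 1} | {rng.randrange(total) for _ in range(sectors)}
    with open(path, "rb") as fh:
        for s in sorted(picks):
            fh.seek(s * SECTOR)
            if any(b != fill for b in fh.read(SECTOR)):
                return False, s * SECTOR
    return True, None

def make_image(residue_at=None, size=2 * 1024 * 1024):
    """Constructed sample image: zero-filled, optionally with PHI-like text
    planted at `residue_at` to simulate an incomplete overwrite."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\x00" * size)
        if residue_at is not None:
            fh.seek(residue_at)
            fh.write(b"PATIENT: DOE, JANE  MRN 0000000 (constructed)")
    return path
```

A sampled check is only evidence, not proof: the full read-back is the one to cite on the Certificate of Data Destruction, with the sampled check reserved for spot audits of very large media.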
3.4 MOBILE DEVICES (PHONES, TABLETS, LAPTOPS)
Mobile devices containing PHI shall be disposed of using:
Method 1: Remote Wiping
- Use mobile device management (MDM) software to wipe device
- All data and accounts removed remotely
- Verify wipe completion through MDM console
- Document date, time, and device identification
- After wiping, device can be donated or recycled
Method 2: Factory Reset
- Perform factory reset through device settings menu
- Note: A factory reset alone may not securely remove data
- If the device held PHI, combine the reset with a verified software wipe or physical destruction
Method 3: Physical Destruction
- Use certified device destruction service
- Service must physically destroy device
- Obtain Certificate of Destruction
- Device rendered permanently unusable
Method 4: Certified ITAD Service
- Use IT Asset Disposition service
- Service must offer data destruction verification
- Obtain Certificate of Destruction
- Maintain documentation of service certifications
3.5 PRINTERS, COPIERS, AND MULTIFUNCTION DEVICES
Office equipment with internal memory or hard drives:
Method 1: Data Sanitization
- Use manufacturer's data sanitization tool
- Overwrite all memory storage
- Document sanitization completion
- Remove hard drive if present and destroy separately
- Equipment can then be donated or recycled
Method 2: Hard Drive Removal and Destruction
- Remove internal hard drive from equipment
- Destroy hard drive using approved methods (3.2)
- Securely dispose of other equipment components
- Document drive identification and destruction method
- Obtain Certificate of Destruction for drive
Method 3: Manufacturer Wipe
- Contact manufacturer for official wipe service
- Return equipment to manufacturer for data destruction
- Manufacturer provides Certificate of Destruction
- Verify manufacturer compliance with HIPAA
3.6 CLOUD-BASED AND VIRTUAL DATA
For electronically stored PHI in cloud systems or virtual environments:
Method 1: Secure Deletion
- Use cloud provider's secure deletion/purge tools
- Overwrite the data or perform a cryptographic erase
- Obtain confirmation of deletion from provider
- Document deletion date and confirmation
Method 2: Encryption Key Destruction
- Applies only if the data was encrypted at rest and the encryption key is destroyed
- Once the key is destroyed, the data is unrecoverable
- Document key destruction date and method
- Maintain destruction evidence
Method 3: Contractual Assurance
- Require Business Associate Agreement with destruction clause
- Cloud provider must certify destruction upon request
- Maintain documentation of destruction verification
4. RETENTION SCHEDULE
Media containing PHI shall be retained only as long as necessary for:
- Active patient care needs
- Regulatory requirements (minimum 6 years typical)
- Litigation hold requirements
- Business operations needs
Once retention period expires:
- Media must be identified for destruction
- Destruction must occur within [30] days
- Destruction may be expedited when a security incident or breach requires it
- Document all retention decisions
5. DISPOSAL PROCEDURES
5.1 Identification and Inventory
All media containing PHI must be:
- Clearly labeled as containing PHI
- Tracked in media inventory system
- Assessed for retention necessity
- Marked for disposal when retention expires
5.2 Segregation and Secure Storage
Media awaiting disposal must be:
- Segregated from regular waste
- Stored in locked, secure area
- Protected from theft or unauthorized access
- Kept in environmentally appropriate conditions
- Held for as short a period as possible (target: 30 days or less)
5.3 Destruction Documentation
For each disposal event, document:
- Description of media being destroyed
- Quantity and identifying information
- Date of destruction
- Method of destruction used
- Location/facility where destruction occurred
- Individuals who witnessed destruction
- Certificate of Destruction obtained
- Approval and sign-off from responsible party
5.4 Third-Party Service Verification
When using third-party disposal services:
- Verify service credentials and certifications
- Obtain signed Service Agreement/contract
- Require Chain of Custody documentation
- Obtain Certificate of Destruction
- Maintain all documentation for 6+ years
- Verify service compliance annually
6. PROHIBITED DISPOSAL METHODS
The following disposal methods are NOT permitted:
- Placing media in regular trash or recycling
- Throwing away without destruction
- Donating or selling equipment with intact PHI
- Leaving media in dumpsters or landfills
- Selling to secondary markets without secure data removal
- Incomplete wiping or degaussing
- Methods that leave recoverable data traces
7. CHAIN OF CUSTODY
All media requiring destruction shall maintain chain of custody:
- Identify media custodian
- Document transfer of custody
- Verify receipt by next custodian
- Track media until final destruction
- Document any delays or exceptions
- Maintain custody documentation for 6+ years
Template: [MEDIA DISPOSAL CHAIN OF CUSTODY FORM]
8. DESTRUCTION VERIFICATION
Proof of destruction must include:
- Certificate of Destruction from facility
- Date of destruction
- Description of media destroyed
- Method of destruction
- Signature of authorized representative
- Facility certifications/qualifications
- Contact information for facility
- Confirmation that data is unrecoverable
9. RESPONSIBILITIES
9.1 All Workforce Members
- Follow media disposal procedures
- Do not discard media containing PHI in regular waste
- Report damaged or degraded media
- Report lost or stolen media
9.2 Department Managers
- Establish retention schedules for their departments
- Ensure staff training on disposal procedures
- Monitor compliance with disposal requirements
- Approve destruction requests
9.3 IT Department
- Maintain inventory of electronic media
- Configure secure deletion procedures
- Oversee IT asset disposition services
- Document destruction of IT equipment
9.4 Security Officer
- Oversee media disposal policy
- Approve disposal service providers
- Maintain destruction documentation
- Audit compliance with procedures
10. TRAINING
All workforce members with media handling responsibilities shall receive training on:
- Media disposal policy requirements
- Identification of media containing PHI
- Approved disposal methods
- Secure storage prior to disposal
- Chain of custody procedures
- Consequences of improper disposal
Training shall be provided:
- Upon hire for all new employees
- Annually for all workforce members
- When policy is updated
- Upon any security incident
11. AUDIT AND COMPLIANCE
11.1 The organization shall:
- Maintain documentation of all media disposal activities
- Audit media disposal compliance quarterly
- Verify third-party service certifications annually
- Review and report on disposal procedures
- Address any non-compliance immediately
11.2 Records to maintain:
- Inventory of media created and retained
- Retention schedules and decisions
- Destruction requests and approvals
- Certificates of Destruction
- Chain of Custody documentation
- Training records
- Audit findings and corrective actions
11.3 Record retention:
- Maintain all destruction documentation for minimum 6 years
- Maintain third-party service agreements and certifications indefinitely
- Quarterly compliance reports maintained for 3 years
12. POLICY APPROVAL AND IMPLEMENTATION
This Media Disposal Policy is effective as of [DATE] and approved by:
Security Officer:
Signature: _________________________ Date: _________
Print Name: _______________________
Privacy Officer:
Signature: _________________________ Date: _________
Print Name: _______________________
Executive Leadership:
Signature: _________________________ Date: _________
Print Name: _________________________