Disposable Media Policy

MolecularMatch recognizes that media containing ePHI may be reused when appropriate steps are taken to ensure that all stored ePHI has been effectively rendered inaccessible. Destruction/disposal of ePHI shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for ePHI involved in any open investigation, audit, or litigation.

This policy, and the associated procedures for disposal of media, has been subcontracted to a third-party, HIPAA-compliant Platform as a Service vendor (PaaS Subcontractor). We have verified that their policies and procedures meet or exceed our standards and those of HIPAA and the HITRUST Common Security Framework. As such, we have assurances that media will be disposed of properly when no longer used or needed. Dedicated hardware from PaaS Subcontractors is utilized. ePHI is only stored on encrypted data volumes provided by our PaaS Subcontractor. There is no other medium on which ePHI is allowed to reside, including any mobile, SD card, or tape-based storage.

Proof of such due diligence is kept by the Security Officer.

Applicable Standards from the HITRUST Common Security Framework

  • 0.9o - Management of Removable Media

Applicable Standards from the HIPAA Security Rule

  • 164.310(d)(1) - Device and Media Controls

Disposable Media Policy

  1. All removable media is restricted, audited, and encrypted.
  2. All disposable media within the production environment is assumed to contain ePHI, so all disposable media is treated with the same protections and disposal policies.
  3. All destruction and disposal of ePHI media will be done in accordance with federal and state laws and regulations and pursuant to the written retention policy/schedule. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.
  4. Records involved in any open investigation, audit, or litigation should not be destroyed/disposed of. If notification is received that any of the above situations has occurred or there is the potential for such, the record retention schedule shall be suspended for these records until the situation has been resolved. If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed/disposed of by the requesting party.
  5. Before reuse of any media, all ePHI is rendered inaccessible, cleaned, and scrubbed. All media is formatted to restrict future access.
  6. All Subcontractors provide that, upon termination of a contract, they will return or destroy/dispose of all patient health information. In cases where the return or destruction/disposal is not feasible, the contract limits the use and disclosure of the information to the purposes that prevent its return or destruction/disposal.
  7. Any media containing ePHI is disposed of using a method that ensures the ePHI cannot be readily recovered or reconstructed.
  8. The methods of destruction, disposal, and reuse are reassessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services.