click here to download MS Word format

UNIVERSITY POLICY

I.        PURPOSE

To establish a policy to ensure UMDNJ’s compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the destruction and disposal of documentation containing Protected Health Information (PHI).

II.       ACCOUNTABILITY

Under the direction of the President, the Deans, the Senior Vice President for Administration and Finance, the Senior Vice President for Academic Affairs, Vice President for Legal Management, Vice President for Research, Presidents/CEOs of the Healthcare Units, and the University Hospital Medical Director shall ensure compliance with this policy.

III.      APPLICABILITY

This policy shall apply to health information that is generated during provisions of health care to patients in any of the University’s patient care units, patient care centers or faculty practices as well as Human Subjects research under the auspices of the University or by any of its agents in all UMDNJ Schools, Units, Departments and University owned or operated facilities.

IV.     DEFINITIONS

Protected Health Information (PHI) - For a full definition of what constitutes protected health information, see University policy, 00-01-15-15:00, Uses and Disclosures of Health Information With and Without an Authorization.

V.       REFERENCES

A.       45 CFR, 160, Code of Federal Regulations, Title 45, Part 160, Subpart C, General Administrative Requirements, Compliance and Enforcement.

B.       45 CFR, 164.514(e), Code of Federal Regulations, Title 45, Part 164, Subpart E, Security and Privacy, Privacy of Individually Identifiable Health Information.

C.       45 CFR, 164.530, Code of Federal Regulation, Security and Privacy, Administrative Requirements.

D.       Records Management                                                  00-01-10-50:00

E.       Uses and Disclosures of Health Information
          With and Without an Authorizations                              00-01-15-15:00

VI.      POLICY

UMDNJ Schools, Units, Departments and University owned or operated facilities shall appropriately protect the privacy of health information that can identify an individual in compliance with federal and state law.  UMDNJ will act responsibly in the maintenance, retention and eventual destruction and disposal of all material containing PHI.

The destruction and disposal of PHI will be carried out in accordance with HIPAA regulations and University policy.  All PHI will be destroyed in a manner in which it cannot be recovered or reconstructed. Medical records will be maintained and destroyed in accordance with the University policy, Records Management, 00-01-10-50:00.

VII.     PROCEDURE

A.       The destruction/disposal of all PHI will be accomplished by shredding, incineration or other comparable fashion that ensures that the PHI cannot be recovered or reconstructed.  Material that has been destroyed must be stored in a secure container or receptacle, which is not in a publicly accessible location, until such time that the material is collected by Housekeeping Services or outside agency responsible for trash collection.

B.       Until such time as destruction/disposal of PHI is permissible, all PHI will be secured against unauthorized or inappropriate access.

C.       If utilizing an outside agency for destruction/disposal of PHI, a contract and a business associate agreement must be executed between UMDNJ and the outside agency.  The contract must provide that upon termination of same, the agency will return or destroy/dispose of all PHI, including proof of destruction/disposal and the methodology by which the material was destroyed.

By Direction of the President:

_________________________________________
Vice President for Legal Management

Policy Manual Table of Contents

OPPM Home Page

UMDNJ Home Page