Washington University in St. Louis’ university data resources, by definition, practice and intent, are university assets.
This document establishes guidelines for the reuse and disposal of media containing securable university data and the responsibilities of the owners of those media for sanitization. The guideline refers to all media containing securable university data, whether printed or electronic, and will serve to:
- Ensure media containing university data can be reused or disposed of in accordance with institutional policies and state and federal privacy and security laws and regulations;
- Provide guidance in the development and implementation of processes and procedures to reuse or dispose of media containing securable university data.
All media containing securable university data, whether hardcopy or electronic, is subject to this guideline when it leaves the control of the responsible department and is destined for reuse or disposal. Media that will be reused within a department where there is a transfer in ownership is also subject to this guideline.
All media containing securable university data is under the control of the data steward/owner for that data. A change or transfer in ownership of the physical media containing securable university data does not negate the responsibility of the data steward/owner.
Responsibilities for implementation
Every data steward/owner of a university system that hosts or consumes university data is responsible for implementing and ensuring compliance with Washington University in St. Louis’ media reuse and disposal guideline and must initiate corrective action with the proper authorities of the university if it is needed.
- Communicating all applicable guidelines to applicable faculty, staff and students
- Establishing specific goals, objectives and action plans to implement the applicable guidelines
- Developing plans that guide information system and database development to satisfy both customers and institutional information needs
- Actively supporting strong data management through data stewardship
- Ensuring availability of education and training in data management principles, including security awareness, to workforce members whose jobs require them to access, maintain or use this data
- Defining an appropriate level of security that corresponds to the sensitivity of the information
Outline procedures that govern receipt, removal and movement of hardware and electronic media containing ePHI or securable university data within the workspace of the department. These guidelines and procedures pertain to the use of hard drives, storage systems, removable disks, floppy drives, CD-ROMs, memory sticks and all other forms of removable media and storage devices.
Data Destruction of ePHI or Securable University Data on Storage Device Prior to Discarding or Reuse of Storage Device
PCs, Laptops, Tablets, Phones: Before wiping data from any of these types of devices, users, system managers or the Network Security Office staff must ensure that there is no ePHI or securable university data located on the device. If no ePHI or securable university data is found (at present), the device may be wiped clean using a data destruction tool. If ePHI or securable university data is found to reside on the device, and if it is the only copy of said ePHI or securable university data, that data must be copied to an alternate and equally secure location prior to the drive or disk being erased. When a PC or laptop is leaving the department for whatever reason, the device must be wiped clean using the data destruction tool prior to leaving the department. Note that a data destruction tool which adheres to the Department of Defense (DoD 5220.22-M) standard is recommended. Note that in cases where a hard drive is not functioning and a data destruction tool cannot be used, the drive must either be degaussed or physically destroyed.
CDs, etc.: If any of these types of media storage are known to contain ePHI or securable university data, they must be destroyed when no longer needed. Floppy disks must be erased using the data destruction tool or physically destroyed, and CDs must be physically broken prior to disposal.
Flash Memory Sticks: Memory sticks in which ePHI or securable university data has been stored must be formatted and the data destroyed using the data destruction tool. If a memory stick is no longer working and accessible, and cannot be formatted, it must be physically destroyed prior to disposal.
Moving Devices with ePHI or Securable University Data
PCs, Laptops, Tablets, Phones: The user must oversee the movement of a device containing ePHI or securable university data if moving is performed by a third party (e.g., moving company) and the device is not otherwise physically secured. Encryption is also recommended and, in some cases, required by federal and state law.
Flash Memory Sticks: Users must use care when carrying these devices from location to location to ensure they are not lost or stolen. Files located on the devices should be either encrypted or password protected. Encryption is also recommended and, in some cases, required by federal and state law.
Offsite backup media: If removable media used for backup and disaster recovery is stored and transported between locations using a secured environment, the use of a data destruction tool between uses is not necessary.
In addition to the security requirements for general university data, HIPAA mandates the following requirements for any media containing ePHI:
- If the media contains ePHI that will be used in the future, an exact copy of the data must be made prior to its destruction or purge.
- Any media containing ePHI must be tracked, and a record of its purge, destruction or reuse must be kept.
Updated April 1, 2013