1609.1 General Guidelines for Media Containing Confidential Information
1609.2 Disposal of Media Containing Confidential Information
This policy covers all organizational units of the University and applies to media in any format that contains confidential information.
Prevention of unauthorized access to Yale University’s confidential information, including protected health information (PHI), will be maintained by controlling the use, re-use, storage and disposal of media containing such information.
To ensure that sensitive data is protected from unauthorized access and disclosure and to comply with the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.
Information that is directly related to the business of Yale University (including finance & administration, alumni affairs, development, human resources, student affairs, legal, clinical and research data), the unauthorized disclosure of which poses or may pose a threat to the University or a violation of law. (See also: High Risk and Moderate Risk Data, as defined in Yale Policy 1604 Data Classification Policy).
Media containing confidential and Protected Health Information (PHI) may include, but is not limited to:
Please also refer to the Master Glossary of HIPAA Security Terms in the Definitions section within Policy 5100 Electronic Protected Health Information Security Compliance.
All media containing confidential information should be handled in a manner to prohibit unauthorized access.
Complete removal of confidential information from electronic media is required before the media is made available for re-use.
When the use or retention period of any media containing confidential information is completed, the confidential information must be destroyed, rendered unrecoverable, or returned to the owner.
Procedures specific to protected health information (PHI) apply only to the University’s Covered Components, designated as such for purposes of complying with the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996. The Covered Components are: (1) the Group Health Plan Component; and (2) the Covered Health Care Component, comprised of the School of Medicine, School of Nursing, Department of Psychology clinics and Yale University Health Services.
Please refer to the comprehensive summary of HIPAA Security Roles and Responsibilities provided within Policy 5100 Electronic Protected Health Information Security Compliance.