1609 Media Control
This policy covers all organizational units of the University and applies to media in any format that contains confidential information.
Prevention of unauthorized access to Yale University’s confidential information, including protected health information (PHI), will be maintained by controlling the use, re-use, storage and disposal of media containing such information.
Reason for the Policy
To ensure that sensitive data is protected from unauthorized access and disclosure and to comply with the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.
Information that is directly related to the business of Yale University (including finance & administration, alumni affairs, development, human resources, student affairs, legal, clinical and research data), the unauthorized disclosure of which poses or may pose a threat to the University or a violation of law. (See also: High Risk and Moderate Risk Data, as defined in Yale Policy 1604 Data Classification Policy).
Media containing confidential and Protected Health Information (PHI) may include, but is not limited to:
- Paper, for example:
- Permanent documents, such as medical records, billing records, etc.
- Copies of documents, worksheets, schedules, self-stick notes, chart covers, and any other paper of any color or weight.
- Labels that are unused or can easily be removed from material to which they have been affixed (e.g., prescription bottles, IV bags, patient wristbands).
- Overhead transparencies
- Electronic media, for example:
- Computers and any other media on which confidential information is recorded
- Personal Digital Assistant (PDA), or any other handheld and/or wireless device
- Removable magnetic media (e.g., diskette, compact disk (CD), digital video disc (DVD) optical disk, zip disk)
- Hard disk
- Audiotape, videotape, and other miscellaneous media formats, for example:
- Non-removable labels that have been affixed to prescription bottles, IV bags, etc.
- Patient wrist bands
- Embosser plates
- X-ray film
- Microfilm, microfiche, and other miniaturized material not in a container.
Please also refer to the Master Glossary of HIPAA Security Terms in the Definitions section within Policy 5100 Electronic Protected Health Information Security Compliance.
All media containing confidential information should be handled in a manner to prohibit unauthorized access.
Complete removal of confidential information from electronic media is required before the media is made available for re-use.
When use or retention period of any media containing confidential information is completed, the confidential information must be destroyed, rendered unrecoverable, or returned to the owner.
Special Situations & Exceptions
Procedures specific to protected health information (PHI) apply only to the University’s Covered Components, designated as such for purposes of complying with the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996. The Covered Components are: (1) the Group Health Plan Component; and (2) the Covered Health Care Component, comprised of the School of Medicine, School of Nursing, Department of Psychology clinics and Yale University Health Services.
Roles & Responsibilities
Please refer to the comprehensive summary of HIPAA Security Roles and Responsibilities provided within Policy 5100 Electronic Protected Health Information Security Compliance.