Skip to content

Latest commit

 

History

History
29 lines (20 loc) · 3.6 KB

14-disposable_media_policy.md

File metadata and controls

29 lines (20 loc) · 3.6 KB

14. Disposable Media Policy

Cloudticity recognizes that media containing ePHI may be reused when appropriate steps are taken to ensure that all stored ePHI has been effectively rendered inaccessible. Destruction/disposal of ePHI shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for ePHI involved in any open investigation, audit, or litigation.

Cloudticity utilizes dedicated hardware from subcontractors. We do not store ePHI in our hosted environment. All SSD volumes utilized by Cloudticity customers to store ePHI are encrypted. Cloudticity does not use, own, or manage any mobile devices, SD cards, or tapes that have access to ePHI.

14.1 Applicable Standards

14.1.1 Applicable Standards from the HITRUST Common Security Framework

  • 09.o - Management of Removable Media

14.1.2 Applicable Standards from the HIPAA Security Rule

  • 164.310(d)(1) - Device and Media Controls

14.2 Disposable Media Policy

  1. All removable media is restricted, audited, and encrypted.
  2. Cloudticity assumes all disposable media in its platform may contain ePHI, so it treats all disposable media with the same protections and disposal policies.
  3. All destruction/disposal of ePHI media will be done in accordance with federal and state laws and regulations and pursuant to Cloudticity's written retention policy/schedule. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.
  4. Records involved in any open investigation, audit, or litigation should not be destroyed/disposed of. If notification is received that any of the above situations have occurred or there is the potential for such, the record retention schedule shall be suspended for these records until the situation has been resolved. If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed/disposed of by the requesting party.
  5. Before reuse of any media, all ePHI is rendered inaccessible, cleaned, or scrubbed. All media is formatted to restrict future access.
  6. All Cloudticity subcontractors provide that, upon termination of the contract, they will return or destroy/dispose of all patient health information. In cases where the return or destruction/disposal is not feasible, the contract limits the use and disclosure of the information to the purposes that prevent its return or destruction/disposal.
  7. Any media containing ePHI is disposed using a method that ensures the ePHI could not be readily recovered or reconstructed.
  8. The methods of destruction, disposal, and reuse are reassessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services.
  9. In the cases of a Cloudticity customer terminating a contract with Cloudticity and no longer utilizing Cloudticity services, the following actions will be taken depending on the Cloudticity services in use. In all cases, it is solely the responsibility of the Cloudticity customer to maintain the safeguards required of HIPAA once the data is transmitted out of Cloudticity systems.
    • For SaaS or MaaS customer termination, Cloudticity will provide the customer with the ability to export data in a commonly used format for 30 days from the time of termination.
    • For PaaS customer termination, Cloudticity will unconsolidate billing, have the customer add their own credit card for payment, and execute any necessary AWS legal agreements.