Section 27: Maintaining and Storing of PHI;
Secure Destruction
This policy sets the rules for maintaining and storing PHI and secure destruction.
Electronic Storage of PHI
A. UT Dallas shall reasonably safeguard PHI that is electronically stored in order to limit incidental Uses and Disclosures of PHI. Electronically stored PHI may be located on University servers or network attached storage devices, PC workstations, on Office of Information Resources servers or network attached storage devices, or, on electronic storage media such as cartridge tapes, compact disks, or other devices.
B. Electronic PHI stored by University in accordance with paragraph (a) on any computer system or storage device shall be encrypted whenever feasible and protected by User ID and Password protection. Electronic media containing PHI that cannot be password protected shall be secured in locked cabinets or closets to which only Workforce Staff authorized to access the PHI have access.
Storage of Paper Records Containing PHI
A. Papers containing PHI shall be picked up as soon as reasonably possible from publicly accessible locations, such as copiers, mailboxes, and conference room tables, and shall be appropriately filed or destroyed. PHI shall not be left unattended unless the area is secured from unauthorized access.
B. Offices and file cabinets in common areas containing PHI shall be locked during hours when the office is closed and only persons authorized to access the PHI shall be able to unlock the offices or file cabinets.
C. Documents containing PHI shall not be discarded in trash bins, recycling bins, or any publicly accessible locations. All discarded PHI shall be placed in a secure bin for secure disposal. Microfilm and microfiche shall be cut into pieces or chemically destroyed. Any other media containing PHI shall be destroyed such that the PHI cannot be read or accessed before it is discarded.
D. PHI in paper form shall not be removed from an office by staff or other Workforce Members except when Use of the PHI is required for official business. Such PHI should be under the direct control of the person conducting the business that requires its removal and Use at all times, maintained securely at all times by the person, and returned to the office from which it was removed without delay by the person.
Destruction of PHI
All PHI no longer in Use by the University that has met/reached the end of its assigned retention period shall be securely destroyed by (1) shredding; (2) erasing; or (3) otherwise modifying the PHI in the records to make the information unreadable or indecipherable through any means determined by the Privacy Officer.
HIPAA Regulatory Citation: 45 CFR § 164.530(j) Effective: 04/14/2003
Revised: 04/13/2013
Reviewed: 10/21/2022, 03/30/2021, 12/08/2015
Heather Zimmerman, HIPAA Privacy Officer
UT Dallas Callier Center
