HIPAA

Back to eGroups
Expand all | Collapse all

Connecting PHI destruction rules with NIST guidelines

  • 1.  Connecting PHI destruction rules with NIST guidelines

    Posted 12-07-2018 11:24 AM
    ​Perhaps the HIPAA fog has enveloped me but I'm trying to find a firm, written connection with the PHI destruction rules, "Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed," and the NIST Guidelines for Media Sanitation (NIST Special Publication 800-88, revision 1.

    I other words how do I show a doubter that the NIST guidelines apply to the Privacy Rule destruction requirements?

    Any help is appreciated.

    Charlie

    ------------------------------
    Charles Colitre BBA, CHC, CHPC
    Compliance & Privacy Officer
    Crystal Clinic Orthopaedic Center
    Akron,OH
    ------------------------------
    Protenus May


  • 2.  RE: Connecting PHI destruction rules with NIST guidelines

    Posted 12-07-2018 11:36 AM

    NIST is a federal agency? How can there be doubters?  Ha ha

     

    https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/index.html

     

    https://www.nist.gov/policies-notices

     

    https://www.healthit.gov/topic/about-onc

     

    Good luck.

     

    Allie

     

     

    Allison Wein

    Privacy Specialist
    1515 North Saint Joseph Avenue  

    P.O. Box 8000 

    Marshfield, WI 54449-8000
    Direct:   715-221-9414  
    Toll free:  1-800-472-2363 

    Fax:  715-221-9164
    email:  wein.allison@securityhealth.org

    www.securityhealth.org  

    image001.png@01D406DC.8A623250

    CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipient(s) named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please notify the sender at the electronic mail address noted above and destroy all copies of this communication and any attachments. Thank you for your cooperation.

     

     

    The contents of this message may contain private, protected and/or privileged information. If you received this message in error, you should destroy the e-mail message and any attachments or copies, and you are prohibited from retaining, distributing, disclosing or using any information contained within. Please contact the sender and advise of the erroneous delivery by return e-mail or telephone. Thank you for your cooperation.



    Original Message
    Protenus May


  • 3.  RE: Connecting PHI destruction rules with NIST guidelines

    Posted 12-07-2018 04:01 PM

    Allie,

     

    Thank you. Excellent information.

     

    Charlie

     

    Charles E. Colitre, BBA, CHC, CHPC

    Compliance and Privacy Officer

    Crystal Clinic Orthopaedic Center

    3925 Embassy Parkway, Ste 250

    Akron, OH 44333

    330 670-6123

     




    Original Message
    Protenus May


  • 4.  RE: Connecting PHI destruction rules with NIST guidelines

    Posted 12-08-2018 07:34 AM
      |   view attached
    Charlie...I posted a video that I think answers the question.  However, if not, please post any follow up so that we can see about getting a better or more complete answer.  I think the video also helps emphasize a few key points related to your posting that others may find useful.

    Let me know if this does the trick in answering your question.

    ------------------------------
    ► The CSG Has Begun! ◄
    --------Frank Ruelas---------
    ------------------------------

    Original Message
    Protenus May


  • 5.  RE: Connecting PHI destruction rules with NIST guidelines

    Posted 12-10-2018 09:24 AM

    Frank,

     

    Thank you so much for the excellent video which does answer my question.  I had both ends of the answer but not the connection which you filled in nicely.

     

    I'm not sure I warranted a video but I hope the information is also useful for others who face the same dilemma, explaining, "where does it say we have to do that."

     

    Merry Christmas/Happy Holidays to you and all in HIPAA Land.

     

    Charlie

     

    Charles E. Colitre, BBA, CHC, CHPC

    Compliance and Privacy Officer

    Crystal Clinic Orthopaedic Center

    3925 Embassy Parkway, Ste 250

    Akron, OH 44333

    330 670-6123

     



    Note: The enclosed information is STRICTLY CONFIDENTIAL and is intended for the use of the intended recipient only. Federal and Ohio laws protect any patient information that may be disclosed in this e-mail. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, use, dissemination, distribution, disclosure, or copying of the contents is prohibited. If you have received this email in error, please notify the sender immediately and return all printed copies by US Mail to: Crystal Clinic Orthopaedic Center, 3925 Embassy Parkway, Suite 250, Akron, OH 44333, Attention, HIPAA Privacy Officer.



    Original Message
    Protenus May


  • 6.  RE: Connecting PHI destruction rules with NIST guidelines

    Posted 12-10-2018 09:56 AM
    Charlie...thanks for the feedback..  Given how much you have helped and continue to help so many of us...glad to be able to give some of that help back to you.  Happy Holidays Charlie.  Hope to see you be in Boston at the CI?

    ------------------------------
    ► The CSG Has Begun! ◄
    --------Frank Ruelas---------
    ------------------------------

    Original Message
    Protenus May


  • 7.  RE: Connecting PHI destruction rules with NIST guidelines

    Posted 12-10-2018 10:06 AM

    Hi Charlie,

     

    There's no need to watch some video posted by a consultant and get second hand information.  Go to https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.

     

    The long and short of it is that the compliance with the NIST standards is not required. Rather, documents or digital media destroyed pursuant to those standards creates a "safe harbor" for any potential breach because the output is not considered individually identifiable health information.

     

    David

     

    David J. Spielman, J.D.

    V.P. Corporate Integrity and Compliance

      and Associate General Counsel

    Exeter Health Resources

    5 Alumni Drive

    Exeter, N.H. 03833

     

    Direct Dial: (603) 580-7657

    Facsimile: (603) 580-7575

     

    image001.png@01D2C99B.471DE0E0

     

    Confidentiality Notice: This message, including any attachments, is for the sole use of the intended recipient and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

     

     




    Original Message
    Protenus May


  • 8.  RE: Connecting PHI destruction rules with NIST guidelines

    Posted 12-10-2018 12:18 PM
    Thank you Frank!

    ------------------------------
    Cinda
    Compliance/Ethics & Privacy Director
    Ohio
    ------------------------------

    Original Message
    Protenus May


  • 9.  RE: Connecting PHI destruction rules with NIST guidelines

    Posted 12-10-2018 02:12 PM

    Thank you Frank. Very clear and once again, very practical as well.

    Thank you Charles for asking the question too!

     

    Best Regards,

    Scot Lovejoy  CFP_XSLogo_BlBk 

    Scot Lovejoy RPh. CFP CHC

    Chief Pharmacy Officer

    Compliance Officer

    Agadia_itself (625x184) (625x184) (100x29)

    9 Campus Drive, 2nd Floor East

    Parisippany, N.J. 07054

    (O) 973-540-8400  x227

    (C) 973-570-3803

    (F) 973-540-8440

     

    Confidentiality Notice:  This e-mail is intended only for the person(s) to whom it is addressed and may contain information that is confidential, proprietary, privileged or otherwise protected from disclosure.  If you are not an intended recipient, please (i) do not read, copy or use this communication, or disclose it to others, (ii) notify the sender immediately by replying to the message, and (iii) delete the e-mail from your system.  Thank you.

     




    Original Message
    Protenus May


  • 10.  RE: Connecting PHI destruction rules with NIST guidelines

    Posted 12-10-2018 04:24 PM

    Excellent Video Frank.  Thank you.

     

    Karen Noyes

    Compliance Officer

    Intermountain Medical Imaging

    Gem State Radiology

    877 W. Main Street

    Suite 603

    Boise, ID  83702

    (208) 384-9073

     

     

    HIPAA Notice: This electronic transmission is a confidential communication and is transmitted for the exclusive use of the person or entity to which it is addressed. If you are not the intended recipient you are hereby notified that any disclosure, copying or distribution of this information is strictly prohibited. If you have received this email communication in error, please notify us immediately at (208) 384-9060. To the extent Protected Health Information (PHI) is enclosed, please be advised that it is being sent to you after appropriate authorization from the individual or under circumstances that do not require authorization. It has been disclosed to you from a protected record set whose confidentiality is protected by state and federal law. You, the recipient, are expected to maintain this information in a safe, secure and confidential manner.



    Original Message
    Protenus May