
Electronic Media Handling, Destruction, and Disposal (1.06)



Administrative (Non-Clinical) Policy
Category:
• UWHC only (Hospital Administrative-entity wide)
• UWMF only (entity wide)
• UWHC Departmental (indicate name)
• UWMF Departmental (indicate name)
• UWHC and UWMF (shared)
Policy Title: UW Health Electronic Media Handling, Destruction, and Disposal
(this policy is shared by UWHC and UWMF)
Policy Number: 1.06
Effective Date: October 1, 2015
Chapter: Administration
Version: Revision

I. PURPOSE

The purpose of this policy is to define appropriate handling procedures for electronic media, including
procedures for reuse, destruction, and disposal.

II. SCOPE

This policy applies to all UW Health employees and contractors tasked with disposal of electronic media
and computer hardware containing electronic media.

Computing hardware covered by this policy includes, but is not limited to:
• Any UW Health desktop, laptop, or handheld computer
• Computer monitors
• Printers
• Keyboards
• Mice
• Modems and routers
• Servers
• Smart phones
• Cell phones
• Tablets

Electronic media covered by this policy includes, but is not limited to:
• Any removable media or portable storage devices
• Audiotapes
• Videotapes
• Floppy disks
• Zip disks
• CDs and DVDs
• Portable hard drives
• USB flash drives (aka, jump drives, thumb drives, etc.)
• Memory sticks
• Flash external memory (including that on digital cameras and portable audio devices)

III. DEFINITIONS

Electronic media: Any removable media or portable storage devices.
Degauss: Creating a magnetic field that erases data stored on magnetic media.
Surplus equipment: Personal computers, laptops, handhelds, monitors, and printers that become obsolete
or outdated during their lifecycles and are unusable with specific applications or operating system
software. Equipment is verified and certified as surplus by UW Health Information Services End User
Technical Support (EUTS).
Reusable equipment: Personal computers, laptops, handhelds, monitors, and printers purchased by
departments that become unsuitable for their use, but are usable by other departments. Equipment is
certified for reuse by EUTS.
Junk equipment: Personal computers, laptops, handhelds, monitors, and printers that are not operational
or repairable due to hardware failure, missing part(s), age, or repair history. Equipment is certified as junk
by EUTS.

IV. POLICY

UW Health acknowledges there may be circumstances in which it is operationally necessary to store
corporate data, including protected health information (PHI) or other confidential data, on portable
electronic media. However, because electronic media can be used to transport data and are easily lost or
stolen, storing PHI or other confidential data on such media is highly discouraged. When such data is
stored on portable media, the user is responsible for ensuring the security of the media and preventing
unauthorized access, and must follow the procedures defined in Section V. of this policy.

Electronic information is stored on a wide variety of digital media at UW Health. The approved
destruction methods for electronic media are:
• Full destruction (i.e., incineration, pulverization, etc.)
• Shredding
• Degaussing
• Data wiping (i.e., DBAN)
Note: Data wiping is only applicable to magnetic media that can be mounted on and written to by a PC.

V. PROCEDURE

A. Decommissioning computing technology
1. Personal computers, laptops, printers, and handhelds must not be removed from UW Health
service or satellite locations without first removing any data and software licensed to UW
Health.
2. The UW Health IS EUTS team removes any data and licensed software from hardware that
is certified as surplus, reusable, or junk equipment for UW Health departments and work-
related home use.
3. Electronic information is disposed of by the UW Health IS EUTS team using the most
appropriate method that ensures the data cannot be recovered or reconstructed.
B. Security measures for storage of PHI on electronic media
1. All portable electronic media must be safeguarded from theft with the same care provided
to a personal credit card. Portable media must be labeled to facilitate recovery if lost. Any
loss or theft of a device must be reported immediately to the UW Health Information
Services Help Desk.

2. PHI or other confidential data stored on electronic media must be secured from
unauthorized access with additional precautions such as password protection and data
encryption when possible.
3. Media must be encrypted whenever it is technically and reasonably possible to do so. For
example, USB flash drives (aka jump drives and thumb drives) capable of encryption are
commercially available. Therefore, use of unencrypted USB flash drives is prohibited for
any work related purpose. UW Health employees may obtain an encrypted USB flash drive
for UW Health business purposes by contacting the UW Health Information Services Help
Desk.
4. Portable media that are not capable of encryption must be protected by additional physical
security measures. For example, if a biomedical device requires the use of external media
for data backup, or to transfer data from the device to the computer network, the external
media must be stored securely when not in use or under the direct supervision of
responsible personnel.
C. Destruction, disposal, and reuse of electronic media
1. Data should be removed from electronic media prior to reuse of the media. Special
measures may be necessary to ensure the data cannot be surreptitiously recovered. For
example, reformatting magnetic media is not sufficient, as it does not overwrite the existing
data. Contact the Help Desk for help in determining the proper methods to remove data
from electronic media sources.
2. Electronic media should be destroyed or disposed of using a method that ensures any
confidential information stored on the media cannot be recovered or reconstructed. For
example, any non-magnetic removable media such as CDs and DVDs must be physically
destroyed before being discarded.
3. Use an approved destruction method based on the type of electronic media:
a. UWHC Sites: Mark typical media, such as floppy disks and CDs, as Confidential
and deliver to the Environmental Services (ES) office in D4/125 between 8:00 AM
and 5:00 PM Monday through Friday for destruction and disposal, or schedule
pickup by trained ES facility technicians by calling (608) 263-1260. Each outlying
UWHC facility has a locked container to hold these items until a pick-up is
scheduled through ES. ES transports the media via a locked briefcase to D4/125,
and a log is kept of all pick-ups and drop-offs. ES stores media in locked bins in a
locked room until Pellitteri comes to do on site destruction. Due to the large
volume of media generated at the 8501 Excelsior Drive location, this site stores
their own media in a locked bin and Pellitteri performs on site destruction there. All
other sites follow the above procedure.
b. UWMF Sites: Clinic Managers mark typical media, such as floppy disks and CDs,
as Confidential, and retain the PHI containing media under lock and key until
delivered to the Information Services End User (EUTS) Device Management staff
at the Administrative Office Building (AOB). EUTS Management ensures
appropriate approved destruction methods are used, based on the type of electronic
media, as outlined below.
c. Destroy optical media, such as CDs, DVDs, and Blu-Ray disks, by either full
destruction or shredding before discarding.
d. Destroy magnetic media, such as backup tapes, floppy disks, and hard drives, by
any approved destruction method before discarding. The method used must destroy
data permanently and irreversibly. Total data destruction does not occur until the
medium has been completely erased or overwritten with random data.
e. Destroy RAM/Flash based media, such as flash/thumb drives and PDAs, by either
full destruction or shredding (removable memory only) before discarding. With
extensive use, flash memory media may become unreadable using traditional
methods. However, the data is still present and can be recovered with adequate
technology. Thus, full destruction is required.
f. For other types of digital media disposal, contact the Help Desk.
g. Appropriate methods for destroying/disposing of media are summarized in the
table below.

Medium: Destruction & Disposal Recommendation

Audiotapes, Videotapes:
• Recycling (complete tape over)
• Pulverizing

Hard Disk Drives, Zip Drives:
• Overwriting data with a series of characters (destroying everything on it).
• Full destruction
• Shredding
• Degaussing
• Data Wiping
Note: Deleting a file on a disk does not destroy the data, but merely
deletes the filename from the directory, preventing easy access of
the file and making the sector available on the disk so it may be
overwritten. Total data destruction does not occur until the drives
have been completely overwritten.

Magnetic Media (e.g. floppy disks):
• Pulverizing
• Magnetic degaussing
• Data wiping (i.e., DBAN)

Flash Memory Media (e.g. jump drives, thumb drives, memory sticks, and USB external memory):
• Pulverization
• Shredding
• Data wiping

CDs, DVDs:
• Pulverization
• Shredding

PHI Labeled Media:
• Incineration
Note: Reasonable steps should be taken to destroy or de-identify
any PHI information prior to disposal.

D. Vendor serviced media
1. When media, such as hard drives or thumb drives, are covered by vendor warranty, users must
first ascertain if PHI or other confidential data was stored on the media prior to sending the media
to the vendor for servicing.
2. If media does contain PHI or other confidential data, it may only be sent to the vendor for
servicing if:
a. The data can be removed from the media first.
b. UW Health has a HIPAA Business Associate Agreement or maintenance contract in force
with the vendor that addresses how the data must be handled.
c. The hardware vendor provides a written policy and procedure for review by either the
Director of Compliance or CIO, which documents how the vendor assures all data is fully
destroyed prior to reuse or disposal of the media.





VI. REFERENCES

UW Health IS Computer and Server Decommissioning Procedure (Information Services Departmental
Policy #IN-PRO-009)

VII. OTHER

UW Health is a cohesive, united and integrated academic medical enterprise comprised of several entities.
This policy applies to facilities and programs operated by the University of Wisconsin Hospital and
Clinics and the University of Wisconsin Medical Foundation, Inc. Each entity is responsible for
enforcement of this policy in relation to the facilities and programs that it operates.

VIII. COORDINATION (the details of Coordination of UWHC and UWMF are shown below. Approval
and coordination of this policy by those entities is per their individual process.)

UWHCA Sr. Management Sponsor: SVP, Chief Information Officer
UWHCA Author: Manager, End User Technical Support
UWHCA Reviewer(s): UW Health IS Directors; Director, Internal Audit

UWHCA Approval Committee: Administrative Policy & Procedure Committee

UWMF Sr. Management Sponsor: SVP, Chief Information Officer
UWMF Author: Manager, End User Technical Support
UWMF Reviewer: UW Health IS Directors

UWMF Approval: Executive VP, Chief Operating Officer


SIGNED BY:

Ronald Sliwinski
President, University of Wisconsin Hospitals
Chief of Clinical Operations



Revision Detail:

Previous revision: May 2013
Next revision: October 2018