Data Management and Disposal: ePHI/PHI

Electronic protected health information (ePHI) is protected health information (PHI) that is produced, saved, transferred or received in an electronic form. In the United States, ePHI management is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

UConn Health has a duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. The secure handling, storage and disposal of hardware and media containing ePHI data is mandatory per HIPAA security policies.

Destruction and Disposal of ePHI/PHI data

The following is a brief guide to the procedures that UConn Health personnel or a bonded destruction service must follow when disposing of information containing PHI and ePHI.

  • Paper copies and original documents (day-to-day disposal) must be personally shredded or placed in secured shredder bins.
  • Patient identification cards and wrist bands should be discarded in secured shredding bins ONLY.
  • Destruction of X-ray film is securely handled by the Materials Management Department utilizing an outside firm.
  • PHI regulated medical waste must be placed in regulated medical waste bins; the waste is incinerated using secure methods.
  • Destruction and disposal of PHI must be documented.
  • Disposal of hardware equipment (biomedical and non-biomedical) includes the logging and removal of ePHI/PHI data.
  • Destruction of electronic media (biomedical and non-biomedical) with ePHI/PHI data is required when no longer needed.

Resources