14-disposable_media_policy.md

14. Disposable Media Policy

Health Note recognizes that media containing ePHI may be reused when appropriate steps are taken to ensure that all stored ePHI has been effectively rendered inaccessible. Destruction/disposal of ePHI shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for ePHI involved in any open investigation, audit, or litigation.

ePHI is only stored in our hosted environment using encrypted storage. Health Note does not use, own, or manage any mobile devices, SD cards, or tapes that have access to ePHI.

14.1 Applicable Standards

14.1.1 Applicable Standards from the HITRUST Common Security Framework

  • 0.9o - Management of Removable Media

14.1.2 Applicable Standards from the HIPAA Security Rule

  • 164.310(d)(1) - Device and Media Controls

14.2 Disposable Media Policy

  1. All removable media is restricted, audited, and encrypted.
  2. Health Note assumes all disposable media in its Platform may contain ePHI, so it treats all disposable media with the same protections and disposal policies.
  3. All destruction/disposal of ePHI media will be retained according to state and federal regulations, whichever requires retention for the longer period of time.
  4. HIPAA requires that business associates and covered entities retain the following for at least six years from the creation date or last effective date, whichever is later: a written or electronic record of a designation of an organization as a CE (e.g., health plan, affiliated covered entity, etc.) or BA.
  5. Records involved in any open investigation, audit or litigation should not be destroyed/disposed of. If notification is received that any of the above situations have occurred or there is the potential for such, the record retention schedule shall be suspended for these records until such time as the situation has been resolved. If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed/disposed of by the requesting party.
  6. Before reuse of any media, for example, all ePHI is rendered inaccessible, cleaned, or scrubbed. All media is formatted to restrict future access.
  7. All Health Note Subcontractors provide that, upon termination of the contract, they will return or destroy/dispose of all patient health information. In cases where the return or destruction/disposal is not feasible, the contract limits the use and disclosure of the information to the purposes that prevent its return or destruction/disposal.
  8. Any media containing ePHI is disposed of using a method that ensures the ePHI could not be readily recovered or reconstructed.
  9. The methods of destruction, disposal, and reuse are reassessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services.
  10. In the case of a Health Note Customer terminating a contract with Health Note and no longer utilizing Health Note Services, data is retained or removed at the agreed-upon customer's requirement.
  11. In all cases, it is solely the responsibility of the Health Note Customer to maintain the safeguards required by HIPAA once the data is transmitted out of Health Note Systems.

Revisions

| Revision Date | Revision Description | Notes |
| --- | --- | --- |
| 4/18/2019 | Initial | Initial |
| 4/14/2020 | Reviewed | No changes |
| 3/29/2021 | Reviewed | No changes |
| 2/24/2022 | Reviewed | No changes |
| 5/26/2022 | Updated | update p&p |
| 4/10/2023 | Reviewed | No changes |
| 5/02/2024 | Reviewed | No changes |