RosettaHealth recognizes that media containing ePHI may be reused when appropriate steps are taken to ensure that all stored ePHI has been effectively rendered inaccessible. Destruction/disposal of ePHI shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for ePHI involved in any open investigation, audit, or litigation.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 0.9o - Management of Removable Media

  • 09.q - Information Handling Procedures

  • 09.p - Disposal of Media

Applicable Standards from the HIPAA Security Rule

  • 164.310(d)(1) - Device and Media Controls

  • 164.310(d)(2)(i) - Disposal

  • 164.310(d)(2)(ii) – Media re-use

Disposable Media Policy

  1. Printing of any material containing ePHI is not allowed by any RosettaHealth employee unless required for conformance to PHI Uses & Disclosures Policies described in Data Management. In such circumstances NO PHYSICAL COPY (printed or on removable media) of PHI material may be retained by RosettaHealth employees.

  2. No RosettaHealth employee is allowed to copy ePHI from the production environment to any form or removable electronic media (ex usb, memory stick, external HD, CD, DVD, tape, removable disk).

  3. RosettaHealth assumes all disposable media may contain ePHI, so it treats all disposable media with the same protections and disposal policies.

  4. All destruction/disposal of ePHI media will be done in accordance with federal and state laws and regulations and pursuant to the RosettaHealth’s written retention policy/schedule. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.

  5. Records involved in any open investigation, audit or litigation should not be destroyed/disposed of. If notification is received that any of the above situations have occurred or there is the potential for such, the record retention schedule shall be suspended for these records until such time as the situation has been resolved. If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed/disposed of by the requesting party.

  6. Before reuse of any media, all ePHI is rendered inaccessible, cleaned, or scrubbed. All media is formatted to restrict future access.

  7. Any media containing ePHI is disposed using a method that ensures the ePHI could not be readily recovered or reconstructed.

  8. The methods of destruction, disposal, and reuse are reassessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services.

  9. In the cases of a RosettaHealth Customer terminating a contract with RosettaHealth and no longer utilizing RosettaHealth Services, the Customer has 30 days from the date of termination to retrieve data via RosettaHealth Platform API’s. In all cases it is solely the responsibility of the RosettaHealth Customer to maintain the safeguards required of HIPAA once the data is transmitted out of RosettaHealth Systems.

  10. Disposable media policies for RosettaHealth hosting providers (ClearDATA, AWS) are governed by respective BAA agreements and their own SOC2 and/or HITRUST certified policies.