Page 25 - Information_Security_Program
DOCUMENT SECURITY [DP271]
Scope: Enterprise
Distribution: All employees with access to privacy‐restricted documents
Purpose: To ensure information is securely destroyed after its useful life.
External Regulation or Standard: 45 CFR 164.310(d)(2)(i); 45 CFR 164.310(d)(2)(ii) ‐‐ Device and Media Controls; PCI DSS 4.3
Who is Responsible | Statement Number | Policy, Standard, or Procedure Statement
Employees | DP271.1 | Organization documents containing Privacy Restricted information must be stored in a secured location.
Employees | DP271.2 | Organization documents containing Privacy Restricted information must be delivered in a trackable manner and hand‐delivered, such as through certified mail or other approved method and marked “Confidential”, to the intended recipient.
Employees | DP271.3 | Organization documents containing Privacy Restricted information that need to be delivered in an expedited manner should be sent through encrypted e‐mail or secure file‐transfer protocol. If these methods are not available, a Privacy Restricted document can be faxed if the sender and intended recipient are standing at their respective fax machines during the transmission.
Employees | DP271.4 | Organization documents containing Privacy Restricted information must be rendered unreadable, such as through shredding using an approved shredder or shredding company, such that there is reasonable assurance the hard‐copy materials cannot be reconstructed when they no longer have a business or legal purpose. Strip shredders are not allowed. Shredding companies must be approved through the Director of Information Technology, Privacy and Data Security, and the organization must have a valid Business Associate Agreement in place with that organization if Protected Health Information is involved.
Employees | DP271.4a | Containers for hard copy documents to be shredded must be locked, preventing access to their contents.
Employees | DP271.5 | The organization will follow applicable laws and the Board Retention Policy regarding the retention of document records.
GES CONFIDENTIAL