2023-04-11 NOTICE: The following policy or plan is currently under internal review and may not be up-to-date or fully aligned with our organization's current practices or procedures. Please check back shortly, or contact us for more information.
Disposable Media Policy
Fox and Geese recognizes that media containing PHI or PII may be reused when
appropriate steps are taken to ensure that all stored PHI or PII has been
effectively rendered inaccessible. Destruction/disposal of PHI or PII shall be
carried out in accordance with federal and state law. The schedule for
destruction/disposal shall be suspended for PHI or PII involved in any open
investigation, audit, or litigation.
PHI or PII is only stored in our hosted environment using encrypted storage. Fox
and Geese LLC does not use, own, or manage any mobile devices, SD cards, or
tapes that have access to PHI or PII.
Applicable Standards
Applicable Standards from the HITRUST Common Security Framework
- 09.o - Management of Removable Media
Applicable Standards from the HIPAA Security Rule
- 164.310(d)(1) - Device and Media Controls
Disposable Media Policy
- All removable media is restricted, audited, and encrypted.
- Fox and Geese assumes all disposable media in its Platform may contain PHI or
PII, so it treats all disposable media with the same protections and disposal
policies.
- All destruction/disposal of PHI or PII media will be done in accordance with
federal and state laws and regulations and pursuant to Fox and Geese's
written retention policy/schedule. Records that have satisfied the period of
retention will be destroyed/disposed of in an appropriate manner.
- Records involved in any open investigation, audit or litigation should not be
destroyed/disposed of. If notification is received that any of the above
situations has occurred or there is the potential for such, the record
retention schedule shall be suspended for these records until such time as
the situation has been resolved. If the records have been requested in the
course of a judicial or administrative hearing, a qualified protective order
will be obtained to ensure that the records are returned to the organization
or properly destroyed/disposed of by the requesting party.
- Before any media is reused, all PHI or PII is rendered inaccessible,
cleaned, or scrubbed. All media is formatted to restrict future
access.
- All Fox and Geese Subcontractors provide that, upon termination of the
contract, they will return or destroy/dispose of all patient health
information. In cases where the return or destruction/disposal is not
feasible, the contract limits the use and disclosure of the information to
the purposes that prevent its return or destruction/disposal.
- Any media containing PHI or PII is disposed of using a method that ensures the
PHI or PII could not be readily recovered or reconstructed.
- The methods of destruction, disposal, and reuse are reassessed periodically,
based on current technology, accepted practices, and availability of timely
and cost-effective destruction, disposal, and reuse technologies and
services.
- In the case of a Fox and Geese Customer terminating a contract with Fox and
Geese and no longer utilizing Fox and Geese Services, the following actions
will be taken depending on the Fox and Geese Services in use. In all cases it
is solely the responsibility of the Fox and Geese Customer to maintain the
safeguards required by HIPAA once the data is transmitted out of Fox and
Geese Systems.
  - In the case of PaaS Customer termination, Fox and Geese will provide the
  customer with 30 days from the date of termination to export data.