Slide 1: Internal Data Destruction Audit
Mengxue Ni, Ivy McCottry, Anthony Fecondo

Speaker notes: Hello everyone, my name is Anthony Fecondo and I'll be talking to you about the internal data destruction audit that my team has drafted for Sprenger Healthcare Systems.
Slide 2: Our Plan
- Legal and Policy Compliance
- Representative Data
- Destruction is Verified

Speaker notes: As you know, my team was tasked with creating an audit plan for our company's data destruction policy. Our audit plan is finished and I hope you've had a chance to review it. We're here today in order to assure everyone that this audit plan will be an effective means of reviewing the implementation of our data destruction policy. It is our belief that our audit plan will be effective for reviewing our data destruction policy because of three factors: the thorough breakdown of the auditing process into its constituent elements, which allows auditors to identify and review each aspect of the policy and applicable laws in order to ensure compliance; the sampling and review of resources for compliance in a manner that either analyzes every piece of data or a representative sampling of the data; and the use and management of certificates of destruction to verify the proper disposal of each type of sensitive information that Sprenger handles.
Slide 3: Legal/Policy Compliance
(Excerpt from the audit plan; columns: Audit Goal, Assumptions, Audit Review, Information Source)

HIPAA
  Audit Goal: Ensure that the enterprise data destruction policy adheres to applicable federal, state, and local laws.
  Assumptions: The Sprenger CIO and Sprenger Compliance office update the policy when laws change.
  Audit Review: Auditors will develop a compliance matrix of applicable federal, state, and local laws and the existing data destruction policy.
  Information Source: Existing data destruction policy juxtaposed to federal, state, and local laws.

Physical PHI/PII
  Audit Goal: Ensure that physical PHI/PII is incinerated.
  Assumptions: Sprenger employees and vendors are trained on proper handling and disposal of PHI/PII.
  Audit Review: Auditors will interview employees with varied levels of responsibility from different departments and vendors.
  Information Source: Employee and vendor representatives.

Digital PHI/PII
  Audit Goal: Ensure that deleted PHI/PII cannot be recovered.
  Assumptions / Audit Review / Information Source: … disposal of PHI/PII (remainder of this row is not legible in the extracted slide).

Prescription Bottles
  Audit Goal: Ensure that prescription bottles are all located within the proper Shred-It receptacles and that those receptacles are locked and maintained in a secure location.
  Assumptions: Sprenger employees utilize the third-party vendor Shred-It for final PHI/PII destruction.
  Audit Review: Auditors will retrieve external certificates of destruction from the vendor management/contracts team.
  Information Source: External certificates of destruction.

Data Retention
  Audit Goal: Ensure that all information is deleted within 10 days following the expiration of the retention period.
  Assumptions: Sprenger employees do not improperly dispose of PHI/PII.
  Audit Review: Auditors will retrieve internal certificates of destruction from the Sprenger records management database and/or hard copy files.
  Information Source: Internal certificates of destruction.

Speaker notes: The first aspect of our plan, legal and policy compliance, is demonstrated by our plan's thorough review of all the different aspects of the data destruction process. As you can see from the excerpt from our audit plan, we address our processes' compliance with local, state, and federal laws such as HIPAA; review the processes (such as record keeping, the authorization/training of personnel, and the destruction of the data) involved in destroying physical and digital PHI/PII and prescription bottles; and audit all of these areas to verify that data isn't being stored past its retention date. Reviewing these three key areas ensures that our organization is complying with both legal and policy requirements.
Slide 4: Representative Data
- Random representative samplings
  - Terminated Employees
  - Employee Interviews
  - Hard Drives
- Full review of some materials
  - Cloud Storage
  - Certificates of Destruction

Speaker notes: The second aspect of our plan addresses the representative nature of our data samplings, to ensure that our reviews provide accurate insights into policy compliance. For aspects of our audit that are too broad, such as terminated employees, employee interviews, and hard drives, we can't test every piece of data. Therefore, we have to test smaller samples and base our evaluations on the results of the samples. If these samples aren't representative of the population, then our audit doesn't provide accurate insights regarding company-wide compliance. In order to avoid this, our audit emphasizes reviewing completely randomized samplings of terminated employees, current employees, and hard drives. For other aspects of the plan, such as cloud storage and certificates of destruction, we avoid this risk altogether by reviewing all of the material.
Slide 5: Destruction Verification
- Certificates of Disposal
  - Internal and External
  - Physical/Digital PHI/PII
  - Shred-It
  - Retention
- Leverage Certificate Management Software

Speaker notes: The final aspect that we believe will make our audit effective at reviewing our data destruction policy is the implementation of certificates of disposal for all sensitive information. These certificates will be created and held on record by every internal department and all associated third parties that handle the destruction of any sensitive data. As the slide indicates, the destruction of physical or digital PHI or PII, the removal of prescription bottles through Shred-It receptacles, and the destruction of data whose retention time has expired all require a certificate of disposal. These documents will provide the necessary information to keep a record of the destruction of data and verify that the process prescribed by the data destruction policy was adhered to. In order to manage these certificates, Sprenger leverages certificate management software, which will be reviewed during the audit process.
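As an added illustration of the data-retention check from the audit plan excerpt (information must be deleted within 10 days of the retention period expiring, verified against internal certificates of destruction) and of the certificate review on this slide, here is a small Python check run over constructed sample records. It is not part of the presentation or of Sprenger's tooling; the record and certificate field names are assumptions.

```python
"""Retention/destruction audit check (constructed example, not Sprenger's code).
Every record whose retention period has expired must be covered by a certificate
of destruction dated no later than 10 days after expiry."""
from dataclasses import dataclass
from datetime import date, timedelta

GRACE_DAYS = 10  # the 10-day window stated in the Data Retention audit goal

@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str          # assumed field, e.g. "physical PHI", "digital PII"
    retention_expires: date

@dataclass(frozen=True)
class Certificate:
    record_id: str
    destroyed_on: date
    source: str             # "internal" or "external" (vendor such as Shred-It)
    method: str             # assumed field, e.g. "incinerated", "wiped"

def audit_retention(records, certificates, as_of):
    """Return {record_id: finding} for each expired record that fails the check."""
    certs = {c.record_id: c for c in certificates}
    findings = {}
    for r in records:
        if r.retention_expires > as_of:
            continue  # still inside its retention period; nothing to destroy yet
        deadline = r.retention_expires + timedelta(days=GRACE_DAYS)
        cert = certs.get(r.record_id)
        if cert is None:
            if as_of > deadline:  # window closed and no certificate on file
                findings[r.record_id] = "no certificate of destruction; deadline passed"
        elif cert.destroyed_on > deadline:
            late = (cert.destroyed_on - deadline).days
            findings[r.record_id] = f"destroyed {late} day(s) after the 10-day window"
    return findings

# Constructed sample data: a records-management export and the matching certificates.
AS_OF = date(2024, 3, 1)
RECORDS = [
    Record("R-001", "physical PHI", date(2024, 1, 10)),        # destroyed on time
    Record("R-002", "digital PII", date(2024, 1, 10)),         # destroyed late
    Record("R-003", "prescription bottles", date(2024, 1, 31)),  # no certificate
    Record("R-004", "digital PHI", date(2024, 2, 25)),         # window still open
    Record("R-005", "physical PII", date(2024, 6, 30)),        # still retained
]
CERTIFICATES = [
    Certificate("R-001", date(2024, 1, 15), "internal", "incinerated"),
    Certificate("R-002", date(2024, 2, 2), "internal", "wiped"),
]

if __name__ == "__main__":
    for rid, finding in audit_retention(RECORDS, CERTIFICATES, AS_OF).items():
        print(rid, finding)  # R-002 late by 13 days; R-003 missing certificate
```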
Slide 6: Conclusion
Our audit plan will be effective:
- Comprehensive Review of Policy/Law
- Samplings that Review/Test Relevant Resources
- Tracking/Confirmation of Destruction by Reviewing Certificates

Speaker notes: As we have explained, the comprehensive review of the audit's compliance with policy and law, the representative samplings, and the tracking and confirmation of destruction through certificates of destruction make us confident that our auditing plan will provide an effective means of reviewing the implementation of and adherence to our data destruction policy.
Slide 7: Questions?

Speaker notes: Thank you for listening to our presentation. We hope that you feel secure in supporting our proposed audit plan, and if you have any questions or concerns, please voice them now.