MIS 5202 IT Governance

Temple University

Team 5: Sprenger’s Data Destruction Policy

October 18, 2016 by Anthony Clayton Fecondo 10 Comments

Team members: Anthony Fecondo, Mengxue Ni, Ivy McCottry, Silas Adams

Policy: revision-4-_-10-17-16-data-destruction-policy

Video Presentation

Filed Under: Week 07: Policy Documents & Video

Comments

  1. Nathan A. Van Cleave says

    October 18, 2016 at 1:33 pm

    Team 5,

    Kudos to you for taking a crack at a policy where the information is governed primarily through laws and regulations. It is clear in your policy that it certainly takes additional thinking and consideration when crafting a policy around PHI/PII healthcare-related information.

    Additionally, as you have highlighted, compliance regulations can also be helpful in identifying key requirements and controls for the policy. I would have expected to see a bit more connection to the risks related to not protecting this type of information. I like the “Oversight” section as you clearly lay out what could happen if there is a breach.

    The video was comprehensive and encompassed everything in your policy. I think a real-life example or scenario around proper data destruction would be helpful for a new hire to see. Overall, very good.
    • Ivy M. McCottry says

      October 19, 2016 at 2:18 am

      Nathan – thank you for the feedback. Regarding a real-life scenario, do you think it would be helpful to include the dollar amounts for actual violations since they are well publicized, or would it be better to highlight the impact of a breach?

      I ask about scenarios because healthcare inherently has a professional requirement for ethics and I wonder what could be a sticky/top-of-mind scenario for emphasizing the point of following the policy. The most risk someone faces is loss of license, which could be the outcome of a scenario.

      Thank you for any additional suggestions you make.
      • Andres Galarza says

        October 22, 2016 at 11:12 am

        Ivy, I’ll piggy-back onto what Nathan said.

        I think an example, any example, would help connect an employee’s actions to real-world actions and consequences. Often in training that I’ve received on a number of topics, the real-world examples help paint a picture and clear up any questions that I have.

        For this particular group, they could use any number of HIPAA violations that have been reported in the last few years.

        http://www.inforisktoday.com/prison-term-in-hipaa-violation-case-a-7938
  2. Sean Patrick Walsh says

    October 19, 2016 at 10:01 am

    Your policy is well formatted and goes into depth nicely. The tables providing definitions and examples of PII and PHI are laid out nicely for quick reference if needed. The idea to add an annual policy review and update section at the end where the CIO signs it is a great idea. I noticed, unless I missed it when reading, that there is no requirement stipulating an annual review or a review whenever applicable laws are changed, updated, or revised. Would that be helpful in such a policy in such an industry with the level of statutory and regulatory compliance associated with it? Or is the underlying assumption that Section 7 of the policy covers any changes without outright saying so?
    • Loi Van Tran says

      October 20, 2016 at 2:52 pm

      Team 5,

      I applaud you for taking such a critical policy within the health industry and making it so understandable for people that are not familiar with it. The formatting of this policy makes it easy to view and was very informative. Along with the comments above, the tables identifying PII/PHI are very comprehensive. I’m not sure that this would apply, but are there any stipulations regarding how long medical records are kept, either electronically or paper-based? How does an employee know when records need to be destroyed or reviewed for destruction? Please educate me, as you probably have more knowledge after completing this policy.
  3. Joseph Henofer says

    October 20, 2016 at 9:38 pm

    I thought the policy was laid out very well. I really like how you laid out the key terms and explanation for each. The video was good, but I think if you would have added an example of where your policy was effective and not effective, that would have really driven home the point of the policy.
  4. Kevin Blankenship says

    October 21, 2016 at 9:02 am

    I like this policy a lot. I appreciate your work to define and specify information that is regulated and protected by law. HIPAA presents an interesting situation for the business when it comes to retaining documents, and I think you did a great job laying out what each type of document is and the impacts of each. PII can be a tricky area and you helped me understand it through your tables.

    Plus the revision log being handwritten and signed was a nice stylistic touch.
  5. Xiaodi Ji says

    October 21, 2016 at 11:32 pm

    I like your video. First of all, it is quite simple, which helps employees get the main point as soon as possible; they do not need to read a lot, which can help them focus on what the speaker says. Then, in the video, overviewing the company and talking about the policy purposes really helps employees review their own company and lets them think that this policy is very important for the company. However, maybe you should improve the voice quality, because there is some noise in it, which makes the video not very clear.

    For the document, it is very good that you wrote a special chapter for outside vendors. In the company, outside or third-party vendors are hard to control because they may think they do not belong to this company. Thus, they do not need to follow the rules or policy in this company. Therefore, I think this is very good for the company.
  6. Ahmed A. Alkaysi says

    October 22, 2016 at 2:53 pm

    Very well done policy. I liked how the policy was detailed but not complicated. It was made in a way where employees would be able to read it without falling asleep. Nice job incorporating HIPAA into your policy as well. It made the policy relevant to today’s laws and regulations. Also liked how the signatures were simulated showing who approved the policy at the end; it shows you guys went through the effort in making sure the policy was as complete as can be.
  7. Sachin Shah says

    October 26, 2016 at 2:36 am

    I work in healthcare and the policies are extensive and strict and therefore a lot to cover. Team 5 or Sprenger Healthcare did a good job in covering so much and properly turning such an encompassing rule set into a policy of a handful of pages. It's ironic, as my hospital is migrating to EPIC as our EMR and the policy stated that further definitions of PII and PHI were listed in the EPIC portal. Yet the foundation of what PII and PHI stand for and a generic definition were properly listed in the policy. I like how the 2nd page had a glossary of definitions – basically an employee needs to learn the terms first and then the policy will make more sense. That was creative and practical, and the outside vendor portion is of much importance. I work with vendors on a daily basis; incorporating that into the plan was very good as well.