Device and Media Controls - Part 2

Episode 62: Know The Rules! Device and Media Controls – Part 2

In this week’s “Know The Rules!,” I am talking about the last two implementation specifications of the HIPAA Device and Media Controls security standard, 45 CFR §164.310(d)(1).

The Device and Media Controls standard requires Covered Entities (CEs) and their Business Associates (BAs) to:

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.

The above standard is all about the proper handling of electronic media, including the receipt, removal, backing up, storage, reuse, disposal and accountability of that media.

The Device and Media Controls standard has four implementation specifications, two required (see Episode 61: Know The Rules! Device and Media Controls) and two addressable.

The two addressable implementation specifications covered in this episode are:
Note: (R) = Required      (A) = Addressable

  • 3. Accountability (A) – 45 CFR 164.310(d)(2)(iii)
  • 4. Data Backup and Storage (A) – 45 CFR 164.310(d)(2)(iv)

Accountability

The Accountability implementation specification describes a reasonable and appropriate safeguard; organizations must:

Maintain a record of the movements of hardware and any person responsible therefore.

Since this is an addressable specification, each organization must determine whether and how to implement it. If an organization’s hardware and media containing electronic protected health information are moved from one location to another, a record should be maintained as documentation of the move.

Portable workstations and media present a special accountability challenge. Portable technology is getting smaller, less expensive, and has an increased capacity to store large quantities of data. As a result, it is becoming more prevalent in the healthcare industry, making accountability even more important and challenging.

Don’t forget to include your medical devices, pagers (yes, they still use them!) and “Internet of Things” devices even if they don’t contain ePHI. Auditors are looking at them to ensure they are HIPAA compliant too.

Here are some sample questions your organization should consider when developing your Accountability specification:

  1. Is a process implemented for maintaining a record of the movements of, and person(s) responsible for, hardware and electronic media containing ePHI?
  2. Have all types of hardware and electronic media that must be tracked been identified, such as hard drives, magnetic tapes or disks, optical disks or digital memory cards?
  3. If there are multiple devices of the same type, is there a way to identify individual devices and log or record them separately, such as by serial number or another tracking mechanism?

Data Backup and Storage

The Data Backup and Storage implementation specification describes a reasonable and appropriate safeguard; organizations must:

Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Data Backup and Storage protects the availability of ePHI and is similar to the Data Backup Plan, required as part of your Contingency Plan. Both implementation specifications may be included in the same policies and procedures.

  • An organization may choose to back up a hard drive before moving it, to prevent loss of ePHI when the existing data backup plan does not provide for local hard drive backups.
  • Another option may be to limit where computer users store their files.
  • Larger organizations may implement policies that require users to save all information on their network.


Either of these options, and others, may be considered reasonable and appropriate solutions, depending on your environment.

Here are some sample questions your organization should consider when developing your Data Backup and Storage specification:

  1. Is a process implemented for creating a retrievable, exact copy of ePHI, when needed, before movement of equipment?
  2. Does the process identify the situations in which creating a retrievable, exact copy of ePHI is required before movement of equipment, and the situations in which it is not?
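The two specifications above, Accountability (a record of each move, the individual device, and the person responsible) and Data Backup and Storage (a verified exact copy before a device holding ePHI is moved), can be expressed as a small chain-of-custody ledger. The following is an added example, not code from this newsletter; the serial numbers, names, locations and drive contents are constructed, and the SHA-256 comparison is one way to confirm an "exact copy" that the post itself does not prescribe.

```python
"""Chain-of-custody ledger for device moves, with a pre-move exact-copy check.
Added example; sample values are constructed, not from any real organization."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class MoveRecord:
    serial: str            # identifies the individual device (Accountability question 3)
    responsible: str       # person accountable for the move (Accountability question 1)
    src: str               # location the device left
    dst: str               # location the device went to
    backup_sha256: str     # digest of the verified pre-move copy, "" when none was required
    when: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def exact_copy_ok(source: bytes, copy: bytes) -> bool:
    """A retrievable, exact copy means byte-for-byte identical; compare digests."""
    return sha256(source) == sha256(copy)


def move_allowed(source, copy, contains_ephi: bool) -> bool:
    """Policy decision (Data Backup and Storage question 2): a device holding ePHI
    may move only once a verified exact copy exists; other devices may move freely."""
    if not contains_ephi:
        return True
    return source is not None and copy is not None and exact_copy_ok(source, copy)


def record_move(ledger, serial, responsible, src, dst,
                source=None, copy=None, contains_ephi=True):
    """Append one move to the ledger, refusing moves the policy does not allow."""
    if not move_allowed(source, copy, contains_ephi):
        raise ValueError(f"{serial}: no verified exact copy of ePHI; move refused")
    digest = sha256(copy) if contains_ephi else ""
    rec = MoveRecord(serial, responsible, src, dst, digest)
    ledger.append(rec)
    return rec


def moves_for(ledger, serial):
    """Movement history of a single device: who moved it, from where, to where."""
    return [r for r in ledger if r.serial == serial]
```

Devices that carry no ePHI (pagers, many IoT devices) still get a ledger entry so their movements are accounted for, just without a backup digest.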

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?


For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today.