Device and Media Controls - Part 1

Episode 61: Know The Rules! Device and Media Controls – Part 1


Device and Media Controls

In this week’s “Know The Rules!,” I am talking about the first two elements of the HIPAA Device and Media Controls security standard, 45 CFR §164.310(d)(1).

The Device and Media Controls standard requires Covered Entities (CEs) and their Business Associates (BAs) to:

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.

The above standard is all about the proper handling of electronic media: receiving, removing, backing up, storing, reusing and disposing of it, and keeping it accountable for throughout.

The Device and Media Controls standard has four implementation specifications, two required and two addressable. Today I am presenting two of the four: media disposal and media re-use.

The two implementation specifications covered today are:
Note: (R) = Required      (A) = Addressable

  1. Disposal (R) – 45 CFR 164.310(d)(2)(i)
  2. Media Re-Use (R) – 45 CFR 164.310(d)(2)(ii)

Disposal

The Disposal implementation specification states that CEs and their BAs must:

Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

Before healthcare organizations dispose of, or recycle, any electronic media that contains electronic protected health information (ePHI) they should make sure it is unusable and/or inaccessible.

One way to dispose of electronic media is by degaussing.

What the heck is degaussing?

Degaussing is a method where a strong magnetic field is applied to magnetic media (hard disk platters, tape) to fully erase the data. Because it works on the magnetic coating, it does nothing for flash-based media such as SSDs and USB drives, which need a different method.

If a CE or BA does not have access to degaussing equipment, another way to dispose of the electronic media is to physically damage it beyond repair, making the data inaccessible. That’s right, it’s hammer time!!

Here are some sample questions your organization should consider when developing your Disposal specification:

  1. Are policies and procedures developed and implemented that address disposal of ePHI, and/or the hardware or electronic media on which it is stored?
  2. Do the policies and procedures specify the process of making ePHI, and/or the hardware or electronic media, unusable and inaccessible?
  3. Do the policies and procedures specify the use of a technology, such as software or a specialized piece of hardware, to make ePHI, and/or the hardware or electronic media, unusable and inaccessible?
  4. Are the procedures followed by the members of your workforce who are authorized to dispose of ePHI, and/or the hardware or electronic media?

Media Re-Use

Instead of disposing of electronic media, your organization may want to reuse it. The standard includes a Media Re-Use provision covering media that has held ePHI, and it is a required implementation specification:

Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

If, rather than disposing of it, your organization decides to re-use media that previously contained ePHI, it must do so appropriately, whether the re-use is internal or external.

  • Internal re-use may include re-deployment of PCs or sharing removable media.
  • External re-use may include donation of electronic media to charity organizations or local schools.

No matter what you decide, it is important to remove ALL ePHI previously stored on ANY and ALL previous devices and/or media to prevent unauthorized access.

Here are some sample questions your organization should consider when developing a Media Re-use specification:

  1. Are procedures developed and implemented for removal of ePHI from electronic media before re-use?
  2. Do the procedures specify situations when all ePHI must be permanently deleted or situations when the electronic media should only be reformatted so that no files are accessible?
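Question 2 above draws a line between permanently deleting ePHI and merely reformatting the media, and the difference matters more than it looks. A quick format or an ordinary delete only clears the file table; the blocks that held the records are left in place until something happens to overwrite them, and any recovery tool that scans the raw device will find them. The following is an added example, not code from the newsletter or from HHS, that simulates a small block device in Python to show the difference and to add the verification step a re-use procedure should end with. The `SimDisk` class, the fictional `SAMPLE_RECORD`, and the function names are all my own constructions for illustration.

```python
import os
import re

BLOCK_SIZE = 512
DATA_BLOCK_COUNT = 16  # tiny simulated medium: block 0 is the directory, then 16 data blocks

# Constructed, fictional record standing in for an ePHI file on the medium.
SAMPLE_RECORD = b"PATIENT: Jane Doe; MRN 000123; DX: hypertension; DOB 1970-01-01\n"
MARKER = b"MRN 000123"  # identifier we later try to carve back out of the raw bytes


class SimDisk:
    """A simulated block device: raw bytes plus a file table serialised into block 0."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * (1 + DATA_BLOCK_COUNT))
        self.next_free = 1   # first free data block
        self.table = {}      # name -> (first_block, length)
        self._flush_table()

    def _flush_table(self):
        # Write the directory into block 0 as "name:first_block:length" lines.
        entries = "\n".join(f"{n}:{b}:{l}" for n, (b, l) in self.table.items()).encode()
        self.raw[0:BLOCK_SIZE] = entries.ljust(BLOCK_SIZE, b"\0")[:BLOCK_SIZE]

    def write_file(self, name, data):
        blocks_needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if self.next_free + blocks_needed > 1 + DATA_BLOCK_COUNT:
            raise OSError("medium full")
        start = self.next_free * BLOCK_SIZE
        self.raw[start:start + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += blocks_needed
        self._flush_table()

    def read_file(self, name):
        first, length = self.table[name]
        start = first * BLOCK_SIZE
        return bytes(self.raw[start:start + length])

    def quick_format(self):
        """Reformat / delete: clears only the directory; the data blocks are untouched."""
        self.table.clear()
        self.next_free = 1
        self._flush_table()

    def overwrite_all(self):
        """Sanitise: overwrite every block (one random pass, then a zero pass), then rebuild an empty directory."""
        self.raw[:] = os.urandom(len(self.raw))
        self.raw[:] = bytes(len(self.raw))
        self.table.clear()
        self.next_free = 1
        self._flush_table()

    def carve(self, pattern):
        """Scan the raw bytes, ignoring the directory, the way a recovery tool would."""
        return [m.start() for m in re.finditer(re.escape(pattern), bytes(self.raw))]


def residual_hits(disk, marker=MARKER):
    """Number of places the known identifier can still be carved from the medium."""
    return len(disk.carve(marker))


def verify_sanitized(disk, markers=(MARKER,)):
    """Verification step: no known marker is carvable and no data block holds anything but zeros."""
    if any(disk.carve(m) for m in markers):
        return False
    return not any(disk.raw[BLOCK_SIZE:])


def compare_reuse_methods():
    """Write two records, reformat, check; then overwrite, check again."""
    results = {}
    disk = SimDisk()
    disk.write_file("visit1.txt", SAMPLE_RECORD)
    disk.write_file("visit2.txt", SAMPLE_RECORD)
    results["listed_before"] = len(disk.table)
    disk.quick_format()
    results["listed_after_quick_format"] = len(disk.table)          # directory is empty ...
    results["carvable_after_quick_format"] = residual_hits(disk)    # ... but both records are still there
    results["sanitized_after_quick_format"] = verify_sanitized(disk)
    disk.overwrite_all()
    results["carvable_after_overwrite"] = residual_hits(disk)
    results["sanitized_after_overwrite"] = verify_sanitized(disk)
    return results


if __name__ == "__main__":
    for key, value in compare_reuse_methods().items():
        print(f"{key}: {value}")
```

The point of `verify_sanitized` is that a re-use procedure should not stop at running the wipe; it should confirm, by reading the medium back, that nothing recognisable remains before the device is handed to the next user, and it should record that result. On real hardware the same idea applies, but the tool must match the medium: overwriting addresses every sector on a magnetic disk, while flash media keep spare blocks the operating system cannot reach, so for those a built-in secure erase or physical destruction is the safer choice.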

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today.