Device and media controls (HIPAA)
Covered entities must implement device and media controls as part of their physical safeguards. The HIPAA Security Rule defines those as "policies and procedures that govern the receipt and removal of hardware and electronic media that contain protected health information [PHI] into and out of a facility, and the movement of these items within the facility."
Four implementation specifications are included in this standard; the first two are required, the last two addressable:

The first embraces implementation of "policies and procedures to address the final disposition of electronic [PHI], and/or the hardware or electronic media on which it is stored."

The second is closely related: policies and procedures for "removal of electronic [PHI] from electronic media before the media are made available for re-use."

The third covers maintenance of "a record of the movements of hardware and electronic media and any person responsible therefore."

The last addresses creation of "a retrievable, exact copy of electronic [PHI], when needed, before movement of equipment." (A broader requirement for data backup and disaster recovery is part of the contingency plan standard, and is also implicit in the data integrity standard.)
DHHS has noted that "device" and "media" are to be interpreted broadly (Final Rule, p.123ff). Equipment re-use or recycling is covered if such equipment is configured with unremoved storage media (such as an internal hard drive) that may contain PHI. So are removable media of all types, from disk drives to "flash memory." (Digital media types and secure disposal are discussed more broadly in a separate entry.)
The addressable specification for accountability reflects DHHS' view that not all facilities will need detailed tracking procedures. ("For example, small providers would be unlikely to be involved in large-scale moves of equipment that would require systematic tracking, unlike, for example, large health care providers or health plans.")