DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. The physical safeguard component of the Security Rule contains four standards that covered entities and business associates are subject to:
1. Facility Access Controls.
2. Workstation Use Controls.
3. Workstation Security Controls.
4. Device and Media Controls.
This article covers the fourth of the four standards, Device and Media Controls.
The Device and Media Controls standard requires covered entities and business associates to "Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility."
The standard contains four "implementation specifications" - specific measures to be followed to implement the standard. The four implementation specifications are:
(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
What is Electronic Media?
The term "Electronic media" means electronic storage media, including:
1. Memory devices in computers.
2. Any removable, transportable digital memory medium such as flash drives, CDs, DVDs, solid-state drives (SSDs), and magnetic storage.
Let's look at each of the four implementation specifications:
1. Disposal. The disposal specification requires covered entities and business associates to "Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored."
PHI disposal may be required under a variety of circumstances, including when required by law or contract (e.g., business associate agreement). Organizations should develop policies and procedures instructing employees on:
a. How to properly dispose of ePHI
b. Which employees are authorized to dispose of ePHI
c. Which employees are authorized to dispose of the hardware or electronic media on which ePHI is stored
Proper disposal requires that the ePHI or electronic media on which ePHI is stored be rendered unusable, unreadable, and/or inaccessible. There are three NIST-recognized media sanitization methods – clearing, purging, and destruction. Organizations should select the appropriate sanitization method(s) for all ePHI disposal.
- Clearing sanitizes data, protecting against simple, non-invasive data recovery techniques. Clearing is typically applied through standard Read/Write commands to the storage device. This may include rewriting with a new value or using a menu option to reset a device to the factory state (when rewriting is not supported). The data is then overwritten and verified. Most devices support some level of clearing sanitization. Clearing sanitization has a limit, however – it does not reach hidden areas or areas that cannot be addressed.
- Purging applies techniques that render data recovery infeasible. Purging provides a more thorough level of sanitization than clearing, and is used for more confidential data. Purging requires the removal of hidden drives, if these are present. Purging may not work on all firmware.
- Destroying renders target data recovery infeasible. Destroying also renders the media incapable of storing data afterward. “Destroying” includes a variety of techniques, such as shredding, incinerating, pulverizing, melting, and other physical techniques. These techniques may be necessary for drives that are already beyond all possible use or standard overwriting methods because of physical damage.
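The overwrite-and-verify step that defines "clearing" above, together with the disposal record an organization keeps, as an added example that is not part of the Compliancy Group article. A regular file stands in for a storage device, and the asset tag and workforce member name are constructed sample values.

```python
"""Added example (not from the article): a NIST 800-88 style "clear" of a media
image by overwrite-and-verify, returning the disposal record an organization
keeps (asset, method, who, when, verification result). A regular file stands in
for the device; media_id and performed_by are constructed sample values."""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB blocks for the overwrite and read-back passes

@dataclass
class SanitizationRecord:
    media_id: str        # asset tag from the device inventory
    method: str          # "clear", "purge" or "destroy"
    performed_by: str    # workforce member authorized to dispose of media
    bytes_sanitized: int
    verified: bool       # False: media must not be re-used or released
    timestamp: str

def clear_media(path, media_id, performed_by, pattern=b"\x00"):
    """Overwrite every addressable byte with `pattern`, then read it back.
    Clearing only reaches the logical address space; hidden or remapped areas
    (the limit the article notes) need purge or destroy instead."""
    size = os.path.getsize(path)
    block = (pattern * (CHUNK // len(pattern) + 1))[:CHUNK]
    with open(path, "r+b") as f:
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # make sure the overwrite reached the device
    with open(path, "rb") as f:  # independent read-back verification pass
        verified = all(c == block[:len(c)] for c in iter(lambda: f.read(CHUNK), b""))
    return SanitizationRecord(media_id, "clear", performed_by, size, verified,
                              datetime.now(timezone.utc).isoformat())

def demo_clear():
    """Constructed sample: a ~200 KB 'drive' holding fake ePHI text lines."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"PATIENT: Jane Doe MRN 0001 DX ...\n" * 6250)
    record = clear_media(path, "ASSET-0042", "j.smith (IT, authorized)")
    with open(path, "rb") as f:
        residue = f.read()  # what a simple read of the media now returns
    os.unlink(path)
    return record, residue
```

A record with `verified` set to False is the signal to escalate to purging or destruction rather than release the media.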
2. Media Re-Use. The media re-use specification calls for covered entities and business associates to "Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use."
Covered entities and business associates should require that ePHI on hardware and electronic media be rendered unusable and/or inaccessible before the hardware and electronic media are made available for re-use - whether for a workforce member who does not require access to the ePHI, or when the equipment is transferred to a different workforce member with different ePHI access needs. Covered entities and business associates should ensure that hardware and electronic media are rendered unusable and/or inaccessible in accordance with the NIST clearing and purging methods mentioned above.
3. Accountability. The accountability specification calls for covered entities and business associates to "Maintain a record of the movements of hardware and electronic media and any person responsible therefore."
To meet this specification, organizations can prepare an inventory that identifies all of the hardware and media that contain ePHI. The contents of the inventory can be confirmed on at least an annual basis. An organization may use The Guard's Device and Application Inventories (located by clicking the "Assets" tab) to create and monitor the inventory.
To implement the accountability specification, an organization may also implement a tracking system. The tracking system can document the assignment of responsibility for hardware and electronic media containing ePHI, as well as the transfer of authority for these devices. The organization can maintain a record of the transfer of hardware and electronic media between its point of origination and its point of receipt. The organization can ensure that this record contains the names of the individuals responsible for the hardware and electronic media. Examples of documentation include recording when laptops are sent out to the manufacturer for repair, or assigning a user a specific computer and documenting this on the Device Inventory. To ensure that hardware and electronic media can be accurately and appropriately tracked, an organization may require that loss or theft of electronic equipment or media containing ePHI be immediately reported to authorized personnel.
4. Data backup and storage. The data backup and storage specification requires covered entities and business associates to "Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment."
To meet this specification, covered entities and business associates can require the testing of backups prior to moving any equipment inside of or outside of their facilities. Testing measures should account for what equipment is to be tested, who is to perform the testing, and documentation of test results. The covered entity or business associate may then ensure that a retrievable, exact backup of ePHI is available before equipment is moved.
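One way to test that a pre-move backup is a "retrievable, exact copy" as the specification requires, as an added example that is not part of the Compliancy Group article. The directory layout, file names and contents are constructed sample data; the returned dictionary is the kind of test result the article says should be documented.

```python
"""Added example (not from the article): testing that a pre-move backup is a
"retrievable, exact copy" of the source ePHI. Every source file must exist in
the backup, be readable, and hash identically; the returned dict is the test
result an organization documents. All directories and contents are constructed."""
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:  # whole-file read; chunk this for large media
        return hashlib.sha256(f.read()).hexdigest()

def verify_backup(source_dir, backup_dir):
    """Check each source file against the backup; passes only with no missing,
    unreadable or differing files (extra files in the backup are ignored)."""
    result = {"checked": 0, "missing": [], "unreadable": [], "mismatched": []}
    for dirpath, _, files in os.walk(source_dir):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, source_dir).replace(os.sep, "/")
            bak = os.path.join(backup_dir, rel)
            result["checked"] += 1
            if not os.path.exists(bak):
                result["missing"].append(rel)
                continue
            try:                        # "retrievable": the copy must read back
                bak_hash = sha256_of(bak)
            except OSError:
                result["unreadable"].append(rel)
                continue
            if bak_hash != sha256_of(src):   # "exact": byte-identical content
                result["mismatched"].append(rel)
    result["passed"] = not (result["missing"] or result["unreadable"] or result["mismatched"])
    return result

def demo_verify():
    """Constructed sample: three ePHI files; the backup lost one and truncated one."""
    src, bak = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = {"patients.csv": b"mrn,name\n0001,Jane Doe\n",
             "notes/visit.txt": b"Follow-up in 6 weeks.\n",
             "imaging/scan.bin": os.urandom(4096)}
    for rel, data in files.items():
        for root in (src, bak):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
    os.remove(os.path.join(bak, "imaging/scan.bin"))             # dropped during copy
    with open(os.path.join(bak, "notes/visit.txt"), "wb") as f:  # interrupted copy
        f.write(b"Follow")
    return verify_backup(src, bak)
```

Equipment should move only when `passed` is True; the lists name exactly which files must be re-copied first.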