Device and Media Controls
Media Re-Use
Information Alteration and Destruction
Disposal
Additional Considerations

This topic includes requirements to implement procedures for securing hardware and software in and out of your organization, including procedures for checking-out, reusing and disposing of hardware/software.

NOTE that the HIPAA security regulations only require hardware and software security for electronic protected health information. Before you proceed with this topic, you should decide whether your hardware and software security will apply to all electronic data and resources, or to just electronic protected health information.

HELPFUL DOCUMENTATION RELATED TO THIS TOPIC:
Device and Media Controls Checklist for compliance from the National Institute of Standards and Technology’s An Introductory Resource Guide for Implementing the HIPAA Security Rule, October 2008

REQUIRED COMPLIANCE ACTIONS

In connection with this topic, the HIPAA security regulations include certain standards and specifications that are required, which means covered entities are required to implement them. The requirements are set forth below.

DEVICE AND MEDIA CONTROLS

WHAT IS REQUIRED: Device and media controls are required in the form of formal, documented policies and procedures that govern the receipt and removal of hardware/software (for example, laptops, diskettes, tapes) into and out of a facility.

SOURCE: §164.310(d)(1): Physical Safeguards: Device and Media Controls

HELPFUL DOCUMENTATION
Security Standards: Physical Safeguards CMS Security Guidance: Device and Media Controls guidance begins on page 10

REQUIRED POLICY AND FORMS
Sample Hardware and Software Control Policy
This policy sets forth the procedure for checking-out software and hardware from the organization, the obligations of workforce members who are approved to remove software and hardware, and the procedures for receipt of hardware and software into the organization.

Form for Checking-Out Hardware and Software

Select One | Required Action
Policies and procedures are already in place in the organization for device and media controls. | Attach documentation to this worksheet of the policies and procedures in effect dealing with device and media controls.
Policies and procedures for dealing with device and media controls will be implemented. | Attach documentation to this worksheet regarding who is responsible for development of the policies and procedures, the timetable for completion, and copies of the written policies and procedures, when completed.

MEDIA RE-USE

WHAT IS REQUIRED: Policies and procedures must be adopted for removal of electronic protected health information from electronic media before the media are made available for re-use.

SOURCE: §164.310(d)(2)(ii): Physical Safeguards: Media Re-Use

HELPFUL DOCUMENTATION
Security Standards: Physical Safeguards CMS Security Guidance: Media Re-Use guidance begins on page 11

REQUIRED POLICY
Guidelines for Developing Procedures for Re-Use and Disposal of Hardware and Software that Contain Electronic Protected Health Information

Select One | Required Action
Policies and procedures are already in place in the organization for the re-use of hardware and software that contain electronic protected health information. | Attach documentation to this worksheet of the policies and procedures in effect dealing with the re-use of hardware and software that contain electronic protected health information.
Policies and procedures for the re-use of hardware and software that contain electronic protected health information will be implemented. | Attach documentation to this worksheet regarding who is responsible for development of the policies and procedures, the timetable for completion, and copies of the written policies and procedures, when completed.

INFORMATION ALTERATION AND DESTRUCTION

WHAT IS REQUIRED: Policies and procedures must be implemented to protect electronic protected health information from improper alteration or destruction and to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

SOURCE: §164.312(c)(i): Technical Safeguards: Integrity

HELPFUL DOCUMENTATION
Security Standards: Technical Safeguards CMS Security Guidance: Integrity guidance begins on page 8

Integrity Checklist for compliance from the National Institute of Standards and Technology’s An Introductory Resource Guide for Implementing the HIPAA Security Rule, October 2008

REQUIRED POLICY
Guidelines for Developing Procedures to Prevent Alteration and Destruction of Electronic Protected Health Information

Select One | Required Action
Procedures to prevent information alteration and destruction are already in place in the organization. | Attach documentation to this worksheet of the procedures to prevent information alteration and destruction in effect in the organization.
Procedures to prevent information alteration and destruction will be implemented. | Attach documentation to this worksheet regarding who is responsible for development of the procedures to prevent information alteration and destruction, the timetable for completion, and copies of the written policies and procedures, when completed.

DISPOSAL

WHAT IS REQUIRED: Policies and procedures must be adopted that address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

SOURCE: §164.310(d)(2)(i): Physical Safeguards: Disposal

HELPFUL DOCUMENTATION
Security Standards: Physical Safeguards CMS Security Guidance: Disposal guidance begins on page 10

REQUIRED POLICY
Guidelines for Developing Procedures for Re-Use and Disposal of Hardware and Software that Contain Electronic Protected Health Information

Select One | Required Action
Media disposal policies and procedures are already in place in the organization. | Attach documentation to this worksheet of the disposal policies and procedures in effect.
Disposal policies and procedures will be implemented. | Attach documentation to this worksheet regarding who is responsible for development of the policies and procedures, the timetable for completion, and copies of the written policies and procedures, when completed.

ADDITIONAL CONSIDERATIONS

In connection with this topic, the HIPAA security regulations also include certain specifications that are “addressable,” rather than required, meaning that the covered entity must undertake an assessment of whether the specification is a reasonable and appropriate safeguard, when analyzed with reference to the likely contribution to protecting your organization’s electronic protected health information. Large organizations with sophisticated computer network systems should consider implementing most, if not all, of these addressable specifications. The addressable specifications are as follows:

HARDWARE AND SOFTWARE ACCOUNTABILITY

Covered entities are encouraged to consider implementing a system to record the movements of hardware and electronic media and any person responsible therefor.

SOURCE: §164.310(d)(2)(iii): Physical Safeguards: Accountability.

HELPFUL DOCUMENTATION
Security Standards: Physical Safeguards CMS Security Guidance: Hardware and Software Accountability guidance begins on page 12.

NOTE: The Sample Hardware and Software Control Policy listed above will set forth your system for recording movement of hardware and software in and out of the organization. This addressable component requires you to consider also recording movements within your organization.

Select One | Required Action
Procedures for recording the movements of hardware and electronic media and any person responsible are already in place in the organization. | Attach to this worksheet documentation of the procedures for recording the movements of hardware and electronic media and any person responsible.
It is reasonable and appropriate to implement procedures for recording the movements of hardware and electronic media and any person responsible. | Implement procedures to record the movements of hardware and electronic media and those responsible for the tracking, and attach documentation to this worksheet of the procedures to be implemented, who is in charge of the implementation, and the timetable for implementation.
We have or will implement an equivalent alternative safeguard to procedures for recording the movements of hardware and electronic media and any person responsible. | Document who is responsible for implementing the equivalent and what the elements of the equivalency are.
It is not reasonable and appropriate to implement procedures for recording the movements of hardware and electronic media and any person responsible. | Document why it would not be reasonable and appropriate to implement these procedures.

TRANSMISSION INTEGRITY CONTROLS

Covered entities are encouraged to consider measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

SOURCE: §164.312(e)(2)(i): Technical Safeguards: Integrity Controls.

HELPFUL DOCUMENTATION
Security Standards: Technical Safeguards CMS Security Guidance: Integrity Control guidance begins on page 11

NOTE: This addressable specification deals only with transmitted electronic protected health information and presumably is concerned about information that is transmitted outside your organization and then sent back. If your organization makes this type of transmission, you must consider whether it is appropriate to institute some type of system or procedure for assuring that the information has not been tampered with during or after transmission. One way to accomplish this is to require a back-up of the transmitted data which is used to verify the accuracy of the re-transmitted data.

Select One | Required Action
Measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of are already in place in the organization. | Attach to this worksheet documentation of the measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of that are in place in the organization.
It is reasonable and appropriate to implement measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. | Implement procedures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of, document those responsible for developing the procedures, and attach documentation to this worksheet of the procedures to be implemented, who is in charge of the implementation, and the timetable for implementation.
We have or will implement an equivalent alternative safeguard to measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. | Document who is responsible for implementing the equivalent and what the elements of the equivalency are.
It is not reasonable and appropriate to implement measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. | Attach documentation to this worksheet as to why it would not be reasonable and appropriate to implement measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

MECHANISM TO AUTHENTICATE ELECTRONIC PROTECTED HEALTH INFORMATION

Covered entities are encouraged to consider electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

SOURCE: §164.312(c)(2): Technical Safeguards: Mechanism to Authenticate Electronic Protected Health Information

HELPFUL DOCUMENTATION
Security Standards: Technical Safeguards CMS Security Guidance: Mechanism to Authenticate PHI guidance begins on page 9

NOTE: This addressable specification is suggesting that organizations have software installed which will ascertain the continued integrity of electronic protected health information. Your policy on Information Alteration and Destruction, required under the topic list above, should have already dealt with this issue.

Select One | Required Action
Electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner are already in place in the organization. | Attach to this worksheet documentation of the electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner that are in place in the organization.
It is reasonable and appropriate to implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner, document those responsible for developing the mechanisms, and attach documentation to this worksheet of the procedures to be implemented, who is in charge of the implementation, and the timetable for implementation.
We have or will implement an equivalent alternative safeguard to electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | Document who is responsible for implementing the equivalent and what the elements of the equivalency are.
It is not reasonable and appropriate to implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | Attach documentation to this worksheet as to why it would not be reasonable and appropriate to implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
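One way to implement both the retained "back-up used to verify the re-transmitted data" suggested in the Transmission Integrity Controls note and the electronic mechanism to corroborate that records have not been altered, as an added example that is not part of this worksheet or the CMS guidance: each record is sealed with a keyed hash (HMAC-SHA256) before it leaves the organization, the tags are kept locally as the manifest, and returned or stored copies are checked against that manifest. The records, ids and key below are constructed placeholders, not real data.

```python
import hashlib
import hmac
import json

# Constructed placeholder key; in practice it comes from a key store and is
# never kept alongside the records it protects.
DEMO_KEY = b"placeholder-key-for-this-example-only"

# Constructed sample records; no real patient data.
OUTBOUND = {
    "TEST-0001": {"patient_id": "TEST-0001", "dob": "1970-01-01", "dx": ["E11.9"]},
    "TEST-0002": {"patient_id": "TEST-0002", "dob": "1985-06-15", "dx": ["J45.20"]},
}

def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def seal(record: dict, key: bytes = DEMO_KEY) -> str:
    """Keyed integrity tag computed before the record leaves the organization."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()

def build_manifest(records: dict, key: bytes = DEMO_KEY) -> dict:
    """The retained 'back-up' the note refers to: record id -> tag kept locally."""
    return {rid: seal(rec, key) for rid, rec in records.items()}

def verify(record: dict, tag: str, key: bytes = DEMO_KEY) -> bool:
    """Recompute the tag over the returned copy and compare in constant time."""
    return hmac.compare_digest(seal(record, key), tag)

def find_altered(returned: dict, manifest: dict, key: bytes = DEMO_KEY) -> list:
    """Ids of returned records that are missing from the manifest or fail verification."""
    return sorted(
        rid for rid, rec in returned.items()
        if rid not in manifest or not verify(rec, manifest[rid], key)
    )

def demo() -> list:
    """Seal the outbound set, simulate a round trip with one alteration, and report."""
    manifest = build_manifest(OUTBOUND)
    returned = json.loads(json.dumps(OUTBOUND))          # deep copy, as if round-tripped
    returned["TEST-0002"]["dx"] = ["I10"]                # constructed alteration in transit
    returned["TEST-0003"] = {"patient_id": "TEST-0003"}  # record never sealed by us
    return find_altered(returned, manifest)
```

Records that fail verification, or that arrive without a retained tag, are the ones to quarantine and re-request rather than accept; a stored copy can be re-checked against the same manifest at any later point until disposal.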

DATA BACKUP AND STORAGE

Covered entities are encouraged to consider creating a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

SOURCE: §164.310(d)(2)(iv): Physical Safeguards: Data Backup and Storage

HELPFUL DOCUMENTATION
Security Standards: Physical Safeguards CMS Security Guidance: Data Backup and Storage guidance begins on page 13

NOTE: This addressable specification should already be implemented as part of your required Data Backup and Recovery Plan.

Select One | Required Action
A system for creating a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment is already in place in the organization. | Attach to this worksheet documentation of the system for creating a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment that is in place in the organization.
It is reasonable and appropriate to implement a system for creating a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. | Implement a system for creating a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment, document those responsible for developing the system, and attach documentation to this worksheet of the procedures to be implemented, who is in charge of the implementation, and the timetable for implementation.
We have or will implement an equivalent alternative safeguard to creating a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. | Document who is responsible for implementing the equivalent and what the elements of the equivalency are.
It is not reasonable and appropriate to implement a system for creating a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. | Attach documentation to this worksheet as to why it would not be reasonable and appropriate to implement a system for creating a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.