The Health Insurance Portability and Accountability Act (HIPAA) standards are designed specifically for healthcare organizations. Standards include procedures for information security and mechanisms for physical safeguards of data.
What is the Security Rule?
The HIPPA Security Rule is the standard for safeguarding electronic protected health information (e-PHI). According to the Security Rule, physical safeguards are “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” These mechanisms provide another layer of security beyond administrative and technical safeguards to the information security measures. https://www.hhs.gov/hipaa/for-professionals/security/index.html Shred Alaska helps organizations comply with the Security Rule when electronic data storage has reached the end of its life.
What is the Device and Media Controls Standard?
According to the Device and Media Controls standard, organizations are required “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.” Electronic media refers to “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card…”
By complying with this standard, organizations demonstrate measures for the proper handling of electronic media. Shred Alaska can help organizations comply with the disposal aspect of this standard. A NAID Certified data destruction vendor is important if you are a healthcare organization required to comply with HIPAA.
Sample questions for covered entities to consider:
✓ Are policies and procedures developed and implemented that govern the receipt and removal of hardware and electronic media that contain EPHI, into and out of a facility, and the final disposal of the hardware?
✓ Do the policies and procedures identify the types of hardware and electronic media that must be tracked and destroyed?
✓ Have all types of hardware and electronic media that must be tracked been identified?
What are the Requirements for HIPAA Disposal?
While implementing a security program, each organization should “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.” While disposing electronic media that contains sensitive information, the organization should ensure that the media is unusable or inaccessible.
To View the HIPAA Security Series
The best way to dispose of the electronic materials is to physically damage them beyond repair, making the data inaccessible. Sample questions for covered entities to consider:
✓ Are policies and procedures developed and implemented that address disposal of EPHI, and/or the hardware or electronic media on which it is stored?
✓ Do the policies and procedures specify the process for making the hardware or electronic media, unusable and inaccessible?
✓ Do the policies and procedures specify the use of a technology, such as software or a specialized piece of hardware, to make EPHI, and/or the hardware or electronic media, unusable and inaccessible?
✓ Are the procedures used by personnel authorized to dispose of EPHI, and/or the hardware or electronic media?
Shred Alaska will shred all of your electronic media, rendering the media unusable and inaccessible.