HIPAA Security Standards and Physical Safeguards
Hard Drive Destruction: Guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled “Security Standards for the Protection of Electronic Protected Health Information,” found at 45 CFR Part 160 and Part 164, Subparts A and C. This rule, commonly known as the Security Rule, was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We provide businesses in Orange County, Los Angeles and San Jose, California with secure and certified HIPAA-compliant document shredding and hard drive shredding.
For more information, see the HIPAA Security Series on the Health and Human Services website.
HIPAA Requirements for Electronic Media Disposal
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI.
E-Waste Security is a very professional organization. SSAE 16 Professionals, LLP refers all of its clients to E-Waste Security because we know they will receive impeccable service.
The Device and Media Controls standard requires covered entities to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”
As referenced here, the term “electronic media” means, “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card…” This standard covers the proper handling of electronic media including receipt, removal, backup, storage, reuse, disposal and accountability. Sample questions for covered entities to consider:
Are policies and procedures developed and implemented that govern the receipt and removal of hardware and electronic media that contain EPHI, into and out of a facility, and the movement of these items within the facility?
Do the policies and procedures identify the types of hardware and electronic media that must be tracked?
Have all types of hardware and electronic media that must be tracked been identified?
The Disposal implementation specification states that covered entities must:
“Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”
When covered entities dispose of any electronic media that contains EPHI, they should make sure it is unusable and/or inaccessible. One way to dispose of electronic media is by degaussing, a method whereby a strong magnetic field is applied to magnetic media to fully erase the data. If a covered entity does not have access to degaussing equipment, another way to dispose of the electronic media is to physically damage it beyond repair, making the data inaccessible. Sample questions for covered entities to consider: