Device and Media Controls: What This HIPAA Security Rule Physical Safeguard Standard Means

This is the fourth and last Physical Safeguard Standard of the HIPAA Administrative Simplification Security Rule.  It has four implementation specifications:  disposal, media re-use, accountability, and data backup and storage.  The first two are required; the last two are addressable.  Addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must assess whether the specification is a reasonable and appropriate safeguard in its environment and, if it is, implement it; if it is not, the covered entity must document why and implement an equivalent alternative measure where reasonable and appropriate.  As we have noted in earlier postings, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

This standard requires that covered entities implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.  The policies and procedures will be outcomes of the covered entity’s risk analysis.

A covered entity should create a written inventory of all of its hardware and electronic media and track the movement of each item within its physical facility.  In addition, a covered entity should tightly control the introduction into the covered entity of unauthorized electronic media, such as software and USB-compatible external drives that workforce members also use outside the facility.  Maintaining a current inventory and controlling unauthorized external electronic media improves the covered entity’s ability to mitigate risk in the event of a contingency, for example by establishing quickly which device is missing and what electronic protected health information it held.

As mentioned above, there are four implementation specifications for this standard.  With respect to the disposal and media re-use implementation specifications, it is critical to remember that file deletion and erasure functions generally do not remove data from the medium.  Deleting a file typically removes only the directory entry (the file name and its pointer to the data) and marks the underlying storage as free; the data itself remains on the disk or drive until it happens to be overwritten, and a quick format of a drive behaves the same way.  In the context of this discussion, data content means electronic protected health information.  Readily available recovery tools can read that content back from the raw sectors, so using the ordinary file deletion and erasure functions prior to disposal or media re-use may not achieve the intended result, eliminating electronic protected health information and proprietary information of the covered entity.  NIST Special Publication 800-88, Guidelines for Media Sanitization, which the HHS guidance on this standard points to, describes the appropriate methods for each kind of medium, ranging from overwriting, to degaussing or cryptographic erase, to physical destruction.  Failure to properly eliminate electronic protected health information increases the potential risk of a privacy breach or security incident that could have serious consequences for the covered entity, especially with the increased enforcement provisions of ARRA, which are in effect.

The bottom line:  if you dispose of or reuse electronic media, ask your vendor or computer store for information on how to sanitize the electronic protected health information on that specific kind of medium, using a method suited to it (overwriting every sector of a magnetic hard drive, a manufacturer’s secure-erase function for solid-state drives, which overwriting from the operating system cannot reach completely, or physical destruction), and, most importantly, how to verify the result, for example by reading the medium back and confirming the data is gone.  Finally, as part of the procedure, be sure to document in writing what was sanitized, when, by whom, by what method, and how it was verified.
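The two points above, that deletion leaves the content on the medium and that sanitization must be verified and documented, are easier to see in code.  The following is an added example written for this posting; it is not code from the original post and not a vendor tool.  It uses a constructed in-memory “disk image” of 512-byte sectors with a toy directory entry in sector 0 and a constructed sample patient record at sector 8 (the file layout, record format, `MRN:` pattern and media identifier are all illustrative assumptions).  It first “deletes” the file the way a file system does, shows that a raw scan still finds the record, then overwrites every sector, reads the whole medium back to verify, and produces the written record.

```python
# Added example, not code from the original post. A constructed 512-byte-sector
# "disk image" held in memory stands in for a real drive; the layout, the sample
# record, the MRN pattern and the media id are illustrative assumptions.
import hashlib
import json
import os
import re
from datetime import datetime, timezone

SECTOR = 512
PHI_PATTERN = rb"MRN:\d{6}"                                # what the verifier scans for
SAMPLE_RECORD = b"MRN:000123|Name:J. Doe|Dx:hypertension"  # constructed sample ePHI


def make_image(record: bytes = SAMPLE_RECORD, sectors: int = 64) -> bytearray:
    """Build the constructed image: a directory entry in sector 0 that points
    at the file's data, and the data itself starting at sector 8."""
    img = bytearray(sectors * SECTOR)
    entry = b"NOTES.TXT|start=8|len=%d" % len(record)
    img[0:len(entry)] = entry
    img[8 * SECTOR:8 * SECTOR + len(record)] = record
    return img


def delete_file(img: bytearray) -> None:
    """What 'delete' on most file systems amounts to: the name is removed by
    clearing the directory entry; the data sectors are merely marked free."""
    img[0:SECTOR] = bytes(SECTOR)


def find_phi(img: bytes, pattern: bytes = PHI_PATTERN) -> list[int]:
    """Raw scan of every byte of the medium, ignoring the file system.
    Returns the byte offsets at which the pattern still appears."""
    return [m.start() for m in re.finditer(pattern, img)]


def overwrite_all_sectors(img: bytearray) -> None:
    """Clear-level sanitization: a random pass, then a zero pass, over every
    sector (not just the ones the file system thinks are in use)."""
    for off in range(0, len(img), SECTOR):
        img[off:off + SECTOR] = os.urandom(SECTOR)
    for off in range(0, len(img), SECTOR):
        img[off:off + SECTOR] = bytes(SECTOR)


def verify_sanitized(img: bytes, pattern: bytes = PHI_PATTERN) -> dict:
    """Read the whole medium back: after the final zero pass every byte must be
    0x00 and the PHI pattern must be absent. The hash goes into the record."""
    nonzero = sum(1 for b in img if b)
    return {
        "nonzero_bytes": nonzero,
        "phi_offsets": find_phi(img, pattern),
        "sha256": hashlib.sha256(img).hexdigest(),
    }


def sanitization_record(media_id: str, method: str, result: dict) -> str:
    """The written documentation the post calls for, as one JSON line."""
    return json.dumps({
        "media_id": media_id,
        "method": method,
        "verified": result["nonzero_bytes"] == 0 and not result["phi_offsets"],
        "image_sha256": result["sha256"],
        "timestamp": datetime.now(timezone.utc).isoformat(),
    })


def demo() -> dict:
    """Run the three steps and return what each one found."""
    img = make_image()
    before_delete = find_phi(img)            # record found at sector 8 (offset 4096)
    delete_file(img)
    after_delete = find_phi(img)             # still at offset 4096: delete removed only the name
    overwrite_all_sectors(img)
    result = verify_sanitized(img)           # no non-zero bytes, no pattern hits
    return {
        "before_delete": before_delete,
        "after_delete": after_delete,
        "after_overwrite": result,
        "record": sanitization_record("DRV-EXAMPLE-01", "overwrite-random+zero", result),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real drive the same scan would be run over a block-level image (for instance a `dd` copy of the device) rather than over a bytearray.  Two caveats a practitioner would add:  overwriting through the file system or even through the block device does not reach sectors a drive has remapped, or the spare blocks of a wear-levelled solid-state drive, which is why the drive’s own secure-erase or sanitize command, or physical destruction, is the right choice for those media; and a read-back verification is only meaningful if it covers the entire medium, not just the sectors the file system reports as allocated.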
