HIPAA Compliance

Physical Safeguard Standard, Device and Media Controls: Media Re-use Implementation Specification - What to Do and How to Do It

May 20, 2009 | HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, Device and Media Controls is the fourth and last Physical Safeguard Standard.  Media Re-use is the second of four implementation specifications, and it is required.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

A covered entity must implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

How to Do It

A covered entity must delete any electronic protected health information on electronic media prior to re-use of the media.  The covered entity should consult with its hardware and software vendors to determine methods that work best for deleting electronic protected health information from electronic media that are to be re-used.  This includes moving electronic protected health information from one workstation to another within a covered entity as job responsibilities change for workforce members.  The covered entity’s Security Official should ensure that electronic protected health information is backed up and in secure storage prior to deleting electronic health information on subject electronic media.

Since publication of the final Security Rule on February 20, 2003, in the Federal Register, new storage media such as flash drives have become ubiquitous and costs of storage media have fallen significantly, with the result that replacing electronic storage media is relatively inexpensive.  Accordingly, as part of its risk analysis, a covered entity should consider destruction rather than re-use of any electronic media that contain electronic protected health information as an appropriate risk mitigation strategy.
