In our series on the HIPAA Administrative Simplification Security Rule, Device and Media Controls is the fourth and last Physical Safeguard Standard. Media Re-use is the second of its four implementation specifications, and it is required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
What to Do
A covered entity must implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
How to Do It
A covered entity must remove any electronic protected health information from electronic media before the media are re-used, and "remove" means render it unrecoverable: deleting files or reformatting a drive only discards the filesystem's references to the data and leaves the data itself on the media, where ordinary recovery tools can read it back. The covered entity should consult its hardware and software vendors to determine which sanitization methods work for the specific media to be re-used (overwriting, a drive's built-in secure-erase command, or cryptographic erasure, depending on the media), and should verify that the method actually worked before releasing the media. Re-use includes reassigning a workstation or other device from one workforce member to another within the covered entity as job responsibilities change, not only transfers outside the organization. The covered entity's Security Official should ensure that the electronic protected health information is backed up and in secure storage before it is removed from the media in question.
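The following shell script is an added example, not code from the original post or from HHS, of the workflow described above: it shows why a logical delete leaves the record recoverable, overwrites the media, verifies that the record is gone, and writes an auditable log line. A plain file stands in for the device so it runs offline without root; the marker string, the 4 KiB "bookkeeping" region, the image size and the log path are all constructed assumptions, and on real media the image path would be a block device.

```shell
#!/bin/sh
# Added example (not from the original post): sanitize a storage image before
# re-use and verify that the ePHI is actually gone.  A plain file stands in for
# the device so this runs offline without root; on real media the path would be
# a block device (assumption), and the same steps apply.
set -eu

# Constructed sample record used as a detectable marker for "ePHI".  A real
# check would search for more than one string; this only shows the method.
PHI_MARKER='PATIENT-RECORD MRN 0000000 SSN 000-00-0000'

# Build a 256 KiB image and plant the marker in the middle of it, the way a
# record survives in the data area after its directory entry is removed.
make_sample_media() {
    img=$1
    dd if=/dev/zero of="$img" bs=1024 count=256 2>/dev/null
    printf '%s\n' "$PHI_MARKER" | dd of="$img" bs=1 seek=65536 conv=notrunc 2>/dev/null
}

# Return 0 if the marker can still be found anywhere on the media.
contains_phi() {
    grep -aq "$PHI_MARKER" "$1"
}

# What "deleting a file" or a quick format actually does: it clears the
# filesystem's bookkeeping (here, hypothetically, the first 4 KiB) and leaves
# the data blocks untouched.
logical_delete() {
    dd if=/dev/zero of="$1" bs=1024 count=4 conv=notrunc 2>/dev/null
}

# Sanitize: overwrite every byte of the media with pseudo-random data.
overwrite_media() {
    img=$1
    size=$(wc -c < "$img" | tr -d ' ')
    dd if=/dev/urandom of="$img" bs=1024 count=$((size / 1024)) conv=notrunc 2>/dev/null
}

# Return 0 only when the marker is gone; this is the check to run and record
# before the media leaves the sanitization workflow.
verify_sanitized() {
    ! contains_phi "$1"
}

# Append an auditable record of what was done to which media and whether the
# verification passed.  $2 is the log file (assumption: a path of your choosing).
# Returns 0 only if verification passed.
log_sanitization() {
    media=$1; logfile=$2
    if verify_sanitized "$media"; then result=PASS; else result=FAIL; fi
    printf '%s media=%s method=overwrite-random verify=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$media" "$result" >> "$logfile"
    [ "$result" = PASS ]
}

main() {
    img=$(mktemp); log=$(mktemp)
    make_sample_media "$img"
    logical_delete "$img"
    if contains_phi "$img"; then
        echo "after logical delete: record still recoverable from $img"
    fi
    overwrite_media "$img"
    if log_sanitization "$img" "$log"; then
        echo "after overwrite: verified clean"
    fi
    cat "$log"
    rm -f "$img" "$log"
}

main
```

Overwriting is only one sanitization method. On solid-state and flash media, wear levelling and remapped blocks mean a host-side overwrite may never reach every cell that has held data, which is exactly the case where the vendor consultation above matters: use the drive's own sanitize or secure-erase command, or cryptographic erasure, and keep the verification log either way.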
Since publication of the final Security Rule in the Federal Register on February 20, 2003, new storage media such as flash drives have become ubiquitous and the cost of storage media has fallen significantly, so replacing electronic storage media is relatively inexpensive. Accordingly, a covered entity should consider, as part of its risk analysis, destroying rather than re-using any electronic media that contain electronic protected health information as a risk mitigation strategy. This is particularly worth weighing for flash media, where wear levelling means a simple overwrite may not reach every cell that has held data.