In our series on the HIPAA Administrative Simplification Security Rule, Device and Media Controls is the fourth and last Physical Safeguard Standard. Accountability is the third of its four implementation specifications, and it is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must assess whether the specification is a reasonable and appropriate safeguard in its environment; if it is, the covered entity must implement it, and if it is not, the covered entity must document why and implement an equivalent alternative measure where reasonable and appropriate. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
What to Do
A covered entity should maintain a record of the movements of hardware and electronic media and any person responsible for that hardware or electronic media.
How to Do It
A covered entity should maintain written documentation of the movement of hardware and electronic media and of the parties responsible for that hardware and electronic media. How this is done is an outcome of the covered entity’s risk analysis. At a minimum, a covered entity should develop an up-to-date written inventory of hardware and electronic media and, for each item in the inventory, assign a workforce member responsible for that property. A sample inventory might include, for each item of hardware and electronic media: description, model and serial number, manufacturer, purchase price, date purchased, date put in service, and responsible party. A copy of the inventory should be kept in a secure location outside the covered entity’s physical facility for use in recovery from a contingency or disaster. The covered entity may find it useful to leave a copy with its attorney or insurance agent for safekeeping. Remember, the written inventory is Security Rule documentation and must be retained for six years from the date of its creation or the date it was last in effect, whichever is later; it can be kept on paper or in electronic format.
It is important to note why this implementation specification is addressable. A covered entity such as a health plan with many workforce members and extensive hardware and electronic media needs is going to have different inventory accountability requirements than, say, a small healthcare provider. The former likely will have to require “systematic tracking” of hardware and electronic media, whereas the latter may rarely, if ever, need to move and account for such equipment. Either way, the decision and its rationale should be documented as part of the risk analysis.