
Physical Safeguard Standard, Device and Media Controls: Accountability Implementation Specification - What to Do and How to Do It

May 21, 2009 | HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, Device and Media Controls is the fourth and last Physical Safeguard Standard. Accountability is the third of four implementation specifications, and it is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

A covered entity should maintain a record of the movements of hardware and electronic media and any person responsible for that hardware or electronic media.

How to Do It

A covered entity should maintain written documentation of the movement of hardware and electronic media and of the parties responsible for that hardware and electronic media. How this is done is an outcome of the covered entity’s risk analysis. At a minimum, a covered entity should develop an up-to-date written inventory of hardware and electronic media and, for each item in the inventory, assign a workforce member to have responsibility for that property. A sample inventory might include, for each item of hardware and electronic media: description, model and serial number, manufacturer, purchase price, date purchased, date put in service, responsible party. A copy of the inventory should be kept in a secure location outside of the physical facility of the covered entity for use in recovery from a contingency or disaster. The covered entity may find it useful to leave a copy with its attorney or insurance agent for safekeeping. Remember, the written inventory must be maintained for six years from the last entry, and can be kept in paper or electronic format.

It is important to note why this implementation specification is addressable. A covered entity such as a health plan with many workforce members and hardware and electronic media needs is going to have different inventory accountability requirements than, say, a small healthcare provider. The former likely will have to require “systematic tracking” of hardware and electronic media, whereas the latter may never need to move and account for such equipment.

Tags: 2009, 2010, accountability, addressable, American Recovery and Reinvestment Act, ARRA, business associates, covered entity, device and media controls, February 17, HITECH Act, implementation specification, physical facility, physical safeguard standard, President Obama, Risk Analysis, secure offsite location, Security Rule, systematic tracking, written documentation, written inventory