The purpose of the Device and Media Control Accountability Policy is to ensure Covered Entities and Business Associates create a record of the movements of hardware and electronic media and any person responsible for the same.
Device: For the purposes of this policy, devices are considered to be electronic hardware (including but not limited to workstations, personal computers, servers, laptops, copiers, fax machines, and handheld units) with storage capability to record and save ePHI.
Storage Media: Including but not limited to disk drives, tapes, floppy disks, CDs, zip disks, flash cards, USB memory sticks, optical disks, and hard copies.
If a covered entity’s hardware and media containing ePHI are moved from one location to another, a record should be maintained as documentation of the move. In the case of portable workstations, it may be impossible to keep an accurate record of where the devices are at any particular time; therefore, the owner assigned to the device will be kept on record as an alternative.
When using storage devices and removable media to transport ePHI, a procedure will be implemented to track and maintain records of the movement of those devices and media and of the parties responsible for the devices and media during their movement.
Each section/department must identify, and assign individual responsibility for, the movement and storage of its sensitive data. This should be formally documented within the section/department. Data owners are ultimately responsible, but may delegate responsibility to the individuals managing or using the electronic sensitive information.
The Security Officer already has mechanisms in place for accountability of equipment (inventory management). Similarly, all mobile devices used to store sensitive information must be identified and inventoried. Care should be taken when marking media so as not to draw undue attention. Detailed tracking records are required if the electronic sensitive information being moved cannot be encrypted.
A record shall be maintained to identify movements of devices containing ePHI. The movement of hardware, electronic media and devices includes the receipt, removal, storage and/or disposal of ePHI systems. Such information will also include the identity of the responsible persons associated with the movement. Movements of mobile hardware, media, or devices do not have to be tracked, but ownership of this equipment must be recorded.
The physical movement of any device containing ePHI shall be coordinated with the Security Officer or a designated representative. The Security Officer shall be responsible for maintaining a log, either electronic or paper, tracking the movement of electronic media and equipment, including software. This log will also identify the individuals who have access to such media and equipment once the item(s) have been moved.
Team members are not authorized to remove any equipment unless explicitly approved by their supervisor and the Security Officer. If a team member moves to another position within the Organization, the equipment will not move with them unless explicitly approved by the supervisor and the HIPAA Security Officer.
Any ePHI stored on removable media should be encrypted before the media leaves the work area.