This policy is listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Device and Media Control Accountability Policy

Reference: ยง164.310(d)(2)(iii)
Last Updated: October 26, 2024

Purpose

The purpose of the Device and Media Control Accountability Policy is to ensure Covered Entities and Business Associates create a record of the movements of hardware and electronic media and any person responsible for the same.

Policy

Definitions

Device: For the purposes of this policy devices are considered to be electronic hardware (including but not limited to workstations, personal computers, servers, laptops, copiers, fax machines, and handheld units) with storage capability to record and save ePHI. Storage Media: Including but not limited to disk drives, tapes, floppy disks, CDโ€™s, zip disks, flash cards, USB memory sticks, optical disks, and hard copies.

If a covered entityโ€™s hardware and media containing EPHI are moved from one location to another, a record should be maintained as documentation of the move. In the case of portable workstations, it may be impossible to keep an accurate record of where the devices are at any particular time, therefore, the assigned owner to the device will be kept on record as an alternative.

When using storage devices and removable media to transport EPHI a procedure will be implemented to track and maintain records of the movement of those devices and media and the parties responsible for the device and media during its movement.

Each section/department must identify, and assign individual responsibility, for the movement and storage of its sensitive data. This should be formally documented within the section/department. Data owners are ultimately responsible, but may delegate responsibility to the individuals managing or using the electronic sensitive information.

Hardware/media Identification

The Security Officer already has mechanisms in place for accountability of equipment (inventory management). Similarly, all mobile devices used to store sensitive information must be identified and inventoried. Care should be taken when marking media so as not to draw undue attention. Detailed tracking records are required if the movement of electronic sensitive information cannot be encrypted.

Procedure

A record shall be maintained to identify movements of devices containing ePHI. The movement of hardware, electronic media and devices includes the receipt, removal, storage and/or disposal of ePHI systems. Such information will also include the identity of responsible persons associated with the movement. Movements of mobile hardware, media, or devices does not have to be tracked, but ownership of this equipment must be recorded.

The physical movement of any device containing ePHI shall be coordinated with the Security Officer or its designated representative. The security officer shall be responsible for maintaining a log, either electronic or paper, tracking the movement of electronic media and equipment, including software. This log will also identify the individuals who have access to such media and equipment once the item(s) have moved.

Team members are not authorized to remove any equipment unless explicitly approved by his/her supervisor and the Security Offices. If a team member moves to another position within the Organization, the equipment will not move with him/her, unless explicitly approved by the supervisor and the HIPAA Security Officer.

Note

Any ePHI stored in a removable should be encrypted before the same leaves the workarea.

Simplify Your Compliance with
Software and Guided Coaching
Let your patients and clients know that you take HIPAA seriously with the HIPAA Seal of Compliance for your website, storefront, and marketing materials.

Get instant access to HIPAA Compliance News and Updates

You'll get your first checklist as soon as you sign up!
overlapping hands

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram