The HIPAA Security Rule includes a standard covering Device and Media Controls.
What is a device according to the HIPAA Security Rule? Devices are anything digital you may use in the practice that may access or save digital information, including ePHI. Examples include computers, laptops, printers, scanners, fax machines, tablets, etc. Remember that scanners, fax machines, and printers have hard drives that store information.
What does the Device and Media Controls standard require me to do?
There are four implementation specifications, or things you need to do. You must have a procedure for:
1- Disposal of electronic media
2- Reuse of electronic media
3- Accountability (which means documentation)
4- Data backup and storage
What does this really mean for a covered entity?
1- Disposing of electronic media means destroying the machine so that the hard drive is inaccessible. There are companies that will shred or incinerate machines. A good old-fashioned hammer works as well.
2- To reuse a device, such as taking it home or selling it, the device must be professionally wiped clean. Deleting files and emptying the trash does NOT remove all information from the device.
3- Accountability just means documenting what you did with the device. We recommend filing that documentation in your compliance manual.
4- Data backup is super important. You are only as good as your backup system. You own your data, so please be sure that you have a backup, that it is off-site, and that it can be restored. The worst time to discover you have a bad backup is when you need to restore the data and it is not there or cannot be accessed.
Breakthrough Coaching has systems and forms to make this process easy.