HIPAA Security Standards and Physical Safeguards

Hard Drive Destruction: Guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled “Security Standards for the Protection of Electronic Protected Health Information,” found at 45 CFR Part 160 and Part 164, Subparts A and C. This rule, commonly known as the Security Rule, was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See also NIST Special Publication 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule.

We provide businesses in Orange County, Los Angeles and San Jose, California with secure, certified HIPAA-compliant document shredding and hard drive shredding. The sections below summarize what HIPAA requires for the handling and destruction of electronic media. For more information, see the HIPAA Security Series on the Department of Health and Human Services website.

HIPAA Requirements for Electronic Media Disposal

The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI.

DEVICE AND MEDIA CONTROLS – STANDARD 164.310(d)(1)

The Device and Media Controls standard requires covered entities to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”

As referenced here, the term “electronic media” means, “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card…” This standard covers the proper handling of electronic media including receipt, removal, backup, storage, reuse, disposal and accountability. Sample questions for covered entities to consider:

Are policies and procedures developed and implemented that govern the receipt and removal of hardware and electronic media that contain EPHI, into and out of a facility, and the movement of these items within the facility?

Do the policies and procedures identify the types of hardware and electronic media that must be tracked?

Have all types of hardware and electronic media that must be tracked been identified?

The Device and Media Controls standard has four implementation specifications, two required and two addressable:

Disposal (Required)

Media Re-Use (Required)

Accountability (Addressable)

Data Backup and Storage (Addressable)

DISPOSAL (R) – § 164.310(d)(2)(i)

The Disposal implementation specification states that covered entities must:

“Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”

When covered entities dispose of any electronic media that contains EPHI they should make sure it is unusable and/or inaccessible. One way to dispose of electronic media is by degaussing. Degaussing is a method whereby a strong magnetic field is applied to magnetic media to fully erase the data. Note that degaussing works only on magnetic media such as hard disk platters and tape; it has no effect on flash-based storage (SSDs, USB sticks, memory cards), which must be sanitized by cryptographic erase, a vendor sanitize command, or physical destruction (see NIST SP 800-88, Guidelines for Media Sanitization). If a covered entity does not have access to degaussing equipment, another way to dispose of electronic media is to physically damage it beyond repair, making the data inaccessible. Whichever method is used, the result should be verified and recorded. Sample questions for covered entities to consider:

Are policies and procedures developed and implemented that address disposal of EPHI, and/or the hardware or electronic media on which it is stored?

Do the policies and procedures specify the process for making the hardware or electronic media unusable and inaccessible?

Do the policies and procedures specify the use of a technology, such as software or a specialized piece of hardware, to make EPHI and/or the hardware or electronic media unusable and inaccessible?

Are the disposal procedures carried out only by personnel authorized to dispose of EPHI and/or the hardware or electronic media?
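The guidance above asks whether software is used to make EPHI inaccessible and whether the process is verifiable. The script below is an added example written for this page, not part of the HHS Security Series or of our own shredding procedures. It uses an ordinary file as a stand-in for a piece of electronic media, writes a constructed (fake) patient record into it, overwrites the whole image with random data and then zeros, and verifies afterwards that the record can no longer be recovered from the raw bytes. The record text, the image size and the function names are assumptions chosen for illustration. The overwrite approach shown is only meaningful for magnetic media; on SSDs and other flash devices, wear leveling and over-provisioning leave copies that a host-side overwrite never touches, so use the drive's cryptographic erase or sanitize command, or destroy the device.

```sh
#!/bin/sh
# Added example, not from the HHS guidance quoted on this page.
# Software sanitization of a disk image (a file standing in for electronic
# media) with a verification step. All data here is constructed; there is no
# real patient information.

# Build a 1 MiB zero-filled image with a constructed EPHI record at offset 4096.
make_sample_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null
    printf 'PATIENT: DOE, JANE  MRN: 0000000  DX: sample record\n' |
        dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Exit 0 if the constructed record is still recoverable from the raw bytes.
# NUL bytes are stripped so grep treats the image as text.
ephi_present() {
    tr -d '\000' < "$1" | grep -q 'MRN: 0000000'
}

# Overwrite every block with random data, then with zeros. This is the kind of
# host-side overwrite NIST SP 800-88 calls "Clear"; it is appropriate for
# magnetic media only, not for SSDs or other flash storage.
sanitize_image() {
    img="$1"
    blocks=$(( $(wc -c < "$img") / 1024 ))
    dd if=/dev/urandom of="$img" bs=1024 count="$blocks" conv=notrunc 2>/dev/null
    dd if=/dev/zero    of="$img" bs=1024 count="$blocks" conv=notrunc 2>/dev/null
}

# Sanitize and verify. Returns 0 only if EPHI was present before and is absent
# after; 2 if there was nothing to sanitize; 1 if verification fails.
sanitize_and_verify() {
    img="$1"
    if ! ephi_present "$img"; then
        return 2
    fi
    sanitize_image "$img"
    if ephi_present "$img"; then
        return 1
    fi
    return 0
}

# Stand-alone demonstration on a temporary image, for the disposal record.
demo() {
    img=$(mktemp)
    make_sample_image "$img"
    sanitize_and_verify "$img"
    rc=$?
    rm -f "$img"
    if [ "$rc" -eq 0 ]; then
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) sanitized and verified: $img"
    else
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) verification FAILED rc=$rc: $img" >&2
    fi
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh sanitize_demo.sh --demo`; the timestamped line it prints is the kind of entry a disposal log should keep for the Accountability specification. The same verify-after-sanitize pattern applies to a real device (for example, checking a sampled region of the block device after a vendor sanitize or cryptographic erase), but the overwrite step itself should not be relied on for flash media.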