The Health Insurance Portability and Accountability Act (HIPAA) require organizations, including: insurance companies, clinics, doctor’s offices and hospitals, to physically safeguard electronic protected health information (EPHI) stored on computer hard drives, optical, flash and magnetic media.
PROTECT EPHI FROM UNAUTHORIZED ACCESS
There are three basic standards for physical safeguards to protect EPHI from unauthorized access or intrusion. These are Facility Access Controls, Workstation Security and Device and Media Controls. We will discuss Device and Media Controls – the process of digital data destruction and disposal such as hard drive destruction or shredding – in our next segment.
Facility Access Controls – Covered entities must establish:
- Contingency plan to restore lost data – Establish protocols that allow access to support restoration of data in the event of a disaster
- Security plan to safeguard against unauthorized physical access – Physical access controls allow only those individuals with legitimate business needs to access EPHI
- Access control to validate a person’s access – Processes to validate or deny access based on a person’s role or job function and the need to perform their tasks
- Maintenance records – Document changes to security equipment detailing the loss of authorized access to EPHI when an employee is terminated
HIPAA AND DIGITAL DATA DESTRUCTION VENDOR DUE DILIGENCE
RISK OF LIABILITY: Do your policies and procedures identify individuals (employees, associates and contractors) with authorized physical access by title and/or job function?
Do you allow your electronic recycler or data destruction vendor to remove PCs or laptop computers for offsite destruction?
E-Waste Security is a NAID Certified digital data and hard drive destruction company. We provide onsite destruction services to help comply with PHI destruction requirements associated with HIPAA and other data privacy laws.