Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

POLICY # 36 ADMINISTRATIVE MANUAL APPROVED BY:

DEVICE AND MEDIA CONTROLS
POLICY # 36
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERCEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement policies and procedures that govern the receipt and removal
of hardware and electronic media that contain EPHI into and out of a
facility, and the movement of these items within the facility.”
Policy Summary:
EPHI on Sindecuse Health Center (SHC) information systems and
electronic media must be protected, accounted for, properly stored,
backed up and disposed of in accordance with specific procedures. These
controls must be in place for hardware and electronic media into, out of
and within the facility.
Purpose:
This policy reflects SHC’s commitment to appropriately control
information systems and electronic media containing EPHI moving into,
out of and within its facilities.
Policy:
1. EPHI located on SHC information systems or electronic media must
be protected against damage, theft, and unauthorized access. This
includes both EPHI received by SHC and created within SHC. EPHI
must be consistently protected and managed through its entire life cycle,
from origination to destruction.
2. Information systems and electronic media for which this policy
applies include, but are not limited to, computers (both desktop and
laptop), floppy disks, backup tapes, CD-ROMs, zip drives, portable hard
drives and PDAs.
3. All SHC electronic media that contains EPHI must be clearly marked
as confidential and should have a tracking number attached to it.
4. SHC must regularly conduct a formal, documented process that
ensures consistent control of all electronic media and information
systems containing EPHI that is created, sent, received or destroyed by
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
DEVICE AND MEDIA CONTROLS
SHC.
5. At least annually, SHC must conduct an organization-wide inventory
to identify all of its information systems and electronic media that contain
EPHI. Inventory results must be documented and stored in a secure
manner, e.g. on a computer with appropriate file access permissions or in
a locked drawer.
6. Access to information systems and electronic media containing EPHI
at SHC must be provided only to authorized SHC workforce members
who have a need for specific access in order to accomplish a legitimate
task.
7. SHC workforce members must not attempt to access, duplicate or
transmit electronic media containing EPHI for which they have not been
given appropriate authorization.
8. All SHC information systems and electronic media containing EPHI
must be located and stored in secure environments that are protected by
appropriate security barriers and entry controls. The level of these
controls should be commensurate with identified risks to the electronic
media and information systems.
9. As defined in SHC’s Disposal policy, all information systems and
electronic media containing EPHI must be disposed of securely and
safely when no longer required.
10. As defined in SHC’s Media Re-use policy, all EPHI on SHC
information systems and electronic media must be carefully removed
before the media or information systems are made available for re-use.
11. As defined in SHC’s Accountability policy, all information systems
and electronic media containing EPHI that are received or removed from
SHC or move within its facilities must be appropriately tracked and
logged.
12. As defined in SHC’s Data Backup and Storage policy, backup
copies of all EPHI located on SHC information systems or electronic
media must be regularly made and stored securely.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Physical Safeguards
Page 2 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
DEVICE AND MEDIA CONTROLS
Category:
Regulatory Type:
Standard
Regulatory
Reference:
45 CFR 164.310(d)(1)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Authorize means to grant authority or permission to.
Risk means the likelihood that a specific threat will exploit a certain
vulnerability, and the resulting impact of that event.
Page 3 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
DEVICE AND MEDIA CONTROLS
Access means the ability or the means necessary to read, write, modify, or
communicate data or otherwise use any system.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Disposal
Media Re-use
Accountability
Data Backup and Storage
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 4 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
Related documents
P37-DISPSL
P37-DISPSL
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
POLICY # 24 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 24 ADMINISTRATIVE MANUAL APPROVED BY:
P5-ISAREV
P5-ISAREV
POLICY # 32 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 32 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 30 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 30 ADMINISTRATIVE MANUAL APPROVED BY:
53. policies and procedures for security
53. policies and procedures for security
Download