Device and Media Controls
Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Device and Media Controls
Policy Number: IS-12 (Physical Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Policy and Privacy Services Officer
Applicability
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
I. Purpose
To set forth the Policy governing the receipt, disposal, storage, and re-use of all Electronic Media containing electronic protected health information (e-PHI) into and out of Drexel University (DU) and within DU. Electronic Media includes, but is not limited to, any electronic computing device such as a laptop or desk computer, and other mobile devices used to store e-PHI, as well as diskettes, compact disks, DVDs and tapes.
II. Policy
The Security Officer and all individual users are responsible for safeguarding the security and integrity of data stored on Electronic Media, whether in use or during transit, storage, re-use or after disposal. This includes protection from unauthorized access, intrusion, heat, magnetic fields, physical damage and other similar threats.
DU maintains a comprehensive device and media control program, which is coordinated by DU IT. Departments are responsible for notifying DU IT of all equipment and software purchases. Any removal of equipment or software from the Department’s inventory must also be communicated to DU IT. Documentation of device and media controls for DU includes:
- identification of the DU personnel responsible to assure that e-PHI, as well as the hardware or electronic media on which it is stored, is properly destroyed and cannot be recreated;
- identification of the DU personnel responsible to assure that PHI is removed from reusable media before it is used to record new information; and
- a description of the method used to record the movement and storage of hardware and electronic media into and out of DU. This includes assigning a Workforce Member with responsibility for documenting the receipt or removal of the hardware and electronic media so that the location of both is known at all times, and the action or event is traceable to that Workforce Member.
III. Procedure
- Device and Media Accountability
DU has instituted an Asset Inventory Management Process in order to record the movement of hardware and Electronic Media into, out of, and within the organization. Every device or medium known to house e-PHI is identified with a unique tracking number.
- Data Backup and Storage
DU's Security Officer or his/her designee may choose to make an exact, retrievable electronic copy of the data prior to completing the sanitizing or transfer process. This may also be done at the request of a specific business user. Creation of an exact, retrievable copy may also be a component of DU's Contingency Plan.
- Device and Media Reuse
DU's Data Stewards shall notify the Security Officer and request that he/she help to assure that all devices and media equipment are sanitized prior to reuse.
- Device and Media Disposal
- DU's Security Officer, or his/her designee, upon notification and request, is responsible for retrieval and proper disposal of all devices and media containing sensitive DU data and/or e-PHI. All devices and media equipment, including storage media, personal computers and other hardware containing sensitive information or e-PHI, are sanitized prior to disposal.
- Data Stewards or another representative of the department must notify DU IT of their plans to dispose of any electronic equipment or software. DU IT will assist in the removal and sanitization of the equipment.
- The method of destruction used, together with the date and the signature of the individual who conducted the process, will be logged either manually or automatically in the inventory library in accordance with DU policy.
IV. References
45 CFR §§ 164.310 (d)(1)(2); 164.530(c)