Workstation Security 45 CFR § 164.310(c) The placement of workstations and equipment should be considered when planning the office layout. Make sure you have identified all workstations, equipment, and devices that access or store ePHI. Equipment that has access to or stores ePHI should be in a protected area away from public traffic if possible or implement the use of a print code. For the portable devices that are in an area accessed by patients, they must be secured. Server rooms should be kept always locked, especially if they are located near an exit.
Device and Media Controls 45 CFR § 164.310(d)(1) Policies and procedures are required in this section to address the movement, disposal, or re-use of equipment that has contained ePHI. This includes disks, magnetic tapes and hard drives in computers, copiers, fax machines, or fax servers. This documentation must be stored for at least 6 years.
Disposal 45 CFR § 164.310(d)(2)(i) When the time comes to replace equipment, it must be disposed of properly to ensure ePHI cannot be retrieved. The method of destruction must be documented.
Media Re-use 45 CFR § 164.310(d)(2)(ii) Before any hardware, equipment, or device that has stored ePHI must be sanitized before it can be made available for re-use. The method of sanitation must be documented.
Accountability 45 CFR § 164.310(d)(2)(iii) If your organization has any devices including memory cards and optical disks that store ePHI, the movement of these in and out of the facility should be documented by whom and when.
Let Aris work with you for an easy online path to HIPAA compliance