(2) Implementation specifications:
(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
Tell Me More:
The Media re-use implementation specification requires covered entities to implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. This media may include system hard drives, CDs, DVDs, magnetic tapes, USB drives, hard drives in copiers, floppy disks, and other media.
Each covered entity and business associate needs to clean ePHI from all media prior to re-using the media. Many of the same approaches used in disposing of media can also be used to clean media prior to re-use. Keep in mind that it may be acceptable to clean and re-use media within the covered entity; however, careful consideration should be given to whether media will be cleaned and then re-used outside the organization. In that case it is probably better simply to destroy the media. It is also a good idea to consider these questions in general and when performing a risk analysis:
- Are electronic media re-used? If so, the organization needs a written policy regarding when and how such media are reused.
- Is there a documented methodology to clean media prior to re-use? It may be necessary to obtain new software or hardware to clean the media.
- Have you tested the media to ensure that the methodology is adequate and that ePHI is not recoverable?
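One way to carry out the last check, as an added example that is not part of the original page: plant known marker records on a device image, run the cleaning step, then confirm the image reads back as the fill pattern and that no marker can be found. The marker strings, the 4 KiB in-memory "device", and the single-pass `overwrite` stand-in are constructed for the example; a real test would point `verify_sanitized` at the actual media.

```python
"""Test that a media-cleaning procedure left no recoverable test records.

Constructed example: the markers, the in-memory device and the overwrite
routine are stand-ins for the organisation's own media and cleaning tool.
"""

BLOCK = 512  # verify in 512-byte blocks, like disk sectors


def plant_markers(device: bytearray, markers: list[bytes]) -> None:
    """Write each test record at its own sector offset (constructed layout)."""
    for i, marker in enumerate(markers):
        off = i * BLOCK
        device[off:off + len(marker)] = marker


def overwrite(device: bytearray, fill: int = 0x00) -> None:
    """Single-pass fixed-byte overwrite; stands in for the site's cleaning tool."""
    device[:] = bytes([fill]) * len(device)


def verify_sanitized(device: bytes, markers: list[bytes], fill: int = 0x00) -> dict:
    """Report whether every block equals the fill byte and which markers survive.

    Returns {"clean": bool, "bad_blocks": [offsets], "survivors": [markers]}.
    """
    expected = bytes([fill]) * BLOCK
    bad_blocks = [
        off for off in range(0, len(device), BLOCK)
        if device[off:off + BLOCK] != expected[: len(device) - off]
    ]
    survivors = [m for m in markers if m in device]
    return {"clean": not bad_blocks and not survivors,
            "bad_blocks": bad_blocks, "survivors": survivors}


def run_test(markers: list[bytes], size: int = 4096) -> tuple[dict, dict]:
    """Plant markers, verify (expect failure), clean, verify again (expect clean)."""
    device = bytearray(size)
    plant_markers(device, markers)
    before = verify_sanitized(bytes(device), markers)
    overwrite(device)
    after = verify_sanitized(bytes(device), markers)
    return before, after


if __name__ == "__main__":
    # Constructed test records; no real patient data.
    test_markers = [b"PATIENT:DOE,JANE;MRN:TEST-0001", b"DOB:1970-01-01;DX:TEST"]
    before, after = run_test(test_markers)
    print("before cleaning:", before)
    print("after cleaning: ", after)
```

Keep the report with the documented methodology as evidence that the test was performed; a `clean` result on one device is a test of the procedure, not a substitute for running it on each unit before re-use.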