FacebookTwitterLinkedInEmailPrint
This entry is part 5 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

(ii) Media re-use (Required).  Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

Tell Me More:

The Media re-use implementation specification requires covered entities to implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.  This media may include system hard drives, CDs, DVDs, magnetic tapes, USB drives, hard drives in copiers, floppy disks, and other media.

Each covered entity and business associate needs to clean ePHI from all media prior to re-using the media. Many of the same approaches used in disposing of media can also be used to clean media prior to re-use. Keep in mind that it may be acceptable to clean and re-use media within the covered entity; however, careful consideration should be given to whether or not media will be cleaned and then re-used outside the organization. It is probably better simply to destroy the media.   It is also a good idea to consider these questions in general and when performing a risk analysis:

  • Are electronic media re-used? If so, the organization needs a written policy regarding when and how such media are reused.
  • Is there a documented methodology to clean media prior to re-use? It may be necessary to obtain new software or hardware to clean the media.
  • Have you tested the media to ensure that the methodology is adequate and clean and that ePHI is not recoverable?

A complete set of HIPAA Security Policies and Procedures may be purchased here.

References:

Series Navigation<< 164.312 Technical safeguards164.310(d)(2)(iv) Standard: Device and media controls – Data backup and storage >>

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.
 
FacebookTwitterLinkedInEmailPrint