(2) Implementation specifications:
(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
Tell Me More:
For the Accountability implementation specification, covered entities and business associates must address how to maintain a record of the movements of hardware and electronic media.
In order to control access to ePHI, it is necessary to consider documenting the location of the information. Toward that end, it is recommended that each covered entity and business associate create an inventory of hardware and electronic media containing ePHI, including mobile devices such as PDAs and cellphones. That inventory should detail the location of and the person responsible for the hardware and electronic media. The inventory should be updated when the location or person changes.
Questions to consider:
- Does the organization have an inventory of all hardware and electronic media containing ePHI?
- Does the inventory indicate the location of and person responsible for the hardware and media?
- Is the log kept up to date, such that the movements and current locations of the hardware and media are recorded?