(2) Implementation specifications:

(iii) Accountability (Addressable).  Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

Tell Me More:

For the Accountability implementation specification, covered entities and business associates must address how to maintain a record of the movements of hardware and electronic media.

In order to control access to ePHI, it is necessary to consider documenting the location of the information. Toward that end, it is recommended that each covered entity and business associate create an inventory of hardware and electronic media containing ePHI, including mobile devices such as PDAs and cellphones. That inventory should detail the location of and the person responsible for the hardware and electronic media. The inventory should be updated when the location or person changes.

complete set of HIPAA Security Policies and Procedures may be purchased here.

Questions to consider:

  • Does the organization have an inventory of all hardware and electronic media containing ePHI?
  • Does the inventory indicate the location of and person responsible for the hardware and media?
  • Is the log kept up to date, such that the movements and current locations of the hardware and media are recorded?

References:

Series Navigation<< 164.308(b)(1) Administrative safeguards – Standard: Business associate contracts and other arrangements164.310 Physical safeguards >>