HIPAA - Accountability 164.310(d)(2)(iii)
Overview:
Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
Action Items:
1) Obtain and review policies and procedures related to device and media accountability. Evaluate the content relative to the specified performance criteria regarding tracking the location of electronic media and hardware (including entity-owned and personally-owned electronic/mobile devices and media containing, or with access to, EPHI) and maintaining records of movements of, and individual(s) responsible for, hardware and electronic media that have access to or contain EPHI. Elements to review may include but are not limited to:
- Workforce members’ roles and responsibilities in the device and media accountability process
- How records of movements of electronic media and hardware are maintained
- The process of reviewing and certifying movements of hardware and electronic media records
- The types of hardware and electronic media that will be tracked in the device and media accountability process
2) Obtain and review documentation demonstrating a record of movements of hardware and electronic media and person responsible therefore. Evaluate and determine if media and hardware (including entity-owned and personally owned electronic/mobile devices and media) are tracked, recorded, and certified by appropriate personnel.
Related Documents:
1) Policies and procedures related to device and media accountability.
2) Documentation demonstrating a record of movements of hardware and electronic media and person responsible therefore.
Additional Guidance:
Since this is an addressable specification, each covered entity must determine if and how it should be implemented for their organization. If a covered entity’s hardware and media containing EPHI are moved from one location to another, a record should be maintained as documentation of the move.
Portable workstations and media present a special accountability challenge. Portable technology is getting smaller and less expensive, and has an increased capacity to store large quantities of data. As a result, it is becoming more prevalent in the health care industry, making accountability even more important and challenging.
Some questions covered entities may want to address when implementing the accountability specification include the following:
- Is a process implemented for maintaining a record of the movements of, and person(s) responsible for, hardware and electronic media containing EPHI?
- Have all types of hardware and electronic media that must be tracked been identified, such as hard drives, magnetic tapes or disks, optical disks or digital memory cards?
- If there are multiple devices of the same type, is there a way to identify individual devices and log or record them separately, such as serial numbers or other tracking mechanisms?