HIPAA Data Security Safeguards
White Paper | OCTOBER 2020
There are five HIPAA Security Rule (45 C.F.R.) safeguards in which organizations may be found negligent during a breach, complaint or audit:
3. HIPAA Security Rule
45 C.F.R. 164.308(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(1), 164.310(d)(2)


Administrative Safeguard - Security Management Process (Risk Management functions)
Physical Safeguard - Facility Access Controls
Physical Safeguard - Device and Media Controls
NIST SP 800-52 MP-6
Assets are formally managed throughout removal, transfers and disposition

The TechR2 Tear-A-Byte process meets these requirements and ensures that proper policies, procedures and processes are in place to provide accountability for the disposal of electronic PHI.

4. HIPAA Security Rule
45 C.F.R. 164.310(d)(2)(i), 164.310(d)(2)(ii)

Policy and regulations regarding the physical operating environment for organizational assets are met

TechR2 Tear-A-Byte takes on the burden of managing the associated documentation required to demonstrate the proper disposal of electronic PHI.


5. HIPAA Security Rule
45 C.F.R. 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.316(b)(2)(iii)

Data is destroyed according to policy
1. HIPAA Security Rule
45 C.F.R. 164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(d)

Administrative Safeguard - Security Management Process (Risk Management functions)


Physical devices and systems within the organization are inventoried

TechR2 supports these safeguard requirements through the Tear-A-Byte process which inventories data center assets. Data centers are typically the central repository of electronic medical record databases and provide access to large quantities of protected health information.

2. HIPAA Security Rule
45 C.F.R. 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)

Administrative Safeguard - Security Management Process (Risk Management functions)
Physical Safeguard - Facility Access Controls
Physical Safeguard - Device and Media Controls

Physical devices and systems within the organization are inventoried


The Tear-A-Byte process supports these functions through inventory management and tracking service capabilities, ensuring that inventoried equipment does not leave the designated location in an unauthorized manner. This in turn supports Risk Management requirements by providing assurance to leadership that large amounts of Personal Health Information (PHI) are not being removed from designated locations. Additionally, it addresses the requirement for the proper disposal of electronic PHI and establishes accountability for hardware and electronic media.