Risk Analysis

Administrative Safeguard

A1 – §164.308(a)(1)(i) Standard Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its Electronic Protected Health Information (ePHI)?

A2 – §164.308(a)(1)(i) Standard Does your practice have a process for periodically reviewing its risk analysis policies and procedures and making updates as necessary?

A3 – §164.308(a)(1)(ii)(A) Required Does your practice categorize its information systems based on the potential impact to your practice should they become unavailable?

A4 – §164.308(a)(1)(ii)(A) Required Does your practice periodically complete an accurate and thorough risk analysis, such as upon occurrence of a significant event or change in your business organization or environment?

A5 – §164.308(a)(1)(ii)(B) Required Does your practice have a formal documented program to mitigate the threats and vulnerabilities to ePHI identified through the risk analysis?

A6 – §164.308(a)(1)(ii)(B) Required Does your practice assure that its risk management program prevents the impermissible use and disclosure of ePHI?

A7 – §164.308(a)(1)(ii)(B) Required Does your practice document the results of its risk analysis and assure the results are distributed to appropriate members of the workforce who are responsible for mitigating the threats and vulnerabilities to ePHI identified through the risk analysis?

A8 – §164.308(a)(1)(ii)(B) Required Does your practice formally document a security plan?

A9 – §164.308(a)(1)(ii)(C) Required Does your practice have a formal and documented process or regular human resources policy to discipline workforce members who have access to your organization’s ePHI if they are found to have violated the office’s policies to prevent system misuse, abuse, and any harmful activities that involve your practice’s ePHI?

A10 – §164.308(a)(1)(ii)(C) Required Does your practice include its sanction policies and procedures as part of its security awareness and training program for all workforce members?

A11 – §164.308(a)(1)(ii)(D) Required Does your practice have policies and procedures for the review of information system activity?

A12 – §164.308(a)(1)(ii)(D) Required Does your practice regularly review information system activity?

A13 – §164.308(a)(2) Required Does your practice have a senior-level person whose job it is to develop and implement security policies and procedures or act as a security point of contact?

A14 – §164.308(a)(2) Required Is your practice’s security point of contact qualified to assess its security protections as well as serve as the point of contact for security policies, procedures, monitoring, and training?

A15 – §164.308(a)(2) Required Does your practice have a job description for its security point of contact that includes that person’s duties, authority, and accountability?

A16 – §164.308(a)(2) Required Does your practice make sure that its workforce members and others with authorized access to your ePHI know the name and contact information for its security point of contact and know to contact this person if there are any security problems?

A17 – §164.308(a)(3)(i) Required Does your practice have a list that includes all members of its workforce, the roles assigned to each, and the corresponding access that each role enables for your practice’s facilities, information systems, electronic devices, and ePHI?

A18 – §164.308(a)(3)(i) Required Does your practice know all business associates and the access that each requires for your practice’s facilities, information systems, electronic devices, and ePHI?

A19 – §164.308(a)(3)(i) Required Does your practice clearly define roles and responsibilities along logical lines and assure that no one person has too much authority for determining who can access your practice’s facilities, information systems, and ePHI?

A20 – §164.308(a)(3)(i) Required Does your practice have policies and procedures that make sure those who need access to ePHI have access and those who do not are denied such access?

A21 – §164.308(a)(3)(i) Required Has your practice chosen someone whose job duty is to decide who can access ePHI (and under what conditions) and to create ePHI access rules that others can follow?

A22 – §164.308(a)(3)(ii)(A) Addressable Does your practice define roles and job duties for all job functions and keep written job descriptions that clearly set forth the qualifications?

A23 – §164.308(a)(3)(ii)(A) Addressable Does your practice have policies and procedures for access authorization that support segregation of duties?

A24 – §164.308(a)(3)(ii)(A) Addressable Does your practice implement procedures for authorizing users and changing authorization permissions?

A25 – §164.308(a)(3)(ii)(A) Addressable Do your practice’s policies and procedures for access authorization address the needs of those who are not members of its workforce?

A26 – §164.308(a)(3)(ii)(B) Addressable Does your organization have policies and procedures that authorize members of your workforce to have access to ePHI and describe the types of access that are permitted?

A27 – §164.308(a)(3)(ii)(B) Addressable Do your practice’s policies and procedures require screening workforce members prior to enabling access to its facilities, information systems, and ePHI to verify that users are trustworthy?

A28 – §164.308(a)(3)(ii)(C) Addressable Does your practice have policies and procedures for terminating authorized access to its facilities, information systems, and ePHI once the need for access no longer exists?

A29 – §164.308(a)(3)(ii)(C) Addressable Does your practice have formal policies and procedures to support when a workforce member’s employment is terminated and/or a relationship with a business associate is terminated?

A30 – §164.308(a)(4)(i) Standard Do your practice’s policies and procedures describe the methods it uses to limit access to its ePHI?

A31 – §164.308(a)(4)(ii)(B) Does your practice have policies and procedures that explain how it grants access to ePHI to its workforce members and to other entities (business associates)?

A32 – §164.308(a)(4)(ii)(C) Addressable Do the roles and responsibilities assigned to your practice’s workforce members support and enforce segregation of duties?

A33 – §164.308(a)(4)(ii)(C) Addressable Do your practice’s policies and procedures explain how your practice assigns user authorizations (privileges), including the access that is permitted?

A34 – §164.308(a)(5)(i) Standard Does your practice have a training program that makes each individual with access to ePHI aware of security measures to reduce the risk of improper access, uses, and disclosures?

A35 – §164.308(a)(5)(i) Standard Does your practice periodically review and update its security awareness and training program in response to changes in your organization, facilities or environment?

A36 – §164.308(a)(5)(i) Standard Does your practice provide ongoing basic security awareness to all workforce members, including physicians?

A37 – §164.308(a)(5)(i) Standard Does your practice provide role-based training to all new workforce members?

A38 – §164.308(a)(5)(i) Standard Does your practice keep records that detail when each workforce member satisfactorily completed periodic training?

A39 – §164.308(a)(5)(ii)(A) Addressable As part of your practice’s ongoing security awareness activities, does your practice prepare and communicate periodic security reminders to communicate about new or important issues?

A40 – §164.308(a)(5)(ii)(B) Addressable Does your practice’s awareness and training content include information about the importance of implementing software patches and updating antivirus software when requested?

A41 – §164.308(a)(5)(ii)(B) Addressable Does your practice’s awareness and training content include information about how malware can get into your systems?

A42 – §164.308(a)(5)(ii)(C) Addressable Does your practice include log-in monitoring as part of its awareness and training programs?

A43 – §164.308(a)(5)(ii)(D) Addressable Does your practice include password management as part of its awareness and training programs?

A44 – §164.308(a)(6)(i) Standard Does your practice have policies and procedures designed to help prevent, detect and respond to security incidents?

A45 – §164.308(a)(6)(ii) Required Does your practice have incident response policies and procedures that assign roles and responsibilities for incident response?

A46 – §164.308(a)(6)(ii) Required Does your practice identify members of its incident response team and assure workforce members are trained and that incident response plans are tested?

A47 – §164.308(a)(6)(ii) Required Does your practice’s incident response plan align with its emergency operations and contingency plan, especially when it comes to prioritizing system recovery actions or events to restore key processes, systems, applications, electronic devices and media, and information (such as ePHI)?

A48 – §164.308(a)(6)(ii) Required Does your practice implement the information system’s security protection tools to protect against malware?

A49 – §164.308(a)(7)(i) Standard Does your practice know what critical services and ePHI it must have available to support decision making about a patient’s treatment during an emergency?

A50 – §164.308(a)(7)(i) Standard Does your practice consider how natural or man-made disasters could damage its information systems or prevent access to ePHI and develop policies and procedures for responding to such a situation?

A51 – §164.308(a)(7)(i) Standard Does your practice regularly review/update its contingency plan as appropriate?

A52 – §164.308(a)(7)(ii)(A) Required Does your practice have policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster?

A53 – §164.308(a)(7)(ii)(B) Required Does your practice have policies and procedures for contingency plans to provide access to ePHI to continue operations after a natural or human-made disaster?

A54 – §164.308(a)(7)(ii)(C) Required Does your practice have an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation?

A55 – §164.308(a)(7)(ii)(D) Addressable Does your practice have policies and procedures for testing its contingency plans on a periodic basis?

A56 – §164.308(a)(7)(ii)(E) Addressable Does your practice implement procedures for identifying and assessing the criticality of its information system applications and the storage of data containing ePHI that would be accessed through the implementation of its contingency plans?

A57 – §164.308(a)(8) Standard Does your practice maintain and implement policies and procedures for assessing risk to ePHI and engaging in a periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of your practice’s ePHI?

A58 – §164.308(a)(8) Standard Does your practice periodically monitor its physical environment, business operations, and information system to gauge the effectiveness of security safeguards?

A59 – §164.308(a)(8) Standard Does your practice identify the role responsible and accountable for assessing risk and engaging in ongoing evaluation, monitoring, and reporting?

A60 – §164.308(b)(1) Standard Does your practice identify the role responsible and accountable for making sure that business associate agreements are in place before your practice enables a service provider to begin to create, access, store or transmit ePHI on your behalf?

A61 – §164.308(b)(1) Standard Does your practice maintain a list of all of its service providers, indicating which have access to your practice’s facilities, information systems and ePHI?

A62 – §164.308(b)(1) Standard Does your practice have policies and implement procedures to assure it obtains business associate agreements?

A63 – §164.308(b)(2) Required If your practice is the business associate of another covered entity and your practice has subcontractors performing activities to help carry out the activities that you have agreed to carry out for the other covered entity that involve ePHI, does your practice require these subcontractors to provide satisfactory assurances for the protection of the ePHI?

A64 – §164.308(b)(3) Required Does your practice execute business associate agreements when it has a contractor creating, transmitting or storing ePHI?

O1 – §164.314(a)(1)(i) Standard Does your practice assure that its business associate agreements include satisfactory assurances for safeguarding ePHI?

O2 – §164.314(a)(2)(i) Required Do the terms and conditions of your practice’s business associate agreements state that the business associate will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the practice and timely report security incidents to your practice?

O3 – §164.314(a)(2)(iii) Required If your practice is the business associate of a covered entity do the terms and conditions of your practice’s business associate agreements state that your subcontractor (business associate) will implement appropriate security safeguards to protect the privacy, confidentiality, integrity, and availability of ePHI that it collects, creates, maintains, or transmits on behalf of the covered entity?

PO1 – §164.316(a) Standard Do your practice’s processes enable the development and maintenance of policies and procedures that implement risk analysis, informed risk-based decision making for security risk mitigation, and effective mitigation and monitoring that protects the privacy, confidentiality, integrity, and availability of ePHI?

PO2 – §164.316(b)(1)(i) Standard Does your practice assure that its policies and procedures are maintained in a manner consistent with other business records?

PO3 – §164.316(b)(1)(ii) Standard Does your practice assure that its other security program documentation is maintained in written manuals or in electronic form?

PO4 – §164.316(b)(2)(i) Required Does your practice assure that its policies, procedures, and other security program documentation are retained for at least six (6) years from the date when it was created or last in effect, whichever is longer?

PO5 – §164.316(b)(2)(ii) Required Does your practice assure that its policies, procedures and other security program documentation are available to those who need it to perform the responsibilities associated with their role?

PO6 – §164.316(b)(2)(iii) Required Does your practice assure that it periodically reviews and updates (when needed) its policies, procedures, and other security program documentation?

Security Safeguards

T1 – §164.312(a)(1) Standard Does your practice have policies and procedures requiring safeguards to limit access to ePHI to those persons and software programs appropriate for their role?

T2 – §164.312(a)(1) Standard Does your practice have policies and procedures to grant access to ePHI based on the person or software programs appropriate for their role?

T3 – §164.312(a)(1) Standard Does your practice analyze the activities performed by all of its workforce and service providers to identify the extent to which each needs access to ePHI?

T4 – §164.312(a)(1) Standard Does your practice identify the security settings for each of its information systems and electronic devices that control access?

T5 – §164.312(a)(2)(i) Required Does your practice have policies and procedures for the assignment of a unique identifier for each authorized user?

T6 – §164.312(a)(2)(i) Required Does your practice require that each user enter a unique user identifier prior to obtaining access to ePHI?

T7 – §164.312(a)(2)(ii) Required Does your practice have policies and procedures to enable access to ePHI in the event of an emergency?

T8 – §164.312(a)(2)(ii) Required Does your practice define what constitutes an emergency and identify the various types of emergencies that are likely to occur?

T9 – §164.312(a)(2)(ii) Required Does your practice have policies and procedures for creating an exact copy of ePHI as a backup?

T10 – §164.312(a)(2)(ii) Required Does your practice back up ePHI by saving an exact copy to a magnetic disk/tape or a virtual storage, such as a cloud environment?

T11 – §164.312(a)(2)(ii) Required Does your practice have backup information systems so that it can access ePHI in the event of an emergency or when your practice’s primary systems become unavailable?

T12 – §164.312(a)(2)(ii) Required Does your practice have the capability to activate emergency access to its information systems in the event of a disaster?

T13 – §164.312(a)(2)(ii) Required Does your practice have policies and procedures to identify the role of the individual accountable for activating emergency access settings when necessary?

T14 – §164.312(a)(2)(ii) Required Does your practice designate a workforce member who can activate the emergency access settings for your information systems?

T15 – §164.312(a)(2)(ii) Required Does your practice test access when evaluating its ability to continue accessing ePHI and other health records during an emergency?

T16 – §164.312(a)(2)(ii) Required Does your practice effectively recover from an emergency and resume normal operations and access to ePHI?

T17 – §164.312(a)(2)(ii) Addressable Does your practice have policies and procedures that require an authorized user’s session to be automatically logged off after a predetermined period of inactivity?

T18 – §164.312(a)(2)(ii) Addressable Does a responsible person in your practice know the automatic logoff settings for its information systems and electronic devices?

T19 – §164.312(a)(2)(ii) Addressable Does your practice activate an automatic logoff that terminates an electronic session after a predetermined period of user inactivity?

T20 – §164.312(a)(2)(iv) Addressable Does your practice have policies and procedures for implementing mechanisms that can encrypt and decrypt ePHI?

T21 – §164.312(a)(2)(iv) Addressable Does your practice know the encryption capabilities of its information systems and electronic devices?

T22 – §164.312(a)(2)(iv) Addressable Does your practice control access to ePHI and other health information by using encryption/decryption methods to deny access to unauthorized users?

T23 – §164.312(b) Standard Does your practice have policies and procedures identifying hardware, software, or procedural mechanisms that record or examine information systems activities?

T24 – §164.312(b) Standard Does your practice identify its activities that create, store, and transmit ePHI and the information systems that support these business processes?

T25 – §164.312(b) Standard Does your practice categorize its activities and information systems that create, transmit or store ePHI as high, moderate or low risk based on its risk analyses?

T26 – §164.312(b) Standard Does your practice use the evaluation from its risk analysis to help determine the frequency and scope of its audits, when identifying the activities that will be tracked?

T27 – §164.312(b) Standard Does your practice have audit control mechanisms that can monitor, record and/or examine information system activity?

T28 – §164.312(b) Standard Does your practice have policies and procedures for creating, retaining, and distributing audit reports to appropriate workforce members for review?

T29 – §164.312(b) Standard Does your practice generate the audit reports and distribute them to the appropriate people for review?

T30 – §164.312(b) Standard Does your practice have policies and procedures establishing retention requirements for audit purposes?

T31 – §164.312(b) Standard Does your practice retain copies of its audit/access records?

T32 – §164.312(c)(1) Standard Does your practice have policies and procedures for protecting ePHI from unauthorized modification or destruction?

T33 – §164.312(c)(2) Addressable Does your practice have mechanisms to corroborate that ePHI has not been altered, modified or destroyed in an unauthorized manner?

T34 – §164.312(d) Required Does your practice have policies and procedures for verifying that a person or entity seeking access to ePHI is the one claimed?

T35 – §164.312(d) Required Does your practice know the authentication capabilities of its information systems and electronic devices to assure that a uniquely identified user is the one claimed?

T36 – §164.312(d) Required Does your practice use the evaluation from its risk analysis to select the appropriate authentication mechanism?

T37 – §164.312(d) Required Does your practice protect the confidentiality of the documentation containing access control records (list of authorized users and passwords)?

T38 – §164.312(e)(1) Standard Does your practice have policies and procedures for guarding against unauthorized access of ePHI when it is transmitted on an electronic network?

T39 – §164.312(e)(1) Standard Does your practice implement safeguards to assure that ePHI is not accessed while en route to its intended recipient?

T40 – §164.312(e)(2)(i) Addressable Does your practice know what encryption capabilities are available to it for encrypting ePHI being transmitted from one point to another?

T41 – §164.312(e)(2)(i) Addressable Does your practice take steps to reduce the risk that ePHI can be intercepted or modified when it is being sent electronically?

T42 – §164.312(e)(2)(i) Addressable Does your practice implement encryption as the safeguard to assure that ePHI is not compromised when being transmitted from one point to another?

T44 – §164.312(e)(2)(ii) Addressable Does your practice have policies and procedures for encrypting ePHI when deemed reasonable and appropriate?

T45 – §164.312(e)(2)(ii) Addressable When analyzing risk, does your practice consider the value of encryption for assuring the integrity of ePHI, so that it is not accessed or modified when it is stored or transmitted?

The HIPAA Security Rule 164.308(a)(7)(i)

We can help! TechWorks Inc meets or beats the serious requirements under HIPAA security rule 164.308(a)(7)(i) as it relates to data backup and disaster recovery. This rule identifies Contingency Plan as a standard under Administrative Safeguards. Whether you are a medical group practice, clinic, outpatient facility or a long-term care facility, TechWorks Inc will help you stay compliant!

Data Backup Plan 164.308(a)(7)(ii)(A): “The objective of the data backup plan is to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information”.

– TechWorks Inc can provide you daily offsite backup.

Disaster Recovery Plan 164.308(a)(7)(ii)(B): “The objective of a disaster recovery plan is to establish (and implement as needed) procedures to restore any loss of data. A disaster recovery plan is the part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.”

– A healthy service provides two recovery options: 1) Onsite directly from the server and 2) Recovery from the TechWorks Inc Datacenter.

Testing & Revision Procedures 164.308(a)(7)(ii)(D): “The objective of testing and revision procedures is to implement procedures for periodic testing and revision of contingency plans.”

– With TechWorks Inc, customers can choose to perform test restores as frequently as their procedures require.

Data Backup and Storage 164.310(d)(2)(iv): “The covered entity must create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. Continual and consistent backup of data is required…”

– TechWorks Inc will provide AUTOMATED continual daily backups to help you cover this section.

Application & Data Criticality Analysis 164.308(a)(7)(ii)(E): “The objective of applications and data criticality analysis is to assess the relative criticality of specific applications and data in support of other contingency plan components… This procedure begins with an application and data inventory.”

– TechWorks Inc will provide daily backup status reports, and backup job detail reports. For more information on Health Information Privacy, please visit the U.S. Department of Health and Human Services.

Privacy Safeguards

PH1 – §164.310(a)(1) Standard Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?

PH2 – §164.310(a)(1) Standard Do you have policies and procedures for the physical protection of your facilities and equipment? This includes controlling the environment inside the facility.

PH3 – §164.310(a)(1) Standard Do you have policies and procedures for the physical protection of your facilities and equipment? This includes controlling the environment inside the facility.

PH4 – §164.310(a)(1) Standard Do you have physical protections in place to manage physical security risks, such as a) locks on doors and windows and b) cameras in nonpublic areas to monitor all entrances and exits?

PH5 – §164.310(a)(2)(i) Addressable Do you plan and coordinate physical (facilities) and technical (information systems, mobile devices, or workstations) security-related activities (such as testing) before doing such activities to reduce the impact on your practice assets and individuals?

PH6 – §164.310(a)(2)(i) Addressable Have you developed policies and procedures that plan for your workforce (and your information technology service provider or contracted information technology support) to gain access to your facility and its ePHI during a disaster?

PH7 – §164.310(a)(2)(i) Addressable If a disaster happens, does your practice have another way to get into your facility or offsite storage location to get your ePHI?

PH8 – §164.310(a)(2)(ii) Addressable Do you have policies and procedures for the protection of keys, combinations, and similar physical access controls?

PH9 – §164.310(a)(2)(ii) Addressable Do you have policies and procedures governing when to re-key locks or change combinations when, for example, a key is lost, a combination is compromised, or a workforce member is transferred or terminated?

PH10 – §164.310(a)(2)(ii) Addressable Do you have a written facility security plan?

PH11 – §164.310(a)(2)(ii) Addressable Do you take the steps necessary to implement your facility security plan?

PH12 – §164.310(a)(2)(iii) Addressable Do you have a Facility User Access List of workforce members, business associates, and others who are authorized to access your facilities where ePHI and related information systems are located?

PH13 – §164.310(a)(2)(iii) Addressable Do you periodically review and approve a Facility User Access List and authorization privileges, removing from the Access List personnel no longer requiring access?

PH14 – §164.310(a)(2)(iii) Addressable Does your practice have procedures to control and validate someone’s access to your facilities based on that person’s role or job duties?

PH15 – §164.310(a)(2)(iii) Addressable Do you have procedures to create, maintain, and keep a log of who accesses your facilities (including visitors), when the access occurred, and the reason for the access?

PH16 – §164.310(a)(2)(iii) Addressable Has your practice determined whether monitoring equipment is needed to enforce your facility access control policies and procedures?

PH17 – §164.310(a)(2)(iv) Addressable Do you have maintenance records that include the history of physical changes, upgrades, and other modifications for your facilities and the rooms where information systems and ePHI are kept?

PH18 – §164.310(a)(2)(iv) Addressable Do you have a process to document the repairs and modifications made to the physical security features that protect the facility, administrative offices, and treatment areas?

PH19 – §164.310(b) Standard Does your practice keep an inventory and a location record of all of its workstation devices?

PH20 – §164.310(b) Standard Has your practice developed and implemented workstation use policies and procedures?

PH21 – §164.310(b) Standard Has your practice documented how staff, employees, workforce members, and non-employees access your workstations?

PH22 – §164.310(c) Standard Does your practice have policies and procedures that describe how to prevent unauthorized access of unattended workstations?

PH23 – §164.310(c) Standard Does your practice have policies and procedures that describe how to position workstations to limit the ability of unauthorized individuals to view ePHI?

PH24 – §164.310(c) Standard Have you put any of your practice’s workstations in public areas?

PH25 – §164.310(c) Standard Does your practice use laptops and tablets as workstations? If so, does your practice have specific policies and procedures to safeguard these workstations?

PH26 – §164.310(c) Standard Does your practice have physical protections in place to secure your workstations?

PH27 – §164.310(c) Standard Do you regularly review your workstations’ locations to see which areas are more vulnerable to unauthorized use, theft, or viewing of the data?

PH28 – §164.310(c) Standard Does your practice have physical protections and other security measures to reduce the chance for inappropriate access of ePHI through workstations? This could include using locked doors, screen barriers, cameras, and guards.

PH29 – §164.310(c) Standard Do your policies and procedures set standards for workstations that are allowed to be used outside of your facility?

PH30 – §164.310(d)(1) Standard Does your practice have security policies and procedures to physically protect and securely store electronic devices and media inside your facility(ies) until they can be securely disposed of or destroyed?

PH31 – §164.310(d)(1) Standard Do you remove or destroy ePHI from information technology devices and media prior to disposal of the device?

PH32 – §164.310(d)(1) Standard Do you maintain records of the movement of electronic devices and media inside your facility?

PH33 – §164.310(d)(1) Standard Have you developed and implemented policies and procedures that specify how your practice should dispose of electronic devices and media containing ePHI?

PH34 – §164.310(d)(2)(i) Required Do you require that all ePHI is removed from equipment and media before you remove the equipment or media from your facilities for offsite maintenance or disposal?

PH35 – §164.310(d)(2)(ii) Required Do you have procedures that describe how your practice should remove ePHI from its storage media/ electronic devices before the media is re-used?

PH36 – §164.310(d)(2)(iii) Addressable Does your practice maintain a record of movements of hardware and media and the person responsible for the use and security of the devices or media containing ePHI outside the facility?

PH37 – §164.310(d)(2)(iii) Addressable Do you maintain records of employees removing electronic devices and media from your facility that have or can be used to access ePHI?

PH38 – §164.310(d)(2)(iv) Addressable Does your organization create backup files prior to the movement of equipment or media to ensure that data is available when it is needed?