Storage Best Practices
General
- Physical access controls, such as locked facilities and visual monitoring
- Intrusion detection and alarm systems
- Environmental controls, fire detection and suppression systems
- Appropriate security for electronic data, such as encryption, authentication and passwords
- Redundant infrastructure for data centers
- Duplicate copies of data for disaster recovery purposes
- Data integrity checks to detect file corruption
- Dedicated resources to monitor protection systems
- Special management of archived data and disaster recovery
Migration to EHR
- Centralized location or vendor for storage of physical records and conversion services
- Centralized location has appropriate technology, access controls and encryption protocols in place
- Full disaster recovery backup of all records at separate location
Information Destruction
- Retention schedules that encompass federal and state requirements
- Consistent information disposal policies and procedures
- Proof of employee training, ongoing communications, enforcement and program monitoring
- Secure shredding for paper and other hardcopy media
- Audit trail and documentation that both physical and electronic materials have been destroyed to a nonrecoverable form
- Secure chain of custody if information is transported for destruction
- Secure destruction of electronic records in accordance with retention policies
Employee Best Practices
- Screening of all employees using comprehensive background checks
- Training employees to properly handle Protected Health Information
- Documenting and monitoring workflows
- Ensuring that employees access only the minimum information necessary to complete a specific job or task
Access Controls
General
- Accurate inventory of Protected Health Information and who can access it
- Policy of accessing and retrieving only the minimum information needed to perform a specific job or task
- Written protocols, distributed to all relevant workers, for handling Protected Health Information
Electronic Access
- Designate a person or department to authorize and supervise password assignments
- Passwords that combine upper and lower case letters, special characters and numbers
- Policy for changing passwords frequently (at least every 90 days) and keeping them in a secure location
- Use of login timeouts to avoid leaving live screens unattended
- Locking of user accounts after too many failed login attempts
- Deactivate login credentials for terminated employees
Contingency Planning
General
- A formal risk analysis for securing digitally stored information
- An adequate and reasonable disaster recovery plan that addresses the risks
- Policies and procedures for backup, storage and recovery
- Secure archiving of backup records offsite
- Separation of primary and backup data in geographically dispersed data centers
- Avoiding use of the same infrastructure for primary and backup sites
- Establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) that meet service level and budget considerations for your organization
- “Full deployment” testing at least once a year, covering disaster recovery plans, processes, people and infrastructure
Variable Resource Loads
- Evaluation of the resource load required to meet various disaster recovery situations
- Planning for “worst-case” requirements
- Engagement of an outside vendor to manage disaster recovery if needed, to ensure resource availability
Transportation/Transmission Best Practices
Physical Security
- Securing information before transport
- Ensuring that no damage occurs during transport
- Packaging of loose materials and fragile items in a secure manner
- Use of opaque wrapping when transporting medical records to protect Protected Health Information
- Encryption of removable media, such as tapes, prior to transport
- Loading and locking of tapes in a container before an exchange takes place
- Avoiding use of obvious lock combinations such as ‘000’ or ‘123’
Vehicle Security
- Vehicle security and vehicle process controls
- Driver screening and background checks
- Standard operating procedures to prevent common vehicle-related errors
Chain of Custody
- Fully documented chain of custody for all patient information that is moved
- Tracking of specific activities of handling, including who handles information and when
- Verifying condition of material at departure and arrival
- Audit trail maintained and available for review
Transmission of Electronic Protected Health Information
- Public key encryption for mutual authentication
- To avoid breach notification requirements, implement encryption in accordance with NIST Special Publication 800-111, using at least 128-bit AES
- Appropriate security procedures to protect your encryption keys