Storage Best Practices

General

  • Physical access controls, such as locked facilities and visual monitoring
  • Intrusion detection and alarm systems
  • Environmental controls, fire detection and suppression systems
  • Appropriate security for electronic data, such as encryption, authentication and passwords
  • Redundant infrastructure for data centers
  • Duplicate copies of data for disaster recovery purposes
  • Data integrity checks to detect file corruption
  • Dedicated resources to monitor protection systems
  • Special management of archived data and disaster recovery
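
The integrity-check item above is the one place in this list that reduces to code, so here is an added example of it (not part of the original page or any vendor's product): a SHA-256 manifest is written when an archive is created and checked again whenever the archive or its disaster-recovery copy is read back. File names and contents are constructed for the example, and the in-memory map stands in for files read from disk or tape.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps an archived file's name to the hex SHA-256 digest of its contents.
// It is written when the archive is created and kept apart from the archive media.
type Manifest map[string]string

// BuildManifest digests every file in the archive. files maps name to contents;
// a real job would read from disk or tape, the map keeps the example self-contained.
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for name, data := range files {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// VerifyManifest re-digests files and reports three kinds of problem:
// corrupted (digest mismatch), missing (in the manifest but not on media) and
// unexpected (on media but not in the manifest). Results are sorted for stable reports.
func VerifyManifest(m Manifest, files map[string][]byte) (corrupted, missing, unexpected []string) {
	for name, want := range m {
		data, ok := files[name]
		if !ok {
			missing = append(missing, name)
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			corrupted = append(corrupted, name)
		}
	}
	for name := range files {
		if _, ok := m[name]; !ok {
			unexpected = append(unexpected, name)
		}
	}
	sort.Strings(corrupted)
	sort.Strings(missing)
	sort.Strings(unexpected)
	return corrupted, missing, unexpected
}

func main() {
	// Constructed sample archive (hypothetical file names and contents).
	archive := map[string][]byte{
		"chart-1001.pdf": []byte("patient chart 1001"),
		"chart-1002.pdf": []byte("patient chart 1002"),
	}
	manifest := BuildManifest(archive)

	// Simulate a single changed byte in one file and a lost file on the restored copy.
	restored := map[string][]byte{
		"chart-1001.pdf": []byte("patient chart 1000"),
	}
	corrupted, missing, unexpected := VerifyManifest(manifest, restored)
	fmt.Println("corrupted:", corrupted, "missing:", missing, "unexpected:", unexpected)
}
```

A plain digest detects bit rot, a failed restore and a truncated copy. It does not by itself detect deliberate substitution, because whoever can rewrite the file can rewrite the manifest; for that the manifest must be stored on separate media under separate access control, or signed with a key the archive operators do not hold.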

Migration to EHR

  • Centralized location or vendor for storage of physical records and conversion services
  • Centralized location has appropriate technology, access controls and encryption protocols in place
  • Full disaster recovery backup of all records at separate location

Information Destruction

  • Retention schedules that encompass federal and state requirements
  • Consistent information disposal policies and procedures
  • Proof of employee training, ongoing communications, enforcement and program monitoring
  • Secure shredding for paper and other hardcopy media
  • Audit trail and documentation that both physical and electronic materials have been destroyed to a nonrecoverable form
  • Secure chain of custody if information is transported for destruction
  • Secure destruction of electronic records in accordance with retention policies

Employee Best Practices

  • Screening of all employees using comprehensive background checks
  • Training employees to properly handle Protected Health Information
  • Documenting and monitoring workflows
  • Ensuring that employees access only the minimum information necessary to complete a specific job or task

Access Controls

General

  • Accurate inventory of Protected Health Information and who can access it
  • Policy of accessing and retrieving only the minimum information needed to perform a specific job or task
  • Written protocols, distributed to all relevant workers, for handling Protected Health Information

Electronic Access

  • Designate a person or department to authorize and supervise password assignments
  • Passwords that combine upper and lower case letters, special characters and numbers, or, following current NIST SP 800-63B guidance, long passphrases screened against lists of known-breached passwords rather than composition rules alone
  • Policy for changing passwords, and for storing them securely (a password manager, never a note at the workstation); note that NIST SP 800-63B no longer recommends forced rotation on a fixed schedule such as every 90 days and instead calls for an immediate change when there is evidence of compromise
  • Use of login timeouts to avoid leaving live screens unattended
  • Locking of user accounts after too many failed login attempts
  • Deactivate login credentials for terminated employees the same day, including remote-access accounts and any shared credentials they knew, and review access rights when roles change
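
The login-timeout and lockout items above describe a policy rather than a mechanism; the following added example (not from the original page or any EHR vendor) shows one way to enforce it in an application's authentication layer. The thresholds (5 failures in 15 minutes, 30-minute lockout, 10-minute idle timeout) and the user name are assumptions for the example; the clock is injected so the policy can be exercised without waiting.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Thresholds are assumptions for the example; set them from your own policy.
const (
	maxFailures   = 5                // consecutive failures before lockout
	failureWindow = 15 * time.Minute // failures older than this no longer count
	lockoutPeriod = 30 * time.Minute // how long a locked account stays locked
	idleTimeout   = 10 * time.Minute // a session with no activity for this long is ended
)

type accountState struct {
	failures    []time.Time // timestamps of recent failed attempts
	lockedUntil time.Time   // zero value means not locked
}

// prune forgets failures that fall outside the counting window.
func (s *accountState) prune(now time.Time) {
	kept := s.failures[:0]
	for _, ts := range s.failures {
		if now.Sub(ts) <= failureWindow {
			kept = append(kept, ts)
		}
	}
	s.failures = kept
}

// Guard tracks failed logins per user. The clock is injectable so the policy can
// be tested without sleeping.
type Guard struct {
	mu       sync.Mutex
	accounts map[string]*accountState
	now      func() time.Time
}

func NewGuard(now func() time.Time) *Guard {
	return &Guard{accounts: make(map[string]*accountState), now: now}
}

func (g *Guard) state(user string) *accountState {
	st, ok := g.accounts[user]
	if !ok {
		st = &accountState{}
		g.accounts[user] = st
	}
	return st
}

// Allowed reports whether a login attempt for user may be processed at all.
// Call it before checking the password so a locked account never reaches the
// credential check. Unknown users get the same answer as unlocked known ones,
// so the lockout does not reveal which user names exist.
func (g *Guard) Allowed(user string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	return !g.now().Before(g.state(user).lockedUntil)
}

// RecordFailure notes a failed attempt and reports whether it triggered a lockout.
func (g *Guard) RecordFailure(user string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	now := g.now()
	st := g.state(user)
	st.prune(now)
	st.failures = append(st.failures, now)
	if len(st.failures) >= maxFailures {
		st.lockedUntil = now.Add(lockoutPeriod)
		st.failures = nil
		return true
	}
	return false
}

// RecordSuccess clears the failure history after a correct password.
func (g *Guard) RecordSuccess(user string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	g.state(user).failures = nil
}

// Session is a logged-in session; call Touch on every request.
type Session struct {
	User     string
	LastSeen time.Time
}

// Touch reports whether the session was still live at now and, if so, extends it.
// An idle session is not revived: the caller must require a fresh login.
func (s *Session) Touch(now time.Time) bool {
	if now.Sub(s.LastSeen) > idleTimeout {
		return false
	}
	s.LastSeen = now
	return true
}

func main() {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	g := NewGuard(func() time.Time { return clock })
	for i := 1; i <= maxFailures; i++ {
		locked := g.RecordFailure("jdoe") // "jdoe" is a constructed user name
		fmt.Printf("failure %d: locked=%v allowed=%v\n", i, locked, g.Allowed("jdoe"))
	}
	clock = clock.Add(lockoutPeriod + time.Minute)
	fmt.Println("after lockout period, allowed =", g.Allowed("jdoe"))
	s := &Session{User: "jdoe", LastSeen: clock}
	fmt.Println("request after 11 idle minutes accepted =", s.Touch(clock.Add(11*time.Minute)))
}
```

Two design points worth keeping when adapting this: the lockout check runs before the password check, so an attacker cannot keep guessing against a locked account, and the failure window expires old attempts so a user who mistypes once a week is never locked out by accumulated history.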

Contingency Planning

General

  • A formal risk analysis for securing digitally stored information
  • An adequate and reasonable disaster recovery plan that addresses the risks
  • Policies and procedures for backup, storage and recovery
  • Secure archiving of backup records offsite
  • Separation of primary and backup data in geographically dispersed data centers
  • Avoiding use of the same infrastructure for primary and backup sites
  • Establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) that meet service level and budget considerations for your organization
  • “Full deployment” testing at least once a year, covering disaster recovery plans, processes, people and infrastructure

Variable resource loads

  • Evaluation of the resource load required to meet various disaster recovery situations
  • Planning for “worst-case” requirements
  • Engagement of an outside vendor to manage disaster recovery if needed, to ensure resource availability

Transportation/Transmission Best Practices

Physical Security

  • Securing information before transport
  • Ensuring that no damage occurs during transport
  • Packaging of loose materials and fragile items in a secure manner
  • Use of opaque wrapping when transporting medical records to protect Protected Health Information
  • Encryption of removable media, such as tapes, prior to transport
  • Loading and locking of tapes in a container before an exchange takes place
  • Avoiding use of obvious lock combinations such as ‘000’ or ‘123’

Vehicle Security

  • Vehicle security and vehicle process controls
  • Driver screening and background checks
  • Standard operating procedures to prevent common vehicle-related errors

Chain of Custody

  • Fully documented chain of custody for all patient information that is moved
  • Tracking of specific activities of handling, including who handles information and when
  • Verifying condition of material at departure and arrival
  • Audit trail maintained and available for review

Transmission of Electronic Protected Health Information

  • Public key cryptography for mutual authentication of both endpoints before any PHI is sent (for example, mutually authenticated TLS, where client and server each present a certificate), so records are never transmitted to an unverified party
  • To qualify for the breach-notification safe harbor (PHI encrypted in line with HHS guidance is not “unsecured” PHI), use a FIPS-approved algorithm such as AES with at least a 128-bit key; HHS points to NIST Special Publication 800-111 for data at rest and to NIST SP 800-52 (TLS), 800-77 (IPsec VPN) or 800-113 (SSL VPN) for data in transit
  • Appropriate security procedures to protect your encryption keys: keys are stored and transported separately from the data they protect (never on the same tape or device), access to them is restricted and logged, and they are replaced when there is any sign of exposure
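
The encryption items in the Physical Security list (encrypting removable media such as tapes before transport) and in this list (AES with at least a 128-bit key, keys protected separately from the data) share one mechanism, so a single added example covers both. It is not code from the original page or from any vendor: it seals a record with AES-256-GCM under a key generated from the OS random source, binds a transport label as authenticated data, and rejects any container that was altered in transit or presented with the wrong key or label. The record text, tape serial and shipment ID are constructed for the example; the key is kept in memory here and would in practice come from the organization's key management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Container layout written to the removable media:
//   12-byte random nonce || AES-256-GCM ciphertext || 16-byte authentication tag
// The key is never written to the same media; it stays in the key management
// system and reaches the receiving site through a separate channel.

// NewDataKey returns a fresh 256-bit AES key from the OS CSPRNG.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32-byte keys (AES-128/192/256)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for transport. label (for example the tape serial
// number and shipment ID) is bound as additional authenticated data, so a
// container copied onto a different tape or shipment fails to open.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag after the nonce, giving the layout above.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open authenticates and decrypts a container. Any change to the nonce,
// ciphertext or tag, a wrong key, or a wrong label yields an error and no plaintext.
func Open(key, container, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(container) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("container too short to be valid")
	}
	nonce, ct := container[:gcm.NonceSize()], container[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, label)
	if err != nil {
		return nil, errors.New("authentication failed: wrong key or label, or media altered in transit")
	}
	return plaintext, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and label; real input would be the backup image.
	record := []byte("MRN 000123: encounter notes 2024-01-01")
	label := []byte("tape=LTO-4471 shipment=SH-0092")

	container, err := Seal(key, record, label)
	if err != nil {
		panic(err)
	}
	if _, err := Open(key, container, label); err != nil {
		panic(err)
	}
	fmt.Println("intact container opens: ok")

	// A single flipped bit anywhere in the container is detected on receipt.
	tampered := append([]byte(nil), container...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = Open(key, tampered, label)
	fmt.Println("tampered container:", err)
}
```

Using an authenticated mode (GCM) rather than bare AES-CBC is what turns the chain-of-custody check from a paper procedure into a cryptographic one: the receiving site learns not only that it has the right tape but that nothing on it changed between departure and arrival. Never reuse a nonce under the same key; the fresh random nonce per container handles that here, and for very large volumes of data under one key a counter-based or derived-key scheme should replace it.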