HIPAA Security: Computing Devices and Electronic Storage Media Policy

I. Scope & Applicability

This policy applies to computing devices and electronic storage media that are used by Stanford University HIPAA Components (SUHC) workforce members and business associates to create, access, or store electronic protected health information (ePHI).

Information systems, including computing devices and electronic storage media, that are managed by, or receive technical support from, Stanford Health Care (SHC) or Stanford Children’s Health (SCH) are subject to the policies and procedures of those respective entities.

II. Policy Statement

SUHC will implement reasonable and appropriate measures designed to ensure that computing devices and electronic storage media covered by this policy will be installed, located, and used in a way that minimizes the unauthorized or incidental disclosure of ePHI. SUHC workforce and business associates will employ reasonable and appropriate safeguards when receiving, storing, using, transferring, or disposing of computing devices or electronic storage media that store ePHI.

III. Principles

1. Installation and Configuration. All computing devices will be installed and configured to restrict ePHI access to only authorized users.
   1. Acquisition. SUHC will only acquire computing devices that meet or exceed current minimum configuration requirements for that type of device (e.g., server, workstation, mobile).
   2. Configuration. Computing devices will be configured with all required software for that type of device and will be updated promptly to install new versions of software, fix problems, and update security settings.
   3. Modifications. Only System Administrators are authorized to change the security configurations and policy settings on computing devices under their administration.
2. Use of Computing Devices and Electronic Storage Media.  Users of computing devices and electronic storage media will protect ePHI from unauthorized access by adhering to the following principles:
   1. ePHI will only be stored, reviewed, created, updated or deleted using computing devices that meet the security requirements for that type of device.
   2. If ePHI is stored on a non-portable computing device (e.g., server, desktop workstation), the data will be encrypted unless all of the following requirements are met:
      1. The computing device is located in a SUHC facility that meets the requirements set forth in the SUHC HIPAA Security: Facilities Security Policy; and
      2. The ePHI is protected by the access controls required by the SUHC HIPAA Security: Information Access Controls Policy.
   3. When stored on portable or mobile computing devices (e.g. laptops, smartphones, tablets, etc.) or on removable electronic storage media (e.g. thumb drives, etc.), ePHI will be encrypted.
   4. Original (source), or the sole copy of, PHI will not be stored on portable computing devices.
   5. Before leaving a computing device unattended, users will log off or otherwise lock or secure the device or applications to deter unauthorized access to ePHI.
   6. Users will not disable hardware or software (e.g., anti-virus, anti-spyware, firewall, intrusion detection) that protects against attacks.
3. Repair and Maintenance of Computing Devices. PHI will be protected from unauthorized use or disclosure when a computing device that contains ePHI is being serviced in accordance with the following standards:
   1. Repairs or maintenance will be performed by a workforce member or business associate who is authorized to access the ePHI, unless the ePHI has been removed from the device in accordance with the requirements of Section III.E of this policy; or
   2. If servicing is performed on a computing device and the only potential access to ePHI is considered to be incidental, then the servicing can be performed by someone who is neither a business associate nor a workforce member authorized to access the ePHI only if, at all times, an authorized workforce member or business associate supervises the work.
4. Physical Placement and Security.
   1. Computing devices, particularly those in public access areas, will be located and oriented so that information on displays is not easily viewable by unauthorized persons.  If displays cannot be positioned to deter viewing, then accessories such as “privacy filters” will be utilized.
   2. When computing devices are not located in areas where they can be adequately secured when unattended (e.g., in locked offices, cabinets, drawers, racks), cables or other locking accessories will be employed to deter unauthorized removal of or tampering with the device.
5. Receipt, Transfer, and Disposal of Hardware and Electronic Storage Media. When computing devices containing ePHI, including hardware and electronic storage media, are moved within, into, or out of a facility, the following principles will be followed:
   1. Receipt or Transfer of Hardware or Electronic Storage Media Containing ePHI. If hardware or electronic storage media containing ePHI is physically transferred into, within, or outside of a facility (e.g., when relocating a workforce member and their equipment, when sending a thumb drive to a business associate, when taking a laptop home), SUHC will:
      1. Evaluate whether it is necessary to retain the ePHI on the computing device or electronic storage media when the device or media is received or moved. If not, securely remove the ePHI from the computing device or electronic storage media.
      2. If transfer of the ePHI with the computing device or electronic storage media is necessary:
         1. Make a retrievable, exact copy of the ePHI before transfer;
         2. Use a deliver mechanism that provides an audit trail (e.g., internal or external courier or movers, registered mail, FedEx, UPS); and
         3. While pending transfer, maintain the inactive computing device or electronic storage media in view of the responsible person, or stored in a secure (e.g., locked, monitored) area.
   2. Disposal or Re-use of Hardware or Electronic Storage Media Containing ePHI. Computing devices containing ePHI, including hardware and electronic storage media, will be disposed of or transferred for re-use only after the ePHI has been removed from the device according to the SUHC HIPAA Security: Data Sanitization Policy.

Pending removal or destruction of ePHI, inactive hardware or electronic storage media will remain in view of the responsible person, or stored in a secure (e.g., locked, monitored) area.

1. Tracking. Unless ePHI has been removed or encrypted, a log or equivalent record will be maintained documenting the disposal, movement, or receipt of hardware and electronic storage media. This record will identify the person responsible for the equipment or media.

IV. Procedures

Each department or program included in the SUHC will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy. Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.

V. Exceptions

Any exceptions to this policy must be approved by the Stanford University Chief Information Security Officer or delegate.

VI. Related Documents

1. SUHC HIPAA Security: Facilities Security Policy
2. SUHC HIPAA Security: Information Access Controls Policy
3. SUHC HIPAA Security: Data Sanitization Policy

VII. Document Information

1. Legal Authority/References
   ​Health Insurance Portability and Accountability Act of 1996: Administrative Simplification Rules (as amended through 3/26/13), §164.310(b); §164.310(c); §164.310(d)
2. Contact for Questions Related to this Policy
   Stanford University Chief Information Security Officer
   ​ securityofficer@stanford.edu
3. Document Review History

   Version	Date	Modified	Comments
   1.0	05/26/2005	Yes
   1.1	12/07/2015	Yes	Reviewed and updated by Aaron Arutunian

This document is intended for use by Stanford University. No representations or warrants are made for outside use. Not for outside reproduction or publication without permission.