Computer Forensics Associates Data Recovery HIPAA Compliance Provisions
Subject: Computer Forensics Associates Compliance with HIPAA Security Rule
Many questions have arisen about Computer Forensics Associates' compliance with HIPAA regulations, specifically the HIPAA Security Rule. The provision of the HIPAA Security Rule that applies to our service is addressed below.
HIPAA Security Rule
4.13 Device & Media Controls (§164.310(d)(1))
KEY ACTIVITIES #3:
Maintain Accountability for Hardware & Electronic Media
(1) Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
(2) Ensure the EPHI is not inadvertently released or shared with any unauthorized party.
(3) Ensure that an individual is responsible for, and records the receipt and removal of, hardware and software with EPHI.
We will require all customers who qualify as a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to complete Chain of Custody paperwork that will track all movements of the hardware device(s) within and outside our facilities. This will be in addition to any FedEx or other public/private courier service tracking paperwork, so that any hardware device(s) on which a Covered Entity has contracted Computer Forensics Associates to perform work has a record of movement from the moment the hardware device(s) leave the Covered Entity's facility until they are returned to that facility.
- Computer Forensics Associates to limit access to PHI based on need to know
- Computer Forensics Associates cannot use PHI in a way that would be a violation of regulations if done by covered entity
- Computer Forensics Associates can use PHI only as permitted under the agreement
- Computer Forensics Associates must protect the integrity and availability of data/information
- Standard confidentiality provisions:
- Computer Forensics Associates can make no further dissemination without approval
- Computer Forensics Associates will implement and maintain appropriate safeguards to prevent inappropriate use or release
- Computer Forensics Associates will inform of breach and cooperate in mitigation
- Computer Forensics Associates will return/destroy PHI at termination
- Computer Forensics Associates will retain no copies
- Computer Forensics Associates will make PHI available as if a covered entity
- Computer Forensics Associates must comply with applicable provisions of regulations
- Computer Forensics Associates will make internal practices, books, and records available to HHS
- Computer Forensics Associates will incorporate corrections to PHI
- Termination for:
  - Material breach
  - Repeated non-material breach
- Individuals to whom information pertains are third-party beneficiaries
- Computer Forensics Associates bound by covered entity’s notice of information practices
- Covered entity can audit contractor to confirm and monitor compliance
- Revision based on change to law/regulations
- Compliance with transaction standards (if business associate)
- Amend agreement as HIPAA regulations are modified
- All of above provisions flow down to subcontractors
- Injunction not exclusive remedy