HHA HIPAA Security Risk


The Office of the National Coordinator for Health Information Technology (ONC) recognizes that conducting a risk assessment can be a challenging task. That’s why ONC, in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), developed a downloadable SRA Tool  to help guide you through the process. HHA HIPAA security risk assessment tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment.

The HHA HIPAA security risk assessment Tool takes you through each HIPAA requirement by presenting a question about your organization’s activities. Your “yes” or “no” answer will show you if you need to take corrective action for that particular item. There are a total of 156 questions.

Our Safe Harbor Express “SHE” Scheduled Secure EPHI Data Destruction Service allows you to respond positively to 6 requirements of the HHS HIPAA Security Risk Assessment tool.

Physical Security Section of SRA Tool

PH30 – §164.310(d)(1) Standard. Does your practice have security policies and procedures to physically protect and securely store electronic devices and media inside your facility(ies) until they can be securely disposed of or destroyed? 

Our contracted SHE service provides secure containers and a bar code inventory system to control and secure all loose data media potentially storing EPHI.

PH31 – §164.310(d)(1) Standard. Do you remove or destroy ePHI from information technology devices and media prior to disposal of the device? 

The SHE service provides onsite NIST compliant data destruction by either shredding or degaussing your media containing EPHI.

PH32 – §164.310(d)(1) Standard Do you maintain records of the movement of electronic devices and media inside your facility? 

The SHE service provides an inventory tracking tool that is validated by our service technicians prior to the destruction and disposal of the data media. All validating inventory exhibits are countersigned by your project supervisors and our technicians.  These records are provided to you as well as uploaded to a secure cloud based record archive (our proprietary “Compliance Library” ) where all records of all your destruction/disposal projects are maintained.

PH33 – §164.310(d)(1) Standard Have you developed and implemented policies and procedures that specify how your practice should dispose of electronic devices and media containing ePHI? 

Our SHE contractual agreement represents your agreed upon policy and procedure for the HIPAA  and NIST compliant disposal of EPHI on to be disposed of data media.

PH34 – §164.310(d)(2)(i) Required Do you require that all ePHI is removed from equipment and media before you remove the equipment or media from your facilities for offsite maintenance or disposal? 

The SHE Agreement and the attached Statement of Services states that all recorded data will be destroyed in compliance to NIST standards prior to leaving your facility.

PH36 – §164.310(d)(2)(iii) Addressable Does your practice maintain a record of movements of hardware and media and the person responsible for the use and security of the devices or media containing ePHI outside the facility?

The SHE handling procedures include a strict “Chain of Possession” protocol that requires a countersigned affidavit for every transfer of possession within the secure destruction process.