§164.310(d)(2)(i): Implement policies and procedures to address the final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored.
Audit Inquiry
Does the entity have policies and procedures that address the disposal of ePHI data, hardware or electronic media on which it is stored?
Does the entity address the disposal of ePHI data, hardware or electronic media on which it is stored?
Obtain and review policies and procedures related to disposal of any electronic media that stores ePHI. Evaluate the content in relation to the specified performance criteria for the disposal of hardware, software, and ePHI.
Elements to review may include but are not limited to:
• How the disposal of ePHI and/or the hardware or electronic media that stores ePHI is managed and documented
• Identification of how the sanitization process of information system media is managed and documented
• Workforce members’ roles and responsibilities in the device and media disposal process
• Identification of how the disposition of previously stored ePHI and/or the hardware or electronic media is verified
• Identify the types of devices and media that store ePHI
Obtain and review documentation demonstrating how the disposal of hardware, software, and ePHI data is completed, managed, and documented. Evaluate and determine if the process is being followed appropriately and is in accordance with related policies and procedures.
Obtain and review documentation demonstrating how the sanitization of electronic media is completed, managed, and documented. Evaluate and determine if the process is being followed appropriately and is in accordance with related policies and procedures.
Required/Addressable
Required