Equipment Control (into and out of site): A procedure for bringing hardware and software into and out of a facility and for maintaining a record of that equipment. This includes, but is not limited to, the marking, handling and disposal of hardware and storage media.

• Equipment control policy
• Record management policy
• Asset tagging or bar coding procedure
• Handheld/Wireless device control

• Equipment Control Policy would state the following information:
  • Equipment to be transferred on and off site; including but not limited to computers, hard drives, mobile phones, handheld computer, pagers, wireless phones, laptop computers, health equipment, i.e.; mobile cath labs, EKG carts, any device containing or storing PHI
  • Serial number, asset tag number, detailed description of equipment, if wireless the encryption type and wireless setup, date requested, date submitted, date of approval, time of departure, length of time requesting, trail of where the equipment is going or went, date and time of return, authorization by, person requesting, requestor id, requestor department, manager or supervisor
  • If requesting certain media this would also need the above information but would be bar coded or asset tagged to identify what it is
  • A database would be used to log this information as it is more secure and stores unique id's
  • Document all access levels, equipment, accountability, and file mappings
• Record Management Procedure will include how these records are stored
  • This should be stored on a secure server or workstation with access given to the administrator of the database and the user(s)
  • This access code will be unique to each individual involved in maintaining the records
  • The database will be mapped and documented in paper form in a log. The paper log is to ensure that in the event of a loss of power one can still check out equipment and have a paper trail. An electronic backup is advised. This log will be updated with each piece of equipment leaving the facility
  • In the event of a piece of equipment leaving for an extended period of time only one record will be needed with approximate travel descriptions
  • There may be multiple databases linked with a switchboard or linking connection or shortcuts. These may be setup for different types of users but, every piece of equipment that contains PHI, can contain PHI, or will contain PHI needs to be documented
  • Document all changes to the database and have a master file
  • After documenting all changes have the user sign a disclosure document verifying the information
• Asset tagging or bar coding
  • Some type of asset tagging or bar coding is recommended to simplify inventory and check in/out processes
  • When a piece of equipment is checked in/out, one would only have to scan the barcode or enter the asset tag to confirm the equipment. Said equipment will already be in the database and one can cross check the data
  • Document all changes made to the system and have a master file

• Media Control Policy: This policy should include the following information:
  
  • Type of media
  • Attached system or types of systems that can use said media
  • Rewritable media should be authorized
  • Secure access to backup tapes, authorize movement of tapes or backup media by enforcing a procedure linked to this policy
  • No personal media and only authorized individuals can purchase media
  • Impose discipline on violators
  • Note the risks involved in using different types of media
  • Include disposal of media procedures
  • Include authorization and access for those individuals responsible for disposing of media
  • Document all access levels and their responsibilities and check out all media by having the user sign a release
• Handheld Devices Policy This policy should state the following:
  
  • Type of device
  • Serial number
  • Date of removal or entry to facility
  • Wireless option
  • Password
  • Storage capacity
  • Encryption type
  • File structure and mapping
  • Transfer mechanism
  • Responsible party and department
  • Verify that no PHI leaves with the device by having the user sign a disclosure document

• Policy regarding equipment coming in/out
  • Procedure outlining database usage, reporting and verification
• Policy regarding media control
  • Procedure giving access to move, create, order or destroy media
  • Procedure enforcing this policy by exacting disciplinary sanctions
• Policy regarding the use of handheld devices
  • Procedure to password protect, verify software and encryption, verify no PHI exists or was on system, have a signed document releasing the facility of any recourse because of PHI being on the device

• Physical controls
  • Lock down mechanisms
  • Bar code labeling to track the equipment. Maker software and equipment will not be accessible to the public or end users
  • A database to track equipment as it leaves and returns and a procedure to verify the software and PHI
  • All physical controls will be reviewed and approved by the Security officer or other appointed person
• Accountability
  • Each piece of equipment needs to be assigned to an individual, department and have a documented line of accountability
  • Anyone using a piece of equipment is accountable for all data, hardware, storage, viewing and removal of data
  • Upon check in or out a manager or assigned person will verify the data and assure the individual is aware of their accountability
  • Clear lines of accountability will be reviewed and approved by the Security officer or assigned person
• Data backup
  • Each piece of equipment will be backed up before being checked out. This will be done with a verification backup to ensure data integrity
  • Upon return the data will be verified by the backup software and checked back in upon approval
  • Data backup is configured by Information Systems and should be automated to relieve the user
  • On other systems data backup will be performed daily to a central server or source of media
  • All database files will be copies with the master files residing on a fileserver
  • The security officer or someone assigned will verify the backup configurations and ensure the functionality of the backup
• Data Storage
  • Data assigned to equipment will stay with that equipment until it is checked in and whenever it is attached to the network
  • Information systems will configure the equipment in such a way that there is no way to store information on diskette, cd, dvd or any other means except as described by this policy or with a written request
• Disposal
  • All data will be disposed of at the check out station
  • All data will be documented, time and date stamped before leaving the equipment
  • All data will be inspected and verified upon check out and check in
  • Disposal of any information will be handled under disposal policies of the company
  • Disposal can mean throwing away documents, media, or emailing information. Destroying media by electronic or magnetic means, shredding of paper, documents or records, or removing information will be considered disposal
  • Any unauthorized disposal should have some ramifications built in
• Disaster Recovery
  • A disaster will be detailed under the disaster recovery policy for the company
• Emergency Mode Operation
  • In the event of emergency mode all equipment will be checked in or accounted for immediately or the equipment should fall under the equipment mode operation policy
• Maintenance Records
  • All equipment should have maintenance records
  • Equipment should be regularly checked for faulty devices and documented if found
  • This would be a procedure under the equipment use policy