42 CFR § 3.106 - Security requirements.
(a) Application. A PSO must secure patient safety work product in conformance with the security requirements of paragraph (b) of this section. These requirements must be met at all times and at any location at which the PSO, its workforce members, or its contractors receive, access, or handle patient safety work product. Handling patient safety work product includes its processing, development, use, maintenance, storage, removal, disclosure, transmission and destruction.
(b) Security framework. A PSO must have written policies and procedures that address each of the considerations specified in this subsection. In addressing the framework that follows, the PSO may develop appropriate and scalable security standards, policies, and procedures that are suitable for the size and complexity of its organization.
(1) Security management. A PSO must address:
(i) Maintenance and effective implementation of written policies and procedures that conform to the requirements of this section to protect the confidentiality, integrity, and availability of the patient safety work product that is received, accessed, or handled; and to monitor and improve the effectiveness of such policies and procedures, and
(ii) Training of the PSO workforce and PSO contractors who receive, access, or handle patient safety work product regarding the requirements of the Patient Safety Act, this Part, and the PSO's policies and procedures regarding the confidentiality and security of patient safety work product.
(2) Distinguishing patient safety work product. A PSO must address:
(i) Maintenance of the security of patient safety work product, whether in electronic or other media, through either physical separation from non-patient safety work product, or if co-located with non-patient safety work product, by making patient safety work product distinguishable so that the appropriate form and level of security can be applied and maintained;
(ii) Protection of the media, whether in electronic, paper, or other media or format, that contain patient safety work product, limiting access to authorized users, and sanitizing and destroying such media before their disposal or release for reuse; and
(iii) Physical and environmental protection, to control and limit physical and virtual access to places and equipment where patient safety work product is received, accessed, or handled.
(3) Security control and monitoring. A PSO must address:
(i) Identification of those authorized to receive, access, or handle patient safety work product and an audit capacity to detect unlawful, unauthorized, or inappropriate receipt, access, or handling of patient safety work product, and
(ii) Methods to prevent unauthorized receipt, access, or handling of patient safety work product.
(4) Security assessment. A PSO must address:
(i) Periodic assessments of security risks and controls to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.
(ii) System and communications protection, to monitor, control, and protect PSO receipt, access, or handling of patient safety work product with particular attention to the transmission of patient safety work product to and from providers, other PSOs, contractors or any other responsible persons.