42 CFR 3.106 - Security requirements.
(a) Application. A PSO must secure patient safety work product in conformance with the security requirements of paragraph (b) of this section. These requirements must be met at all times and at any location at which the PSO, its workforce members, or its contractors receive, access, or handle patient safety work product. Handling patient safety work product includes its processing, development, use, maintenance, storage, removal, disclosure, transmission and destruction.
(b) Security framework. A PSO must have written policies and procedures that address each of the considerations specified in this subsection. In addressing the framework that follows, the PSO may develop appropriate and scalable security standards, policies, and procedures that are suitable for the size and complexity of its organization.
(i) Maintenance and effective implementation of written policies and procedures that conform to the requirements of this section to protect the confidentiality, integrity, and availability of the patient safety work product that is received, accessed, or handled; and to monitor and improve the effectiveness of such policies and procedures, and
(ii) Training of the PSO workforce and PSO contractors who receive, access, or handle patient safety work product regarding the requirements of the Patient Safety Act, this Part, and the PSO's policies and procedures regarding the confidentiality and security of patient safety work product.
(i) Maintenance of the security of patient safety work product, whether in electronic or other media, through either physical separation from non-patient safety work product, or if co-located with non-patient safety work product, by making patient safety work product distinguishable so that the appropriate form and level of security can be applied and maintained;
(ii) Protection of the media, whether in electronic, paper, or other media or format, that contain patient safety work product, limiting access to authorized users, and sanitizing and destroying such media before their disposal or release for reuse; and
(iii) Physical and environmental protection, to control and limit physical and virtual access to places and equipment where patient safety work product is received, accessed, or handled.
(i) Identification of those authorized to receive, access, or handle patient safety work product and an audit capacity to detect unlawful, unauthorized, or inappropriate receipt, access, or handling of patient safety work product, and
(i) Periodic assessments of security risks and controls to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.
Title 42 published on 2014-10-01.
No entries appear in the Federal Register after this date for 42 CFR Part 3.