This brings up the issue of proper data-handling practices. Basically, if the records are digitized, then proper controls must be in place to dictate who can access the information. Maybe that means having proper security set up on file shares. Perhaps these CDs and DVDs should be kept in a safe so they aren't accessible to everyone. Encrypting the data should also be considered, to make sure that even if the data is accessible, it's not readable without the key.
Of course, it is good practice to implement procedures to protect against data corruption and unauthorized changes, so storing the data on write-once media isn't a bad idea. But since you would only be storing a point in time backup (or replication) of the data in question, there is a cost there.
Based on my understanding of HIPAA, these types of storage mechanisms would be acceptable. Yet as with any regulation, that is ultimately going to be a judgment call of the examiner that shows up to assess your organization.
For more information:
Dig Deeper on HIPAA
Related Q&A from Mike Rothman
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ... Continue Reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.