The Office for Civil Rights (OCR) recently released guidance to help HIPAA covered entities and business associates complete their risk assessments. The guidance lays out a detailed list of IT asset inventory steps that should be taken when completing a risk analysis. More details on the OCR guidance are discussed below.
OCR Guidance: Keeping an IT Asset Inventory
In the past, OCR has issued millions of dollars in fines to organizations that failed to conduct thorough and accurate risk assessments. This is largely due to organizations failing to understand where all of their electronic protected health information (ePHI) is held. When organizations are unaware of where their ePHI is held, they cannot adequately safeguard the data.
OCR stated, “Data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media. How ePHI is used and flows through an organization is important to consider as an organization conducts its risk analysis.”
To ensure that your safeguards maintain the confidentiality, integrity, and availability of ePHI, your organization must have a complete IT asset inventory. Your IT asset inventory must list every device that may come into contact with ePHI. For each device, the inventory should include a thorough description of the type of data stored on it, what kind of device it is (name and version), who uses it, and who is responsible for maintaining it.
The OCR guidance states:
“Conducting a risk analysis… is not only a Security Rule requirement, but also is fundamental to identifying and implementing safeguards that comply with and carry out the Security Rule standards and implementation specifications. Although the Security Rule does not require it, creating and maintaining an up-to-date, IT asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance.”
“By comparing its inventory of known IT assets against the results of network scanning discovery and mapping processes, an organization can identify unknown or ‘rogue’ devices or applications operating on its network. Once identified, these previously unknown devices can be added to the inventory and the risks they may pose to ePHI identified, assessed, and mitigated.”
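One way to carry out the comparison the guidance describes, as an added example that is not part of the OCR guidance or of this article: a constructed inventory carrying the fields listed above (device name and version, type of data stored, responsible owner) is reconciled against constructed network-discovery output to surface both rogue devices and inventoried devices the scan did not find. The asset records, the scan line format, and the choice of MAC address as the join key are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One IT asset inventory entry (fields follow the article's list)."""
    mac: str        # MAC address, used as the join key against scan results
    name: str       # device name
    version: str    # OS / firmware version
    data_type: str  # type of data stored, e.g. "ePHI" or "none"
    owner: str      # person or team responsible for maintaining the device


def norm_mac(mac: str) -> str:
    """Normalize MAC notation so inventory and scanner spellings compare equal."""
    return mac.strip().lower().replace("-", ":")


# Constructed sample inventory (hypothetical devices, not real data).
INVENTORY = [
    Asset("aa:bb:cc:00:00:01", "ehr-db-01", "Windows Server 2019", "ePHI", "DBA team"),
    Asset("aa:bb:cc:00:00:02", "nurse-ws-07", "Windows 10 21H2", "ePHI", "Nursing IT"),
    Asset("aa:bb:cc:00:00:03", "lobby-kiosk", "Ubuntu 20.04", "none", "Facilities"),
]

# Constructed discovery-scan output, one host per line: "<ip> <mac> <hostname>".
SCAN_OUTPUT = """\
10.0.1.10 AA-BB-CC-00-00-01 ehr-db-01
10.0.1.23 aa:bb:cc:00:00:02 nurse-ws-07
10.0.1.77 aa:bb:cc:00:00:99 unknown-device
"""


def parse_scan(text: str) -> dict:
    """Map normalized MAC -> {ip, hostname} for every host the scan observed."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split(maxsplit=2)
        hosts[norm_mac(mac)] = {"ip": ip, "hostname": hostname}
    return hosts


def reconcile(inventory, scanned):
    """Return (rogue, unseen): scanned hosts missing from the inventory, and
    inventoried assets the scan did not observe (check ePHI holders first)."""
    known = {norm_mac(a.mac): a for a in inventory}
    rogue = {mac: h for mac, h in scanned.items() if mac not in known}
    unseen = [a for mac, a in known.items() if mac not in scanned]
    unseen.sort(key=lambda a: a.data_type != "ePHI")  # ePHI assets first
    return rogue, unseen
```

Rogue entries are candidates to add to the inventory and assess, as the guidance says; unseen ePHI assets deserve a follow-up because a device that holds ePHI and no longer answers on the network may have been moved, retired, or lost.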
To read more about the OCR guidance, please click here.