In its Summer 2020 Cybersecurity Newsletter, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) expressed concern that organizations lack a sufficient understanding of where their electronic protected health information (ePHI) resides. Although the Security Rule does not require one, OCR now recommends that an organization develop an information technology (IT) asset inventory to support a comprehensive, enterprise-wide risk analysis (which, unlike the inventory, is a required implementation specification under 45 CFR § 164.308(a)(1)(ii)(A)).
OCR recommends that the IT asset inventory list each of an organization’s IT assets together with its version, the person accountable for it, and its location. When creating an IT asset inventory, OCR recommends that organizations include:
- Hardware assets, which include mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers
- Software assets, including anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems
- Data assets, including ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media
While an IT asset inventory is not required for an organization to be compliant with the Security Rule, it can help an organization improve its risk analysis and, more generally, its HIPAA compliance: ePHI that does not appear in the inventory is ePHI that the risk analysis is likely to miss. Maintaining an IT asset inventory therefore reduces the likelihood of a security incident and also helps demonstrate an organization’s compliance with HIPAA should a breach occur. An inventory that is not kept current as assets are added, moved, or retired loses most of this value.