In its Summer 2020 Cybersecurity Newsletter, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) expressed a concern that organizations lacked sufficient understanding as to the location of their electronic protected health information (ePHI). Although not required by the Security Rule, OCR now recommends that an organization develop an information technology (IT) asset inventory to assist in developing a comprehensive, enterprise-wide risk analysis.
OCR recommends that the IT asset inventory list an organization’s IT assets along with the version of each asset, the person accountable for it, and its location. When creating an IT asset inventory, OCR recommends that organizations include:
While an IT asset inventory is not required for an organization to be compliant with the Security Rule, it can help an organization improve its risk analysis and its HIPAA compliance generally. Maintaining an IT asset inventory will not only help prevent a security incident, but will also help demonstrate an organization’s compliance with HIPAA should a breach occur.
For questions about the IT asset inventory, please contact one of the authors of this alert.