OCR Recommends IT Asset Inventory List for HIPAA-Covered Entities and Business Associates

In its recent cybersecurity newsletter, the Office of Civil Rights (OCR) recommended that HIPAA-covered entities and business associates develop information technology (IT) asset inventory lists to assist with tracking electronic health information (“ePHI”) throughout their organizations in order to satisfy risk analysis compliance requirements under the HIPAA Security Rule.

According to the OCR, organizations should include the following IT assets:

Hardware assets that comprise physical elements, including electronic devices and media, which make up an organization’s networks and systems. This can include mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers.

Software assets that include programs and applications that run on an organization’s electronic devices. These software assets include anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems. Though lesser known, there are other programs important to IT operations and security such as backup solutions, virtual machine managers/hypervisors, and other administrative tools that should be included in an organization’s inventory.

Data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media. How ePHI is used and flows through an organization is important to consider as an organization conducts its risk analysis.

In addition, the OCR advised that IT asset inventories should also include other IT assets that may not be directly involved in the storing or processing of ePHI but may provide a cybersecurity risk through unauthorized access.

The list of assets that should be included in an organization’s system-wide IT asset inventory includes enough descriptive data to aid the organization in identifying the location of ePHI, including asset names and types, software versions, locations, and individuals responsible for each asset. 

The ERISA attorneys at Hall Benefits Law help our clients manage legislative and regulatory changes to employee benefit plans. To get help with your plans today, call 678-439-6236.

The following two tabs change content below.

Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.

Latest posts by Hall Benefits Law, LLC (see all)

%d bloggers like this: