HIPAA Covered Entities and Business Associates Need an IT Asset Inventory List, OCR Recommends

Joseph J. Lazzarotti and Maya Atrakchi of JacksonLewis write:

Last week, in its Cybersecurity Summer Newsletter, the Office of Civil Rights (OCR) published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization, and improve HIPAA Security Rule compliance. OCR investigations often find that organizations “lack sufficient understanding” of where all of their ePHI is located, and while the creation of an IT asset inventory list is not required under the HIPAA Security Rule, it could be helpful in the development of a risk analysis, and in turn and implementing appropriate safeguards – which are HIPAA Security Rule requirements.

British institutions to be banned from paying ransoms to Russian hackers
Missouri Adopts New Data Breach Notice Law
North Country Healthcare responds to Stormous's claims of a breach
Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
Texas Enacts Electronic Health Record Data Localization Law
70% of healthcare cyberattacks result in delayed patient care, report finds

Related: