HIPAA Covered Entities and Business Associates Need an IT Asset Inventory List, OCR Recommends

Joseph J. Lazzarotti and Maya Atrakchi  of JacksonLewis write:

Last week, in its Cybersecurity Summer Newsletter, the Office of Civil Rights (OCR) published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization, and improve HIPAA Security Rule compliance.  OCR investigations often find that organizations “lack sufficient understanding” of where all of their ePHI is located, and while the creation of an IT asset inventory list is not required under the HIPAA Security Rule, it could be helpful in the development of a risk analysis, and in turn and implementing appropriate safeguards – which are HIPAA Security Rule requirements.

Read more on Workplace Privacy, Data Management & Security Report

About the author: Dissent

Comments are closed.