OCR Highlights Asset Log as Key HIPAA Recommendation

August 25, 2020

Earlier today, the Office for Civil Rights (OCR) sent out its seasonal Cybersecurity Newsletter on a very timely and relevant topic – the importance of keeping track of devices that contain electronic protected health information (ePHI). The OCR’s newsletter highlights two important things for independent practices: first, that having an asset log is the recommended method for tracking and thus safeguarding devices that contain ePHI, and second, that the OCR views practices’ lack of knowledge about where their devices are as a key area of concern.

As part of the HIPAA Security Rule, practices are required to implement the necessary technical safeguards covered in the Security Risk Analysis (SRA) – including encrypting and securing their devices that contain sensitive ePHI. While an asset log isn’t directly required under HIPAA, the OCR highly recommends creating and maintaining an IT asset inventory to better understand where ePHI may be stored and to strengthen overall compliance with these requirements.

What does an Asset Log entail?

We know it’s hard to keep tabs on everything within your practice, but when it comes to your devices, keeping inventory is key. As the OCR’s newsletter highlights, the asset log should be a comprehensive list of all IT assets with corresponding descriptive information. The OCR notes that this list could include ALL devices, even those that don’t access ePHI directly, as they could contain ePHI unknowingly or be an entry point for cyberattackers into your network. Your list should include:

  • Hardware assets, including devices, media, servers, routers, or mobile devices.
  • Software assets: all programs and applications that run on an electronic device within your practice. These could include your electronic health record (EHR) system, anti-malware tools, and email server.
  • Any data assets involved in the creation, receipt, transmission, or maintenance of ePHI (this might mean medical imaging devices or other IoT-enabled devices).

When documenting these assets, Abyde recommends including all the following information: 

  • Identification data for the asset, for example, the type of device and a unique ID or name
  • The operating system or version of the asset (for example, if it is a computer running Microsoft Windows 7)
  • The staff member and/or location the asset is assigned to
  • Whether the device is encrypted and what type of encryption was implemented
  • How the device accesses ePHI

Additionally, it is important to regularly update your asset log as devices are moved between locations or reassigned to different staff members. Just like an SRA, your asset log should not be a ‘one and done’ project, and should instead be reviewed regularly. You should also track when devices are disposed of, as improperly disposing of devices that contain ePHI is a common cause of HIPAA violations.

No matter the size of your practice, creating and maintaining a thorough asset log isn’t an easy task. With a program like Abyde, the built-in Asset Log covers all the OCR recommendations and then some – helping you track devices at high risk and making your IT inventory intuitive. Having the ability to access your asset log within a cloud-based solution like Abyde makes reviewing and updating inventory a breeze, and helps ensure you’re complying with all the right technical safeguards.