Medical practices and covered entities are often surprised to discover IT equipment and software they did NOT know they had. This is usually due to turnover in staff and management, with departing personnel leaving little to no documentation or reporting.
HIPAA requires covered entities and business associates to conduct a risk analysis of all potential risks and vulnerabilities to the confidentiality, integrity, and availability of their ePHI. However, multiple OCR investigations are finding that most entities don’t document their full inventory.
The article breaks it down in simple terms: “Although the Security Rule does not require it, creating and maintaining an up-to-date, IT asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored”.
Article supplied by
GSG Compliance, LLC