HIPAA Asset Management


August 17, 2019 | Reading Time: 2 Minutes

Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker. How

Lost Laptop Puts 1,500 Patients at Risk — Pointing to Need for HIPAA Asset Management

An employee of Philadelphia’s Department of Behavioral Health and Intellectual Disability Services (DBHIDS) lost an unencrypted laptop on public transportation. The laptop contained the PHI of 1,500 patients including information such as name, date of birth, MCI number, and information regarding Medicaid waiver services. Many of the laptops used by DBHIDS were encrypted, however, the laptop in question was not.

Spokeswoman for the organization Alicia Taylor, stated, “DBHIDS is thoroughly investigating causes of this incident and taking appropriate corrective actions, including re-training the employees involved, providing additional privacy/security training to the DBHIDS workforce, and continuing to review practices and implement additional controls to prevent this type of incident from occurring in the future. Immediately after the incident occurred, the DBHIDS IT team ensured all other laptops currently in use were encrypted.”

Although the decision to encrypt devices is at the discretion of individual organizations, laptops that are removed from an organization’s physical site should always be encrypted. Had the organization had an effective asset management program, the data breach could have been avoided.

What is Asset Management?

Asset management, in regards to HIPAA, refers to tracking and maintaining any device that stores or accesses electronic protected health information (ePHI). Although not explicitly mandated by HIPAA law, asset management addresses several aspects required under HIPAA. The HIPAA Security Rule requires organizations to maintain a record of the movements of hardware and electronic media and any person responsible therefore. Part of asset management is taking an inventory of all devices accessing ePHI and which person(s) use that device.

Additionally, the HIPAA Security Rule requires an organization to identify where ePHI is stored, maintained, received, or transmitted; asset management addresses this as well. In the event of a HIPAA audit, the Office of Civil Rights (OCR) will inquire of management as to how the location and movement of media and hardware containing ePHI is tracked, and obtain and review policies and procedures and evaluate the content relative to the specified criteria regarding tracking the location of ePHI media and hardware.

What is an Effective Asset Management Program?

Developing an effective asset management program allows an organization to track and maintain devices. An asset inventory list should be updated whenever a new device or employee is added to an organization. The inventory list should include the device name, employee(s) name(s) that use the device, and the age of the device. Including the device age will facilitate business operations as it ensures that outdated systems, that are no longer supported with updates, are replaced in a timely manner.

Using an outdated operating system, such as Windows XP, puts patient data at risk. Since Microsoft no longer supports Windows XP with updates, the risk of experiencing a data breach is highly likely when using this system.

This is Part VI of the XI-part blog series. You can also read Parts I to V below:

  • Behavioral health practices handle protected health information (PHI) regularly, and as such, must take precautions to safeguard the sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the sixth of which is access management. (Each one of these XI HIPAA outlined practices will be examined in its own article, labeled Part I-XI for your convenience).
Essential Telehealth Law & Ethical Issues

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

HIPAA Compliant Cybersecurity for Professionals

Must-know information about how to protect your telehealth practice from a ransomware attack. Operate w/ EYES WIDE OPEN.

Telehealth Law & Ethical Course Bundle

This Telehealth Legal & Ethical Course Bundle provides the most important risk management and telehealth compliance training available anywhere to help meed telehealth, regardless of the size of your telehealth services.

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. Some of Telehealth.org’s blog content is generated with the assistance of ChatGPT. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.

Was this article helpful?

Please share your thoughts in the comment box below.

Notify of
Inline Feedbacks
View all comments

Register for Free

Receive Any of Our 57 FREE Newsletters!


Most Popular Blog Topics

You May Also Like…

ChatGPT HIPAA Considerations
ChatGPT HIPAA Considerations

ChatGPT HIPAA compliance is one of the hottest topics at 2023 conferences and with good reason. AI...