

HIPAA Asset Management

Aug 17, 2019

Lost Laptop Puts 1,500 Patients at Risk: Pointing to the Need for HIPAA Asset Management

An employee of Philadelphia’s Department of Behavioral Health and Intellectual Disability Services (DBHIDS) lost an unencrypted laptop on public transportation. The laptop contained the PHI of 1,500 patients, including name, date of birth, MCI number, and information regarding Medicaid waiver services. Many of the laptops used by DBHIDS were encrypted; the laptop in question was not.
DBHIDS spokeswoman Alicia Taylor stated, “DBHIDS is thoroughly investigating causes of this incident and taking appropriate corrective actions, including re-training the employees involved, providing additional privacy/security training to the DBHIDS workforce, and continuing to review practices and implement additional controls to prevent this type of incident from occurring in the future. Immediately after the incident occurred, the DBHIDS IT team ensured all other laptops currently in use were encrypted.”
Although HIPAA leaves the choice of encryption technology to each organization, encryption of ePHI at rest is an addressable specification of the Security Rule (45 CFR 164.312(a)(2)(iv)): an organization that decides not to implement it must document why and put an equivalent alternative safeguard in place where reasonable and appropriate. For laptops that leave an organization’s physical site there is no practical equivalent, and such laptops should always be encrypted. Encryption is also what separates a lost laptop from a reportable breach: under HHS breach notification guidance, ePHI encrypted in line with NIST guidance is considered unusable, unreadable, and indecipherable, so its loss is not a breach, whereas the loss of an unencrypted device is. Had the organization had an effective asset management program, with an inventory showing which laptops were still unencrypted, the data breach could have been avoided.

What is Asset Management?

Asset management, in regards to HIPAA, refers to tracking and maintaining any device that stores or accesses electronic protected health information (ePHI). Although HIPAA does not use the term, asset management addresses several requirements of the HIPAA Security Rule. The device and media controls standard requires an organization to maintain a record of the movements of hardware and electronic media and any person responsible therefore (45 CFR 164.310(d)(2)(iii)). Part of asset management is taking an inventory of all devices that access ePHI and recording which person(s) use each device.
Additionally, the Security Rule’s risk analysis requirement (45 CFR 164.308(a)(1)(ii)(A)) obliges an organization to identify where ePHI is stored, maintained, received, or transmitted; an asset inventory is how that is documented. In the event of a HIPAA audit, the Office for Civil Rights (OCR) will ask management how the location and movement of media and hardware containing ePHI are tracked, and will obtain and review the organization’s policies and procedures, evaluating their content against the specified criteria for tracking the location of ePHI media and hardware.

What is an Effective Asset Management Program?

Developing an effective asset management program allows an organization to track and maintain its devices. The asset inventory should be updated whenever a device or employee is added to, moved within, or removed from the organization, not only when one is added. At a minimum the inventory should record the device name (with its serial number or asset tag), the employee(s) who use the device, the age of the device, its operating system version, and whether its storage is encrypted. Recording the device age ensures that outdated systems that no longer receive security updates are replaced in a timely manner; recording encryption status is what would have revealed the DBHIDS laptop as a risk before it was lost.
Using an outdated operating system, such as Windows XP, puts patient data at risk. Microsoft ended support for Windows XP on April 8, 2014, so vulnerabilities discovered since then remain unpatched, and a system still running it is an easy target for compromise and a likely source of a data breach.
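As an added example (not code from the original article or from DBHIDS), the following Python script runs the checks the section above describes over a constructed sample inventory: it flags unencrypted mobile devices, operating systems past their vendor support date, devices older than a replacement threshold, and devices with no recorded custodian, and it keeps the movement record the Security Rule asks for. The CSV columns, the five-year replacement threshold, and the sample rows are assumptions for illustration; the support-end dates in the sample are Microsoft’s published end-of-support dates for those versions, but in practice the organization maintains that column from vendor lifecycle notices.

```python
"""Inventory checks for devices that store or access ePHI.

Added example, not part of the original article. Flags the conditions the
article calls out (unencrypted mobile device, unsupported OS, aged device)
and records hardware movements for accountability (45 CFR 164.310(d)(2)(iii)).
"""
import csv
import io
from datetime import date

MOBILE_TYPES = {"laptop", "tablet", "phone"}
MAX_AGE_YEARS = 5  # assumed replacement threshold; set per organization policy
AUDIT_DATE = date(2019, 8, 17)  # date the sample audit is run (article date)

# Constructed sample inventory, not real data. Support-end dates are the
# published Microsoft end-of-support dates for the listed versions.
SAMPLE_INVENTORY = """\
asset_tag,device,custodian,purchase_date,os,os_support_end,encrypted
LT-0001,laptop,J. Doe,2018-03-01,Windows 10,2025-10-14,yes
LT-0002,laptop,R. Roe,2015-06-15,Windows 7,2020-01-14,no
WS-0003,workstation,E. Poe,2009-01-10,Windows XP,2014-04-08,no
LT-0004,laptop,,2019-08-01,Windows 10,2025-10-14,yes
"""


def load_inventory(text):
    """Parse inventory CSV text into row dicts with typed date/bool fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["purchase_date"] = date.fromisoformat(row["purchase_date"])
        row["os_support_end"] = date.fromisoformat(row["os_support_end"])
        row["encrypted"] = row["encrypted"].strip().lower() == "yes"
        rows.append(row)
    return rows


def age_in_years(purchased, today):
    """Whole years elapsed between the purchase date and today."""
    years = today.year - purchased.year
    if (today.month, today.day) < (purchased.month, purchased.day):
        years -= 1
    return years


def check_device(row, today):
    """Return the list of findings for one inventory row (empty if compliant)."""
    findings = []
    if not row["custodian"].strip():
        findings.append("no custodian recorded")
    if row["device"] in MOBILE_TYPES and not row["encrypted"]:
        findings.append("unencrypted mobile device")
    if today > row["os_support_end"]:
        findings.append(
            f"unsupported OS ({row['os']}, support ended {row['os_support_end']})"
        )
    if age_in_years(row["purchase_date"], today) >= MAX_AGE_YEARS:
        findings.append(f"device older than {MAX_AGE_YEARS} years")
    return findings


def audit_inventory(text, today):
    """Map asset tag -> findings for every device that has at least one."""
    report = {}
    for row in load_inventory(text):
        findings = check_device(row, today)
        if findings:
            report[row["asset_tag"]] = findings
    return report


def record_movement(log, asset_tag, from_location, to_location, person, when):
    """Append one accountability record: who moved which device, where, when."""
    log.append({
        "asset_tag": asset_tag,
        "from": from_location,
        "to": to_location,
        "person": person,
        "when": when,
    })
    return log


def current_location(log, asset_tag):
    """Most recently recorded location of an asset, or None if never moved."""
    moves = [m for m in log if m["asset_tag"] == asset_tag]
    return moves[-1]["to"] if moves else None


if __name__ == "__main__":
    for tag, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(tag, "->", "; ".join(findings))
    log = record_movement([], "LT-0002", "IT storage", "Field office",
                          "R. Roe", AUDIT_DATE)
    print("LT-0002 is at:", current_location(log, "LT-0002"))
```

Run against the sample, the script reports LT-0002 as an unencrypted laptop (the DBHIDS scenario), WS-0003 as both past its support date and past the age threshold, and LT-0004 as having no custodian; LT-0001 is clean. Feeding the same checks the organization’s real inventory export, and running them whenever the inventory changes rather than only at audit time, is what turns the inventory from a list into a control.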

This is Part VI of the XI-part blog series.

Behavioral health practices handle protected health information (PHI) regularly and, as such, must take precautions to safeguard that sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the sixth of which, in this series, is asset management. (Each of these HIPAA-outlined practices is examined in its own article, labeled Part I to XI for your convenience.)
