August 28, 2020

OCR Releases Guidance on IT Asset Inventories

OCR released guidance this week related to incorporating IT asset inventories into HIPAA Security Rule risk assessments. The guidance notes that “[a]lthough the Security Rule does not require it, creating and maintaining an up-to-date, [IT] asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance.” Such IT asset inventories can include hardware assets, software assets, and data assets, and should also consider assets that do not directly store or process ePHI, such as Internet of Things devices, as these assets can represent vulnerabilities to the portions of an organization’s network that do directly store or process ePHI. The guidance concludes with the benefits of maintaining a thorough inventory, which include: (1) aiding with the creation of policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility, as required under HIPAA; and (2) facilitating the preemptive management of security vulnerabilities.