Document all servers, computers, laptops, tablets, diagnostic machines, network devices, portables and mobile devices that store electronic Protected Health Information (ePHI) or sensitive data, for all offices/locations. Taking the time to know what you have makes it easier to know what needs replacement at the end of the device’s life cycle. This can also help identify where a breach may have occurred.
Include home office computers and devices that access ePHI, and may have been added during COVID-19 work-from-home restrictions.
Unless physical assets containing ePHI are documented there is no accountability for this inventory. In addition to documenting all inventory, review lists regularly and always when there are staff or management changes.
If a device is no longer used/needed the ePHI or sensitive data stored on the device needs to be wiped, degaussed and/or properly disposed of.
Talk to your IT provider about how they can help you manage your inventory.
Security and compliance are first and foremost in the management of our clients' systems. After conducting thousands of SRAs, common vulnerabilities began to emerge. We launched HIPAA Tip Tuesday to make clients aware of what actions they can take to address these vulnerabilities.