In its August Cyber Security Newsletter, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued “Considerations for Securing Electronic Media and Devices.” In this guidance document, OCR reminds HIPAA covered entities and business associates that they are required, under the HIPAA Security Rule, to implement policies and procedures that: (1) limit physical access to the organization’s electronic information systems and the facilities in which they are housed and (2) govern the receipt and removal of hardware and electronic media containing electronic PHI (“ePHI”) into and out of an organization’s facility and their movement within a facility.

OCR sets forth the following considerations for covered entities and business associates to take into account when developing policies and procedures regarding device and media controls:

  • “Is there a record that tracks the location, movement, modifications or repairs, and disposition of devices and media throughout their lifecycles?”
  • “Does the organization’s record of device and media movement include the person(s) responsible for such devices and media?”
  • “Are workforce members (including management) trained on the proper use and handling of devices and media to safeguard ePHI?”
  • “Are appropriate technical controls, for example, access controls, audit controls, and encryption, in use?”

OCR explains that an organization should use its risk analysis and risk management processes to identify and implement appropriate electronic device and media controls. Moreover, an organization should consider the following factors when determining what security measures to implement: (1) “[i]ts size, complexity, and capabilities;” (2) “[i]ts technical infrastructure, hardware, and software security capabilities;” (3) “[t]he costs of security measures;” and (4) “[t]he probability and criticality of potential risks to ePHI.”

Finally, OCR notes that an organization that has implemented an electronic asset inventory and tracking system will be better positioned to identify and manage risks associated with such devices and media and to respond to and recover from security incidents and breaches.

OCR’s August Cyber Security Newsletter can be found here.

Our take

Healthcare organizations use a variety of different electronic devices and media, including laptops, tablets, smartphones, and USB drives, in their day-to-day activities. Without appropriate processes in place to track and safeguard these devices, organizations are at greater risk of experiencing loss, theft, and the potential breach of PHI. Therefore, such organizations should review their existing electronic devices and media security policies and procedures while taking into account the various considerations set forth above.