Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Blog Post

October 15, 2018

OCR Issues Further Guidance on Electronic Media and Devices

The US Department of Health and Human Services’ Office of Civil Rights published its August 2018 cybersecurity newsletter focusing on security considerations in the receipt, removal, and movement of electronic media and devices. These devices include laptops, smartphones, servers, desktops, and tablets as well as electronic storage devices, such as hard drives, USB drives, CDs and DVDs, tapes, and memory cards.

These devices and media are commonly used by many health care organizations to process, transmit, and store sensitive protected health information (PHI). Those who have physical access to these devices and media could potentially change configurations or information, install malicious programs, or access sensitive information––all of which could adversely affect the confidentiality, integrity, or availability of PHI.

The OCR reminded covered entities that they must implement policies and procedures governing the movement of hardware and electronic media containing electronic PHI (ePHI) in and out of an organization’s facility as well as internally to reduce the risk of loss, theft, and potential PHI breaches.

Health care organizations should consider the following questions when developing policies and procedures regarding device and media controls:

  • Is there a record that tracks the location, movement, modifications, repairs, and disposition of devices and media throughout their lifecycles?
  • Does the organization’s record of device and media movement include the individuals responsible for these devices and media?
  • Are workforce members, including management, trained on the proper use, transportation, and handling of devices and media to safeguard ePHI?
  • Are appropriate technical controls, such as access controls, audit controls, and encryption, in use?

HIPAA covered entities and business associates are required to have a security-management process in place that includes conducting a risk analysis and implementing a risk-management process to reduce risks and vulnerabilities. Asset inventory and tracking can help organizations identify, analyze, and manage risks associated with the devices and media used within their environments. Device and media inventory and tracking controls can also help organizations respond to and recover from security incidents and breaches. An organization’s risk analysis and risk-management processes should guide it to identify and implement its approach to appropriate device and media controls.

If you have questions regarding the content of this blog post, please contact Fran Ciardullo, special counsel, at fciardullo@barclaydamon.comor another member of the firm’s Health Care & Human Services Practice Area.

Featured Media

Alerts

RAPID Action: NYS Office of Energy Renewable Energy Siting and Transmission Announces Draft Regulations for New Transmission Siting Framework

Alerts

NYSDEC Issues Draft Freshwater Wetlands General Permit

Alerts

USPTO Updates Audit Program

Alerts

NYS DOL Publishes Long-Awaited FAQs on Paid Prenatal Leave Law

Alerts

Update on Massachusetts Pay Transparency Law Disclosures and EEO Reporting Requirements in 2025

Alerts

Massachusetts Employers Required to Provide Job Applicants Notice That Use of a Lie Detector Test Is Unlawful

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out