Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Blog Post

October 15, 2018

OCR Issues Further Guidance on Electronic Media and Devices

The US Department of Health and Human Services’ Office of Civil Rights published its August 2018 cybersecurity newsletter focusing on security considerations in the receipt, removal, and movement of electronic media and devices. These devices include laptops, smartphones, servers, desktops, and tablets as well as electronic storage devices, such as hard drives, USB drives, CDs and DVDs, tapes, and memory cards.

These devices and media are commonly used by many health care organizations to process, transmit, and store sensitive protected health information (PHI). Those who have physical access to these devices and media could potentially change configurations or information, install malicious programs, or access sensitive information––all of which could adversely affect the confidentiality, integrity, or availability of PHI.

The OCR reminded covered entities that they must implement policies and procedures governing the movement of hardware and electronic media containing electronic PHI (ePHI) in and out of an organization’s facility as well as internally to reduce the risk of loss, theft, and potential PHI breaches.

Health care organizations should consider the following questions when developing policies and procedures regarding device and media controls:

  • Is there a record that tracks the location, movement, modifications, repairs, and disposition of devices and media throughout their lifecycles?
  • Does the organization’s record of device and media movement include the individuals responsible for these devices and media?
  • Are workforce members, including management, trained on the proper use, transportation, and handling of devices and media to safeguard ePHI?
  • Are appropriate technical controls, such as access controls, audit controls, and encryption, in use?

HIPAA covered entities and business associates are required to have a security-management process in place that includes conducting a risk analysis and implementing a risk-management process to reduce risks and vulnerabilities. Asset inventory and tracking can help organizations identify, analyze, and manage risks associated with the devices and media used within their environments. Device and media inventory and tracking controls can also help organizations respond to and recover from security incidents and breaches. An organization’s risk analysis and risk-management processes should guide it to identify and implement its approach to appropriate device and media controls.

If you have questions regarding the content of this blog post, please contact Fran Ciardullo, special counsel, at fciardullo@barclaydamon.comor another member of the firm’s Health Care & Human Services Practice Area.

Featured Media

Alerts

Second Circuit Upholds New York State's Ivory Law, but Holds Display Restriction Unconstitutional

Alerts

$175 Million of Federal Funds Available for Electric Vehicle Chargers in New York State

Alerts

USFWS Issues Final Guidance on Northern Long-Eared Bat and Tricolored Bat

Alerts

IRS Guidance Excludes VA Service-Connected Disability Benefits From Certain Income Determinations for Qualified Residential Rental Projects

Alerts

Second Department: Objective Evidence Required to Establish Trivial Defect Defense

Alerts

NYS Department of Health Issues Consumer Protection Guidance on Payments for Health Care Services

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out