What Inventory Needs to be Tracked?
Required Inventory Tracking under HIPAA
A regulated entity must perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Conducting this risk analysis inherently requires maintaining an inventory of assets that handle ePHI.
Items Requiring Inventory Tracking
The inventory process primarily focuses on identifying and documenting every device and component that interacts with or stores Protected Health Information (PHI).
Regulated entities must have policies and procedures for Device and Media Controls that govern the receipt, removal, movement, and final disposition of hardware and electronic media that contain ePHI. This includes ensuring ePHI is removed from electronic media before the media are made available for re-use.
Devices with Access to Sensitive Data:
- Laptops, workstations, phones, tablets, and other mobile devices
  - This includes personal employee devices used for work, which typically requires a "Bring Your Own Device" (BYOD) policy
- Printers and computers
Data Storage and Hosting Solutions:
- Tracking the systems used for storing PHI is essential.
- Cloud environments and dedicated servers
  - Common cloud providers that require tracking and an associated Business Associate Agreement (BAA) include AWS, Azure, and Google Cloud (GCP).
- On-premise servers
Decryption Tools/Keys
Confidential processes or keys used for encrypting and decrypting PHI must be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
Media Containing Hard Copy Protected Health Information (PHI)
While the Security Rule focuses on ePHI, the Privacy and Breach Notification Rules apply to PHI in any form or media, whether electronic, paper, or oral. Proper destruction methods are required for media that store PHI:
- Paper, film, or other hard copy media
  - These must be shredded or destroyed such that the PHI cannot be read or reconstructed.
