OCR: August 2018 Cyber Security Newsletter for HIPAA-Covered Entities

The HHS Office of Civil Rights (OCR) released its August 2018 Cyber Security Newsletter, which focuses on considerations for securing electronic media and devices. As a reminder, HIPAA-covered entities and business associates are required to implement policies and procedures to limit physical access to their electronic information systems and the facilities in which they are housed. Often, employer plan sponsors consider their HIPAA security obligations only in regards to their servers and office desktop computers. Consequently, they overlook the risks associated with devices such as laptops, smartphones and tablets as well as electronic media including hard drives, USB drives, CDs and DVDs, tapes and memory cards.

The newsletter offers practical recommendations to covered entities on how to safeguard electronic PHI (ePHI) stored on such devices and media. Covered entities should remember to:

  • Implement a policy and procedure to track the location, movement, modifications or repairs and disposition of devices and media throughout their lifecycle
  • Train workforce members, including management, on the proper use and handling of devices and media to safeguard ePHI
  • Implement appropriate technical controls including access controls, audit controls and encryption

Employer plan sponsors who are responsible for the safeguarding of ePHI for their group health plans should review the newsletter and revise their policies and procedures as necessary.

OCR August 2018 Cyber Security Newsletter »