In addition to enforcing compliance with the Privacy and Security Rules, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services issues guidance for HIPAA covered entities in the form of newsletters. The August 2018 Cybersecurity Newsletter may have gotten lost in the end-of-summer vacation and Labor Day shuffle, but given the near daily stories of data breaches resulting from internal staff errors, hackers and technical failures, the physical safeguard vulnerabilities of portable media and devices merit review.
In the newsletter, the OCR concedes healthcare organizations deploy myriad electronic devices, including hardware such as desktop workstations, laptops, smartphones, and tablets; as well as electronic media storage devices, like hard drives, USB/thumb drives, CDs/DVDs, tapes and memory cards. With the possible exception of larger hardware like servers and desktops, theft or loss is a risk. The PHI contained on devices and media can also be compromised by improper disposal. The newsletter also offers suggestions on questions covered entities should ask internally when developing policies and procedures to reduce risks of loss, theft, and/or breach of PHI through appropriate Physical Safeguards and device/media tracking.