30 Days of Compliance Q&As #25: Does This Device Need To Be Monitored for HIPAA e-PHI Compliance?

Independent of the size of the organization, internal regulations, or the number of subject matter experts on staff, it seems like the same old questions always comes up, “Does this device need to be monitored for HIPPA compliance?”.

As a general rule, all servers and devices that are part of the creation, receiving, maintaining, storing, or transmitting e-PHI data are subject to HIPAA compliance. The answer to this question is more often “yes” then “no”, but may call in the “it depends” category.

1. Let¹s start with creation and receiving. This includes all applications that are involved in the creations, editing, or viewing of e-PHI data. This includes, but is not limited to desktop computer, tablet computers, laptops, PDAs, all other devices wired, wireless, and portable that perform similar functions, and electronic media stored in its immediate environment.
2. Transmission of e-PHI data occurs next. This includes all devices involved in getting the e-PHI data to and from the storage and the creation/receiving device. This includes, but is not limited to all servers and devices (applications, servers, switches, routers, firewalls…) that are part of the transmission.
3. Storage and maintenance of data is the final requirement, and includes databases and storage devices, software, and hardware.

The sole purpose of HIPAA is to identify and protect against reasonably anticipated threats to the security or integrity of PHI data including the impermissible use or disclosure of such data by the trusted workforce.

To facilitate your HIPAA compliance, start by understanding where the entire flow of where your e-PHI data is created, used, transmitted, used, and stored. All devices involved along this path are subject to HIPPA compliance because they could potentially be exploited.

To reasonably anticipated threats:

1. Think like a hacker … “How could I get data from this app/server/device?”

If you can think of a potential way of getting e-PHI data from a server or device, then it is most likely subject to HIPAA compliance.

2. Think like a trusted insider with malicious intent

“How can I circumvent the existing policies and procedures to gain access to, and retrieve the desired data?

If you are still unsure about a server or device because of a special circumstance, or a non-standard procedure or flow, consult with your HIPPA auditor. Your auditors will have the final say. It is also easier to get your auditors involved early so that it is done right the first time.

AccelOps’ out-of-the-box HIPAA Business Service and HIPAA compliance suite gives you full stack visibility into the applications, servers, network, and devices that are subject to HIPPA security, performance, availability, and change compliance.

Contact us if you would like to see our full stack-monitoring platform in action, or if you have any other questions. We’re here to help!