What’s in Scope of a HIPAA Security Compliance Audit?

The first step in conducting a HIPAA security compliance audit is to “take inventory” of the electronic protected health information (ePHI) environment. The ePHI environment is that portion of the IT environment where ePHI is created, received, maintained, or transmitted. It is the environment that HIPAA’s Security Rule is meant to protect. Consequently, any application that is involved in the creation, receipt, maintenance, or transmission of ePHI is subject to HIPAA’s security requirements. We refer to these as “ePHI applications.” These applications and the supporting IT infrastructure define the scope of a typical HIPAA security assessment and can include databases, servers, network devices, security appliances, etc.

An organization should complete its inventory of the ePHI environment and identify the applications that create, receive, maintain, or transmit ePHI. For the healthcare provider, the list of applications should include the patient admissions, management, and billing applications as well as those used for clinical purposes. For the health insurer, it will include the core insurance applications such as claims processing. For everyone, including business associates, it may include applications like the email system, data warehouse, file shares, and even the problem ticketing system. For example, we recently included a software bug tracking application in a client’s inventory because their developers had attached ePHI-laden screen shots to the software defect record.

In summary, the ePHI environment defines the scope of a HIPAA security compliance audit, and it is as large or as small as the path of ePHI through the organization: every system that ePHI reaches, whether by design (admissions, clinical, claims) or by accident (the bug tracker above), is in scope, along with the infrastructure that stores, backs up, or transmits it.
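The inventory step described above amounts to following ePHI along its data flows and adding any system where it turns up unexpectedly. The script below is an added example, not code from the original post: it takes a constructed set of declared data flows, treats the systems that create or receive ePHI as starting points, computes everything ePHI can reach, and additionally pulls in systems where a scan of sample content (here, text extracted from ticket attachments, constructed for illustration) shows ePHI indicators such as an MRN or date of birth. All system names, flows, content and indicator patterns are assumptions for the example; hits from the content scan are prompts for a human reviewer to confirm, not a determination on their own.

```python
"""Scope an ePHI environment: declared data flows plus content-scan discovery.

Added example (not from the original post). All system names, data flows,
sample content and indicator patterns below are constructed for illustration.
"""
import re
from collections import deque

# Constructed inventory: each system and the systems it sends data to.
# An edge A -> B means "data flows from A to B".
DATA_FLOWS = {
    "patient-admissions": ["ehr-db", "billing"],
    "ehr-db": ["data-warehouse", "backup"],
    "billing": ["claims-clearinghouse", "email"],
    "data-warehouse": ["bi-reports"],
    "email": [],
    "backup": [],
    "bi-reports": [],
    "claims-clearinghouse": [],
    "bug-tracker": ["bug-tracker-db"],
    "bug-tracker-db": [],
    "hr-payroll": ["hr-db"],
    "hr-db": [],
}

# Systems where ePHI is created or received: the declared roots of the path.
EPHI_SOURCES = {"patient-admissions"}

# Constructed text extracted from systems NOT on the declared ePHI path
# (for example, ticket attachments run through OCR). Constructed sample data.
SAMPLE_CONTENT = {
    "bug-tracker": [
        "Defect 4412: chart view crashes for MRN 00928311, DOB 1974-03-02",
        "Unit test failure in date parser",
    ],
    "hr-payroll": [
        "Payroll run for pay period 14 completed",
    ],
}

# Heuristic ePHI indicators (assumed patterns; tune for your own identifiers).
EPHI_INDICATORS = [
    re.compile(r"\bMRN\s*#?\s*\d{6,}\b", re.IGNORECASE),
    re.compile(r"\bDOB\s*:?\s*\d{4}-\d{2}-\d{2}\b", re.IGNORECASE),
]


def discover_sources(content):
    """Return {system: [matching snippets]} for systems whose content shows
    ePHI indicators. Every hit should be confirmed by a reviewer."""
    hits = {}
    for system, texts in content.items():
        matched = [t for t in texts if any(p.search(t) for p in EPHI_INDICATORS)]
        if matched:
            hits[system] = matched
    return hits


def in_scope(flows, sources):
    """Return every system reachable from any ePHI source (breadth-first
    search over the data-flow graph; the seen set handles cycles)."""
    seen = set(sources)
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for downstream in flows.get(node, ()):
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen


def audit_scope(flows, declared_sources, content):
    """Combine declared sources with discovered ones and compute the scope.
    Returns (sorted in-scope systems, sorted out-of-scope systems, discovered hits)."""
    discovered = discover_sources(content)
    sources = set(declared_sources) | set(discovered)
    scope = in_scope(flows, sources)
    out_of_scope = set(flows) - scope
    return sorted(scope), sorted(out_of_scope), discovered


if __name__ == "__main__":
    scope, out, found = audit_scope(DATA_FLOWS, EPHI_SOURCES, SAMPLE_CONTENT)
    print("In scope:", ", ".join(scope))
    print("Out of scope:", ", ".join(out))
    for system, snippets in found.items():
        print(f"Review: {system} added to scope because of {len(snippets)} hit(s)")
```

Run as is, the declared flows alone put eight systems in scope; the content scan adds the bug tracker and its database, while the HR systems stay out because no ePHI indicator and no flow reaches them. Replace the constructed flows with your own data-flow diagram and the sample content with real exports to reuse the same logic.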
