Risk: Lack of procedures defining the use of electronic devices
Explanation: Different electronic devices are used to access ePHI. These devices include desktops, laptops, mobile devices and tablets. These electronic devices may be used within the practice building, or from homes and other places. If there is not defined procedure on how to use these devices to access ePHI, including what not to do using these devices, then there is a risk of ePHI being compromised.
Major Mitigation: Specific policies and procedures must be defined that spells out how ePHI needs to be accessed. In other words, a clear description of what can be done and what cannot be done in the devices that are used to access ePHI. For example, it can be defined that in the devices that are used to access ePHI, no other software program without prior permission can be installed and used. Or it can be defined that no personal emails or social media sites can be accessed through these devices. These policies can be defined to the level of detail as deemed appropriate. For example, a policy can just define what can be done or what cannot be done by the device types. Or it can very specific, detailing each electronic device by their ID, and describing how it must be used. Also separate policies must exist for those devices which are used to access ePHI remotely. Also the scenarios where the staff brings in their own devices to the workplace needs to considered, and policies governing their use must be defined.
Secondary Mitigation: The environment surrounding the devices used to ePHI is also to be considered. Policies and procedures describing how the environment must be that houses the devices when they are used to access ePHI must be written down. For example, a policy can be defined that privacy filters needs to be installed on desktop monitors to so that ePHI is not visible to others nearby. Another example is, a policy that mentions that all ePHI information access is done only on a particular floor of the building, where unauthorized persons will not have entry.
Success Criteria: Regular audits and reports of these audits along with the risk assessment reports can be used to know whether there is risk of ePHI being compromised in this manner.