Step 2: Assess

Consider how mobile devices affect the risks (threats and vulnerabilities) to the health information your organization holds.

Conduct a risk analysis to identify the risks to your organization. If you are a solo provider, you may conduct this risk analysis yourself. If you work in a larger organization, the organization may conduct the risk analysis.

A risk analysis will help determine the safeguards, policies, and procedures your organization needs. It should include reviewing risks created by all mobile devices used to communicate with your internal networks or systems, regardless of whether the devices are personally owned or provided by the organization.

Perform a risk analysis periodically and whenever there is a new mobile device, a lost or stolen device, or suspected compromised health information.

After conducting a risk analysis, document:

  1. Which mobile devices are being used to communicate with your organization’s internal networks or systems (e.g., the EHR system or Health Information Exchange (HIE)),
  2. What information is accessed, received, stored, and transmitted by or with the mobile device, and

Related resource: HHS OCR HIPAA Security Series, Basics of Risk Analysis and Risk Management