Q&A: Accessing PHI in public locations

November 5, 2020
Medicare Web

Q: Workers will likely remain remote for the foreseeable future, but as coffee shops and restaurants begin to reopen, it’s possible that employees may be accessing protected health information (PHI) in these locations. While it is best practice to avoid doing this altogether, what should employees do to avoid exposing PHI in this scenario?

A: If employees may be accessing PHI from a public location, it is important to provide training on social engineering. Tips like, “Sit with your back facing the wall and make sure no one can stand behind you and see your screen” can help reduce the risk of social engineering and breaches of PHI. Employees need to protect their mobile devices from loss or theft by keeping their devices with them, making sure they are encrypted, and making sure to not leave them in vehicles, where a passerby could view them. Employees need to be instructed to not leave their mobile devices unattended, even for a minute or two, when working in a public area such as a restaurant or coffee shop.

Editor’s note: Chris Apgar, CISSP, is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
