EHR Access Controls and Credential Management
What it is
Electronic Health Record systems hold the most sensitive data in your organization, yet access controls are often loosely configured. Shared provider login credentials. Staff accounts never deactivated after departure. Generic admin accounts with no individual accountability. The principle of minimum necessary access — meaning each user should only see the PHI they need to do their job — is routinely violated in day-to-day practice workflows because it slows things down.
The impact
When a breach occurs and OCR investigates, the first thing they audit is access logs. If your EHR shows 15 people sharing the "Dr. Smith" account, you cannot prove who accessed what data or when. That ambiguity alone triggers a presumptive finding of non-compliance. Beyond OCR: a single compromised shared credential gives an attacker full access to every patient record in the system. Anthem's 79-million-record breach — one of the largest healthcare breaches in history — began with a compromised individual account.
One fix
Enforce unique user accounts for every person with EHR access — no exceptions. Map each role to the minimum necessary PHI scope. Implement automatic deprovisioning tied to your HR system so access is revoked within 24 hours of termination. Enable MFA on the EHR and your identity provider. Then run a quarterly audit of active accounts against your staffing roster — it takes 20 minutes and catches the orphaned accounts that pile up silently.
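As an added example (not code from the original article), one way to automate the quarterly roster reconciliation described above: it takes an EHR account export and an HR roster (constructed sample data; the field names and the `employee_id` join key are assumptions, not any vendor's schema) and flags shared logins, accounts with no HR record, terminated staff whose access outlived the 24-hour deprovisioning window, and accounts without MFA.

```python
from datetime import datetime, timedelta

# Constructed sample data in an assumed shape: an EHR user export and an
# HR roster keyed by employee id. Field names are not any vendor's schema.
EHR_ACCOUNTS = [
    {"username": "jsmith", "employee_id": "E100", "mfa": True},
    {"username": "mlee", "employee_id": "E101", "mfa": True},
    {"username": "rpatel", "employee_id": "E102", "mfa": False},
    {"username": "frontdesk", "employee_id": None, "mfa": False},
    {"username": "tgarcia", "employee_id": "E103", "mfa": True},
    {"username": "kwong", "employee_id": "E104", "mfa": True},
]
HR_ROSTER = {
    "E100": {"status": "active", "terminated": None},
    "E101": {"status": "active", "terminated": None},
    "E102": {"status": "terminated", "terminated": "2024-03-01T09:00:00"},
    "E104": {"status": "terminated", "terminated": "2024-03-09T17:00:00"},
    # E103 has no HR record: the account was created outside HR onboarding.
}
SAMPLE_NOW = datetime(2024, 3, 10, 8, 0, 0)  # fixed "now" for the sample run

def audit_accounts(accounts, roster, now, sla=timedelta(hours=24)):
    """Reconcile EHR accounts against HR and return (username, finding) pairs."""
    findings = []
    for acct in accounts:
        user, emp = acct["username"], acct["employee_id"]
        if emp is None:
            # No individual owner: a shared or generic login with no accountability.
            findings.append((user, "shared_or_generic_account"))
        elif emp not in roster:
            findings.append((user, "no_hr_record"))
        elif roster[emp]["status"] == "terminated":
            term = datetime.fromisoformat(roster[emp]["terminated"])
            if now - term > sla:
                # Past the deprovisioning SLA: this is an orphaned account.
                findings.append((user, "orphaned_after_termination"))
            else:
                findings.append((user, "termination_pending_revocation"))
        if not acct["mfa"]:
            findings.append((user, "mfa_disabled"))
    return findings
```

Each finding is one row for the documented review; the `termination_pending_revocation` case is there so a termination processed within the last 24 hours is visible without being counted as a miss.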
Vendor and Third-Party Risk Management
What it is
Your EHR vendor. The billing clearinghouse. The appointment reminder service. The IT MSP that manages your servers. The company that handles your medical records scanning. Every one of these vendors touches PHI — and HIPAA holds you responsible for all of them. Most practices have 15-30 vendors with some degree of PHI access, and the majority have never been through a formal Business Associate Agreement review or security assessment. "We signed a BAA" is not the same as "we've verified their security posture."
The impact
The Change Healthcare breach (2024) disrupted the entire US healthcare payment system and exposed data for potentially hundreds of millions of patients — not because Change Healthcare itself was negligent, but because a single unsecured Citrix portal served as a gateway to their entire network. Your practice's PHI is only as secure as the weakest vendor in your chain. OCR has levied multi-million-dollar fines specifically against covered entities for vendor security failures — the fine doesn't go to the vendor, it goes to you.
One fix
Maintain an active inventory of every vendor that touches PHI. For each vendor: current BAA on file, confirmed completion of a security questionnaire or audit in the last 12 months, documented point of contact and breach notification process. Prioritize vendors with broad network access or large PHI datasets. For the 3-5 vendors handling your most sensitive data, a 30-minute review of their SOC 2 report or security documentation is a disproportionately high-value activity for the time invested.
Mobile Device Policies and Endpoint Security
What it is
Practice managers and clinicians access the EHR from personal phones. Providers check patient records on tablets at home. The front desk team uses a shared laptop that hasn't had a security update in six months. Mobile devices with access to PHI are the most uncontrolled attack surface in most medical practices — not because anyone made a bad decision, but because no one formalized the policy or enforced it systematically. "We tell staff not to do that" is not a mobile device policy.
The impact
Lost and stolen devices are one of the most common sources of HIPAA breach reports. A provider's unencrypted phone with EHR access gets left in an Uber — if that device has any pathway to patient data, it's a reportable breach requiring OCR notification within 60 days. The fines are tiered by the level of negligence, and unencrypted mobile devices fall into the highest tier. Beyond loss: if a personal device running clinical apps is also used to browse untrusted sites or download sideloaded apps, it becomes a direct entry point into your PHI environment.
One fix
Write a formal mobile device policy covering: approved devices for PHI access, mandatory device encryption, screen lock requirements, MDM enrollment for anything accessing clinical data, and a remote wipe procedure for lost/stolen devices. Enforce via your EHR's mobile management settings or a lightweight MDM solution. The goal isn't to block mobile access — it's to ensure that if a device goes missing, you can render the PHI on it inaccessible within minutes, not hours.
Incident Response Planning (or Lack Thereof)
What it is
HIPAA requires a written incident response procedure — a documented process for what happens when you suspect a breach. Most practices have something vaguely resembling this in a policy binder that hasn't been updated in three years. Very few have a tested, actionable plan that covers: who makes the call to contain, how you preserve evidence without contaminating it, what to say to patients, when to bring in breach counsel, and what the OCR notification timeline looks like. The 60-day breach notification deadline is unforgiving — and it starts the moment you "discover" the breach, not the moment you confirm it.
The impact
The difference between a well-handled breach and a catastrophic one is often the first 24 hours. Practices that discover a breach with no response plan spend that time scrambling — calling the wrong people, making statements that contradict later findings, and worst of all, missing the 60-day notification window. OCR has imposed fines specifically for untimely breach reporting. The Premera Blue Cross breach (2014) exposed 11 million patient records partly due to delayed response — initial unauthorized access occurred months before discovery, and the delayed detection itself became a compliance finding.
One fix
Write a one-page incident response plan covering: who owns the initial containment decision (name, title, personal phone), who you call within the first hour (breach counsel, cyber insurance carrier, MSP), what you disconnect first (EHR, email), and how you communicate with staff and patients when the usual channels may be compromised. Test it in a 30-minute annual tabletop walkthrough. OCR doesn't expect a perfect plan — they expect a documented, executable plan that's been reviewed.
Unsecured Email and Text Communication with Patients
What it is
Sending appointment reminders via personal Gmail. Emailing lab results to a patient on an unencrypted link. Texting prescription refill requests through an unencrypted SMS gateway. Staff communicating patient information over WhatsApp because it's faster. HIPAA's minimum security standards for ePHI transmission are explicit — every transmission must be secured — but the pressure of daily clinical operations makes unencrypted channels the path of least resistance. And the moment you send ePHI over an unsecured channel, you've technically violated the Security Rule, whether or not a breach occurred.
The impact
OCR has consistently fined practices for unsecured electronic communications containing PHI, even when no data was actually breached. The enforcement logic: if you sent unencrypted ePHI, the risk of unauthorized disclosure existed, and you're required to document and address that risk. A 2023 OCR settlement with a medical practice included a $50,000 fine for sending patient information via unencrypted email — not because the email was intercepted, but because the transmission was unprotected. Beyond fines: if staff are using personal phones for clinical communication and those devices are lost or compromised, there's no way to audit or contain the exposure.
One fix
Audit every channel staff use to communicate about patient care. Migrate patient communications to a HIPAA-compliant messaging platform (many EHR vendors offer this built-in). If you use email for clinical communication, ensure it's encrypted end-to-end — and get patient acknowledgment that they understand the security limitations of unencrypted email when they provide their address. Document your transmission security policies and run a quick staff refresher. The goal isn't to eliminate email — it's to ensure every ePHI transmission is intentional and accounted for.
Missing Access Audits and System Activity Reviews
What it is
Your EHR logs every access event — who looked at which record, when, and from what device. This audit trail is one of HIPAA's most consistently enforced requirements: you must track and review system activity. Most practices have audit logging enabled but never review it. The data is there, but no one's looking at it. This matters because insider threats — a staff member accessing records they have no clinical reason to view — are a documented category of healthcare breach, and audit logs are your only detection mechanism for this category.
The impact
OCR has issued guidance specifically emphasizing that audit log review is not optional — it's a mandatory administrative safeguard. Practices that cannot demonstrate any audit log review activity face unfavorable inference during investigations. Beyond compliance: the 2022 Okta breach involved an insider accessing a support case management system without authorization — audit logs exist precisely to catch this type of behavior. Without a review process, you have no visibility into whether your own staff are accessing records appropriately.
One fix
Configure automated alerting for anomalous access patterns (a single user accessing an unusually high number of records, or records outside their normal patient panel). Run a monthly spot-check of audit logs — even 15 minutes reviewing outliers catches most abuse. Document each review: date, reviewer, findings, actions taken. If your EHR doesn't offer meaningful audit reporting, that's a security gap worth flagging to your vendor — and a risk to document in your risk assessment.
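As an added example (not from the original article), the two alerting rules described above, run over a constructed audit export: a user opening far more distinct records than peers, and any access to a patient outside that user's panel. The line format, the regex and the `PANELS` mapping are assumptions, since every EHR vendor exports audit data differently.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample audit export in an assumed line format; real EHR
# audit exports differ by vendor, so adapt LINE_RE to yours.
AUDIT_LOG = """\
2024-05-01T08:05:11 user=jsmith action=view patient=P100
2024-05-01T08:09:40 user=jsmith action=view patient=P101
2024-05-01T08:30:02 user=mlee action=view patient=P100
2024-05-01T08:31:15 user=mlee action=update patient=P102
2024-05-01T12:01:00 user=rpatel action=view patient=P100
2024-05-01T12:01:30 user=rpatel action=view patient=P200
2024-05-01T12:02:05 user=rpatel action=view patient=P201
2024-05-01T12:02:40 user=rpatel action=view patient=P202
2024-05-01T12:03:10 user=rpatel action=view patient=P203
2024-05-01T12:03:45 user=rpatel action=view patient=P204
2024-05-01T12:04:20 user=rpatel action=view patient=P205
"""

# Assumed patient panels: the records each user has a clinical reason to open.
PANELS = {
    "jsmith": {"P100", "P101", "P102"},
    "mlee": {"P100", "P101", "P102"},
    "rpatel": {"P100", "P101"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$")

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_anomalies(events, panels, volume_factor=3.0):
    """Flag users opening far more distinct records than their peers, and
    every access to a patient outside the user's panel."""
    per_user = defaultdict(set)
    out_of_panel = []
    for e in events:
        per_user[e["user"]].add(e["patient"])
        if e["patient"] not in panels.get(e["user"], set()):
            out_of_panel.append((e["user"], e["patient"], e["ts"]))
    counts = {u: len(p) for u, p in per_user.items()}
    # Compare each user against the median peer count rather than a fixed
    # number, so a busy clinic day does not trip the alert for everyone.
    baseline = median(counts.values()) if counts else 0
    high_volume = sorted(u for u, n in counts.items() if n > volume_factor * baseline)
    return {"counts": counts, "high_volume": high_volume, "out_of_panel": out_of_panel}
```

Calling `find_anomalies(parse_log(AUDIT_LOG), PANELS)` on the sample flags `rpatel` on both rules; the `out_of_panel` tuples carry the timestamp so each one can be followed up in the monthly review.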
Know your HIPAA exposure before OCR does.
Stratavise's free technology risk assessment covers access controls, vendor management, incident response, and the other gaps that don't show up on checklists. Get a prioritized finding report in under 10 minutes.