There are many benefits of allowing staff to work from home but there are many risks too. The Office for Civil Rights (OCR) has fined many companies that have not properly managed this process.

An employee losing equipment and data containing Protected Health Information to theft while traveling cost one company hundreds of thousands of dollars in fines. Courts have ruled against companies that do not have the proper policies in place to protect information.

Here are some best practices for permitting working from home or on the road:

  • The company's HIPAA Policies and Procedures must contain the relevant parts regarding staff working from home.
  • Keep a list of the staff members who are permitted to work from home or on the road, together with an inventory of what information each of them is allowed to hold and/or access.
  • Ensure that all access and data transmissions are encrypted with the latest technologies.
  • Ensure all passwords have been changed from when they were first issued including default and temporary passwords.
  • All devices that access Protected Health Information should be set up by qualified technical personnel.
  • Ensure that anti-virus and anti-malware are in use at all times and get daily updates.
  • Ensure that staff only work from authorized locations and connect using authorized networks. This means no public Wi-Fi without the proper safeguards.
  • Staff should not use personal equipment to connect or use Protected Health Information. Corporate owned laptops and phones should be used.
  • Friends and family of staff members should never use the issued corporate devices.
  • Appropriate agreements should be in place with staff, such as Confidentiality Agreements, to ensure they understand the need to protect sensitive information.
  • Staff members who are allowed to take physical documents home must have adequate security in place to protect those documents.
  • Remote workers must disconnect from networks and applications that have access to or contain sensitive information when they have completed their assignments.
  • Staff members must not use personal devices such as USB drives to store Protected Health Information.
  • Access logs must be monitored for unauthorized or improper access and attempts.
  • Accounts must be immediately restricted, removed or disabled when staff members leave the company or their remote access is no longer required.
  • Finally, don't forget your Business Associates. Most work from outside your locations and the appropriate agreements, policies and procedures, and monitoring must be in place.
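Several of the items above (the roster of permitted remote staff and their information inventory, authorized networks only, monitoring access logs, and promptly disabling accounts) can be checked mechanically against a remote-access log. The script below is an added illustration written for this post, not code from the original author; the log format, the roster, the network ranges and the sample log lines are all constructed for the example, so a real deployment would substitute its own VPN or application logs and its own policy lists.

```python
"""Review remote-access log lines against a work-from-home policy.

Assumed log format (constructed for this example, not from the original post):
    <ISO timestamp> user=<id> src=<ip> result=<success|failure> resource=<name>
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Hypothetical roster: who may work remotely, and which resources they may access.
REMOTE_STAFF = {
    "alice": {"ehr"},
    "bob": {"billing", "ehr"},
}
# Hypothetical authorized networks (e.g. the corporate VPN address pool).
AUTHORIZED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Accounts whose remote access has been withdrawn (should already be disabled).
DISABLED_ACCOUNTS = {"carol"}
FAILURE_THRESHOLD = 3  # repeated failures per user that warrant a closer look


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    success: bool
    resource: str


def parse_line(line: str) -> Event:
    """Parse one log line in the assumed key=value format."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(
        when=datetime.fromisoformat(ts),
        user=kv["user"],
        src=ipaddress.ip_address(kv["src"]),
        success=kv["result"] == "success",
        resource=kv["resource"],
    )


def review(lines: list[str]) -> list[str]:
    """Return one finding per policy violation, in log order."""
    findings: list[str] = []
    failures: dict[str, int] = {}
    for line in lines:
        ev = parse_line(line)
        tag = f"{ev.when.isoformat()} {ev.user}@{ev.src}"
        # Accounts that should have been removed or disabled must never appear.
        if ev.user in DISABLED_ACCOUNTS:
            findings.append(f"{tag}: attempt by account whose remote access was withdrawn")
        elif ev.user not in REMOTE_STAFF:
            findings.append(f"{tag}: user not on the remote-work roster")
        # Only authorized networks (no unprotected public Wi-Fi) are acceptable.
        if not any(ev.src in net for net in AUTHORIZED_NETWORKS):
            findings.append(f"{tag}: connection from unauthorized network")
        # Successful access must stay within the user's information inventory.
        if ev.success and ev.user in REMOTE_STAFF and ev.resource not in REMOTE_STAFF[ev.user]:
            findings.append(f"{tag}: accessed {ev.resource!r}, which is outside the user's inventory")
        # Repeated failed attempts are reported once, when the threshold is reached.
        if not ev.success:
            failures[ev.user] = failures.get(ev.user, 0) + 1
            if failures[ev.user] == FAILURE_THRESHOLD:
                findings.append(f"{tag}: {FAILURE_THRESHOLD} failed attempts")
    return findings


# Constructed sample log: one clean session, one from an unauthorized network,
# three failures by a withdrawn account, one out-of-inventory access, one unknown user.
SAMPLE_LOG = [
    "2024-03-04T09:02:11 user=alice src=10.20.4.7 result=success resource=ehr",
    "2024-03-04T09:15:40 user=bob src=198.51.100.23 result=success resource=billing",
    "2024-03-04T09:20:03 user=carol src=10.20.9.1 result=failure resource=ehr",
    "2024-03-04T09:20:30 user=carol src=10.20.9.1 result=failure resource=ehr",
    "2024-03-04T09:21:02 user=carol src=10.20.9.1 result=failure resource=ehr",
    "2024-03-04T10:05:55 user=alice src=10.20.4.7 result=success resource=billing",
    "2024-03-04T11:30:12 user=dave src=10.20.7.3 result=success resource=ehr",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run as-is, the script reports seven findings for the constructed log: Bob's session from a non-corporate address, three attempts by an account that should already be disabled (plus the repeated-failure alert when the third one lands), Alice reaching a resource outside her inventory, and an unlisted user. Because the policy lists live in one place at the top, the same review can be re-run whenever the roster or the authorized networks change, which is exactly the bookkeeping the list items above call for.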

Although not an all-inclusive list, this should help get you started with allowing staff to work from home, hotels or anywhere else, and protect your organization from having a data breach and the potential for bad publicity and fines.




All services provided under the direction of a Certified Chief Information Security Officer (C|CISO) and a Certified HIPAA Compliance Officer (CHCO).