Q. Can an employee work from home under HIPAA?
A. Yes, as long as you implement the appropriate security to protect data accessed from the employee's home.
Whether the remote employee connects directly into your practice network or accesses cloud-based software, the employee must be able to connect securely. The computer the employee uses to connect to your network or applications must meet the same security standards as the computers in your office - this includes installing antivirus software and security updates for the operating system and software applications.
How can you ensure you and your employees who work from home comply with HIPAA?
- Analyze your risk. Will the employee connect to the practice network or access a cloud-based system? Will the employee use his or her own computer, or will you provide the computer?
- Implement your policy. Some of the safeguards for remote connection and working at home may be different from those implemented in your practice. Make sure your policy is accurate! If you don't follow your written policy, you can be fined for willful neglect.
- Monitor and audit. Make sure you have processes in place to verify that your policy is being followed. Is the remote connection secure? Is the employee's home computer being updated with the latest security updates?
- Conduct ongoing risk management. If you install new software that a remote employee needs to access, you may need to update your policy to include the new software and update your process to include verifying the connection is secure.
Remember, if it isn't documented, it didn't happen. Make sure you are documenting your risk analysis, policy and implementation, monitoring, and ongoing risk management.
Visit the TMA HIPAA Resource Center to find tools, information, education, and consulting to help you become HIPAA security compliant.
Published June 11, 2015
Last Updated On May 30, 2019