Best Practices for Working Remotely


Working remotely has become a common practice for organizations to try to maximize the number of productive work hours in a day. The need for instant access to patient Protected Health Information (PHI) and the benefits working remotely provides has made the availability of working remotely a higher priority.  Allowing employees to work remotely allows for flexible work arrangements, enhances recruitment efforts of quality employees, increases employee’s job satisfaction, increases staff retention, and it can save the organization money by not having the employee on-site.



While working remotely can provide many benefits to employees and the organization, it is important for practices to implement appropriate safeguards to maintain the privacy and security of PHI.


What risks are there?

HIPAA requires that organizations develop mechanisms for addressing certain risks for remote working including:

  • Theft of unencrypted portable devices

  • Inappropriate access by family members or others at home or in remote locations

  • Unauthorized downloading of ePHI

  • Inadequate virus protection

  • Data corruption

  • System hacking

  • Inappropriate disposal of devices

  • Data moved to an external device outside the organization

  • Data intercepted during transmission


What controls can I put in place?

While it is impossible to take away all risks, some control can be attained by establishing technical and administrative safeguards.  Some controls practices can employ include:

  • Implementing 2-factor authentication

  • Utilizing a virtual network with controlled access

  • Proper clearance procedures to remote access

  • Proper training for employees

  • Specific policies and procedures for remote work

  • Session time-out controls

  • Firewall software in place

  • Continuously update security software in place

  • Track devices used remotely and the movement of those devices

  • Encryption, password management, virus protection, and patches that are continuously maintained and monitored

  • Proper data backup procedures

  • Crosscut shredder in place in remote locations

  • Change default off-site wireless router passwords to more difficult and complex ones


What else do I need to consider?

HIPAA requires the practice to put in place controls that are reasonable and appropriate for the practice.  This means the practice will need to evaluate their own need for off-site use or access to ePHI first when deciding security measures to use.  The practice should consider the following:

  • Size, complexity, and capabilities of their organization

  • Technical infrastructure of the organization

  • Costs of security measures

  • Probability and criticality of potential risks to ePHI



Health care data is a main target in today’s world.  Cybercriminals target Social Security Numbers,  insurance information, and any other data with market value.   It is vital to your organization’s success to have well thought out remote working controls in place.



If you find this information to be useful, please subscribe to our blog here.