In the past year, our workforce has become more mobile, working on-site or from home. As a result, human service agencies are looking for guidance on HIPAA security for remote computing. The Department of Health and Human Services (HHS) has published guidance for protecting PHI in a remote environment.

HHS Guidance

Some highlights of the HHS document include:

  • Risk analysis and risk management strategy: How many employees work remotely? How do remote users connect to your network? What equipment do employees use to connect? Use this information to develop risk management strategies based on your findings. Develop processes to verify that policies are being followed. Continue to evaluate and improve your risk management strategies regularly. As a result of these strategies, risks and vulnerabilities can be reduced to a reasonable and appropriate level.
  • Policies and procedures: Develop and implement policies and procedures to protect electronic PHI data stored on removable devices. According to HHS, covered entities must establish and enforce these policies and procedures. If there is no policy or a policy is not followed, it can be considered willful neglect on the part of the agency. These policies and procedures should address:
    • protecting PHI stored on portable devices and transportable media.
    • securing PHI transmitted over an electronic communications network.
    • authorizing access to PHI to ensure that only employees who have been trained and have proper clearance are granted access.
  • Security awareness and training: HHS requirements include implementing a workforce security awareness and training program to address vulnerabilities associated with remote access to PHI. The program should also include cybersecurity awareness training addressing password management procedures, remote device/media protection, and data security around open networks and public computers.

Cybersecurity Assistance

A good cybersecurity evaluation tool like the CyberSecure Toolkit powered by Simple Plan IT provides an easy way to assess your risk. It will also guide you to establish policies and procedures addressing any issues that are uncovered during the assessment. The CyberSecure Awareness Training powered by Simple Plan IT provides the security awareness training and testing needed to ensure the workforce understands why cybersecurity is so important. Together, these tools will help you implement the HHS Guidelines and reduce your cybersecurity risk.
