PHI Home Use Policy/Procedure

To customize this template document, replace all of the text that is presented in brackets (i.e. “[” and “]”) with text that is appropriate to your organization and circumstances. Many of the procedure statements below represent “best practices” for securing home use computing. These may not be feasible or available for your practice. Be sure this document reflects the actual practices and safeguards currently in place! Also remember to erase “notes” as needed.

NOTE: This sample policy and procedure is designed to support home use by workforce and contractors. A separate policy and procedure should be developed for “public setting” use such as at hotels, conferences, airports, coffee shops and so forth.

[Insert organization name]

Date Adopted:

Effective Date:

PHI Home Use Policies and Procedures

Purpose: To support secure access to ePHI and related systems from home by members of our workforce and to ensure appropriate security and privacy safeguards are in place.

Policy: It is the policy of [insert name] that remote access to paper or electronic PHI from workforce members’ homes adheres to appropriate security and privacy safeguards that ensure the privacy and confidentiality of this PHI.

It is also our policy to ensure that other forms of PHI that are accessed and used from workforce members’ homes are safeguarded and protected from unauthorized use or disclosure.

Privacy Procedures:

  1. Workforce members and/or contractors who wish to work with PHI at their homes or residences must have this approved in writing by the Privacy Official.
  2. Workforce members and/or contractors who wish to work with PHI at their homes or residences must have reviewed and signed this policy and procedure document and been trained on these procedures as well as any other related Acceptable Policies and Procedures.
  3. Paper forms of PHI that are removed from our office for home use must be signed out or otherwise documented prior to removal. The specific forms of documentation will follow the requirements set forth by the Privacy Official.
  4. Paper forms of PHI removed and transported out of the office for home use must be placed in a [secure and locking container] [Company issued or sanctioned container]; paper PHI cannot be carried or transported in a loose or unsecured state. This includes placement in purses or bags that do not provide a locking mechanism.[NOTE: Insert the appropriate type of transport containers or safeguards your organization has established--We recommend providing these for the workforce to ensure consistent use of an appropriate type of container.]
  5. Paper forms of PHI removed from this office and transported in your personal vehicle must be kept in your possession at all times; if you stop for an errand this PHI must be placed in the trunk if possible, or carried with you. Preferably, PHI should be placed into the trunk prior to departing from our organization’s parking area.
  6. If you are using public transportation the paper forms of PHI must be kept in your possession at all times.
  7. Once at home, paper forms of PHI must be secured in an area of your home that is not likely to be frequented by family members, friends, or others.
  8. Whenever paper forms of PHI are utilized at your home you will ensure that family and friends are not nearby or able to incidentally view the PHI. Whenever you leave the PHI it must be returned to the locked bag or container.
  9. Immediately report any loss, theft, or unauthorized access whether actual or suspected to the Privacy Official.

Administrative Safeguards:

  1. Immediately report any incident to the Security Official including:
  2. Personal or company computers or devices that exhibit unusual or unexpected behaviors such as:
  3. Operating more slowly than normal.
  4. Displaying unfamiliar or strange windows or icons.
  5. Unfamiliar websites that pop-up or open.
  6. Unfamiliar pop-up windows or alerts or prompts to re-enter passwords and user names.
  7. New programs in the start menu or menu bar.
  8. Unfamiliar error messages.
  9. Webcam (camera) activation (webcam light turning on) without your enabling this to occur.
  10. Sudden improvement in speed and operation.
  11. Unexpected computer failure.
  12. Loss or theft of smartphones, devices, storage drives, laptops, tablets or home computers if you have been allowed to use personal devices.
  13. Evidence of malware being installed and infecting your system.
  14. Inadvertent access to websites that are suspicious or falling victim to a phishing scheme email.
  15. Workforce members and contractors who wish to work with ePHI at their homes or residences must have reviewed and signed this policy and procedure document and been trained on these procedures as well as any other related Acceptable Policies and Procedures.
  16. NOTE FOR SECURITY OFFICIALS: Prior to allowing home use of ePHI it is recommended that you:
  1. Create clear Access protocols which will limit what data a remote user has access to based on their job description (this includes network files/folders, ePHI applications such as an EHR, Imaging systems, revenue cycle systems and so forth).
  2. Update internal audit protocols to incorporate periodic audit of home use access.

Physical Safeguards:

  1. Workforce members and/or contractors who wish to work with ePHI at their homes or residences must have this approved in writing by the Privacy and Security Official.
  2. Electronic forms of PHI that are removed from our office for home use must be signed out or otherwise documented prior to removal. The specific forms of documentation will follow the requirements set forth by the Security Official.
  3. Procedure 2 applies to ePHI that is on removable media such as USB memory drives, portable or removable hard drives and storage devices and other related devices.
  4. Before any portable or removable media is removed it must be encrypted using an encryption algorithmand key set up by the Security Official or their designee that provides a minimum of 256 AES encryption. Keys must also be secured (not written on the device or media or kept otherwise unsecured).NOTE TO SECURITY OFFICIAL: It is recommended that only company provisioned and properly secured devices and media be allowed. Furthermore all such devices and media must be inventoried and documented under this organization’s media and device control protocols.
  5. The workforce is not allowed to use their personal USB memory drives, or any personal device for storage of ePHI that is for removal or use. Home users may not copy ePHI while at home or remote onto other devices, including but not limited to:
  6. Personal USB drives
  7. Personal smartphones
  8. Personal computers
  9. Personal tablets
  10. Cloud storage such as personal dropbox or Google Drive
  11. ePHI removed and transported out of the office for home use, must be kept secure during transport and while at the home; ePHI cannot be carried or transported in a loose or unsecured state (this includes placement in purses or bags that do not provide a locking mechanism). Removable media and portable storage drives will be placed in [secure and locking container] [Company issued or sanctioned container]. NOTE: Insert the appropriate type of transport containers or safeguards your organization has established-We recommend providing these for workforce to ensure consistent use of an appropriate type of container]
  12. Laptops, tablets, and smartphones will similarly be kept in your possession and carried in locking computer bags where possible except for smartphones which will be kept on your person.
  13. ePHI removed from this office and transported in your personal vehicle must be kept in your possession at all times; if you stop for an errand this PHI must be placed in the trunk if possible, or carried with you. PreferablyePHI should be placed into the trunk prior to departing from our organization’s parking area. Since thieves will look for the removal and placement of laptops in your trunk at restaurants, service stations, shopping centers and so forth, it is especially critical to place laptops and tablets in the trunk before you leave our parking area or to carry these with you at all times. Smartphones shall not be left in plain view in a parked vehicle.
  14. If you are using public transportation the ePHI must be kept in your possession at all times.
  15. Once at home, ePHI must be secured in an area of your home that is not likely to be frequented by family members, friends or others.
  16. When ePHI is used at your home you will ensure that family and friends are not nearby or able to incidentally view the PHI on screens. Whenever you leave your workstation or device it must be logged off or set to a screen saver that requires a password for access.
  17. Whenever you leave your premises for an extended period of time all PHI and ePHI including devices shall be secured from possible theft or incidental use by house sitters, family, friends or others. If possible return all PHI and ePHI to the office prior to leaving unattended for an extended period of time.

Technical Safeguards:

  1. Follow all password and log in policies as instructed by the Security Official. Never share, write down, or show a password to any family, friend or others at your home.
  2. Devices used to access ePHI must be used only for that purpose. Workforce members are NOT allowed to use shared home or personal computers to access ePHI. [NOTE TO SECURITY OFFICIAL: You may find this a difficult procedure to enforce but it ensures that the devices in use to accessyour ePHI are only ones that you have assured are securely configured; if your organization cannot provision laptops or home devices (such as tablets) for home use, then include the following in this procedure:
  3. In order to utilize home devices that may be used by other members of your family, you must obtain written permission from the security official.
  4. The Security official will request proof that the home device requires a log in and password and that the password is complex with periodic change.
  5. The Security official will request proof that an up-to-date malware software is in place, and that the home device has a properly configured firewall installed. The malware software shall be configured for daily scans as well as virus signature updates at least daily.
  6. The Security official will request proof that the home device has been configured to automatically log off after the shortest period of time possible and in no case longer than [20] minutes.
  7. Encrypt laptop, tablet, or home-workstation where EMR will be accessed.
  8. Home devices shall not store any ePHI; this shall include a prohibition on storing company email (local outlook files or other), screen shots that are of ePHI, email attachments, or other ePHI. Workforce may only store ePHI to a local device if that device has been supplied and configured by the Security Official or their designee.
  9. The Security official may request the right to audit any home or personal computer used to access ePHI; access to this audit may not unreasonably be denied. Such an audit may be part of a formal investigation for a Security Incident or part of a periodic internal review process.]
  1. Home access through DSL, Cable, radio frequency, Mifi Cellular signals, or other broadband will require a strong method of wireless encryption. Wifi shall be set to WPA2 or higher with an encryption key of at least 10 complex characters.
  2. Home routers will have the default passwords changed and a complex password established.
  3. Workforce are not allowed to forward their company email to a personal email account.
  4. Workforce shall attempt to use their company issued DIRECT email accounts for transmission of ePHI wherever possible and practical.
  5. Workforce shall only access ePHI through secure sessions that have been established by the Security Official such as a VPN session, or a remote desktop session with a high level of security.
  6. At the request of the Security Official, workforce will provide access to any personal device if the Security Official needs access to investigate a security incident.
  7. At the discretion of the Security Official personal devices may be routinely reviewed and audited for suspicious activity or software.
  8. Follow all ePHI backup procedures as guided by your Security Official.

Note: Consider adding a signature line for workforce affirmation that they understand and accept these policies and procedures.

© 2014 PrivaPlan®Associates, Inc.

All rights reserved.