Whether you call it teleworking, remote access, or mobile access if you have any access to PHI outside of your office, you should have a HIPAA mobile access policy that applies to that activity. Any person that accesses your systems and data outside of your internal network should be trained and sign off on commitments to protect your PHI.
We’ve never specifically covered the topic of what should be included in a HIPAA mobile access policy. It is about time we did just that.
In this episode:
- HIPAA Boot Camp May 11/12, 2017 [1:20]
- Where’s Donna going next
- Mobile Access Policies [7:20]
- What controls do you need for your office? [12:58]
- What scenarios should your policies cover
- What should your staff be required to do for their remote access devices
HIPAA Mobile Access Policy Considerations
There are a lot things you should consider when defining your mobile access policy.
What kinds of controls do you need to have in place on your local network for remote access before you let others in?
- What resources will be accessible remotely?
- Cloud Apps directly or through your connection
- Use of open RDP SHOULD NOT BE USED ON PUBLIC IPs
- VPN for use on public wifi
- What devices are you going to allow to connect?
- Family computers used by kids?
- Public computers
What mobile access scenarios should the policy cover?
- Working from home (billing, transcription, accounting and reporting, clinical and diagnostics)
- Working in hotels and other public access locations.
- Working from other home networks (family visits, business partners)
What your staff must do to be eligible for remote access
- Device commitments
- Up to date software
Mobile access isn’t something you just do and not worry about it. So many things are opened up by allowing mobile access that you must consider, secure, and document.
Please remember to share us our on your favorite social media site and rate us on your podcasting apps, we need your help to keep spreading the word.
To help us out even more take our listener survey.