Corporate Compliance

Q&A: Processing PHI at home

Compliance Monitor, May 27, 2009

Q: Is taking PHI home to process it legal?

A: Yes, work force members may process electronic and nonelectronic PHI remotely from their homes. The HIPAA security and privacy rules do not prohibit this practice. However, the rules do require adoption of appropriate remote access policies, procedures, and practices that include transporting the PHI securely and reasonably ensuring that it is secure when processed remotely.

This practice represents an additional security risk, as does any work performed remotely that requires access to electronic or nonelectronic PHI. A significant risk exists when organizations fail to implement appropriate remote policies, procedures, and practices and fail to monitor remote access and PHI use regularly.

CMS published remote access guidelines in 2007 (available at, which facilities and their remote workers should follow. The guidelines do not address remote use of paper PHI, but they include guidelines to minimize risk. Taking any PHI home creates new environments that need to be secure (e.g., the mode of transportation a full- or part-time teleworker uses to carry PHI and the home where he or she accesses it).

This question was answered by Chris Apgar, CISSP in the June 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.

Most Popular