Health Information Management

HIPAA Q&A: Taking PHI home

HIM-HIPAA Insider, October 5, 2009

Q. Several weeks ago, some security specialists indicated that their staff members take paper PHI home with them to get caught up on their work. Is taking PHI home to process it legal?

. Yes, workforce members may process electronic and nonelectronic PHI remotely from their homes. The HIPAA security and privacy rules do not prohibit this practice. However, the rules do require adoption of appropriate remote access policies, procedures, and practices that include transporting the PHI securely and reasonably ensuring that it is secure when processed remotely.

Taking PHI home represents an additional security risk, as does any work performed remotely that requires access to electronic or nonelectronic PHI. A significant risk exists when organizations fail to implement appropriate remote policies, procedures, and practices and fail to monitor remote access and PHI use regularly.

CMS published remote access guidelines in 2007 that facilities and their remote workers should follow. The guidelines do not address remote use of paper PHI, but they include guidelines to minimize risk.

Taking any PHI home creates new environments that need to be secure—the mode of transportation a full- or part-time teleworker uses to carry PHI and the home where he or she accesses it.

Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.

Most Popular