Remote Employees, PHI, and COVID-19: HIPAA Security Checklist for Employers

Remote work accelerated by COVID-19 changed how teams access and handle Protected Health Information. This checklist helps you translate HIPAA’s administrative, technical, and physical safeguards into practical controls for distributed workplaces.

Use it to standardize decisions, reduce risk, and document due diligence. Each section aligns with core HIPAA expectations while addressing the realities of home offices, shared networks, and mobile devices.

Update Remote Work Policies

Start with clear, written policies that define how remote staff access, create, transmit, store, and dispose of PHI. Reaffirm the Minimum Necessary Standard so employees access only what they need to perform their roles.

What to clarify

• Authorized roles, systems, and data types employees may use remotely, including explicit approval for telework involving PHI.
• Bring Your Own Device (BYOD) rules, minimum device baselines, and monitoring/MDM enrollment requirements.
• Permitted storage locations, printing restrictions, and home-office physical safeguards.
• Use of Virtual Private Network, multifactor authentication, and HIPAA-Compliant Communication tools.
• Vendor use and Business Associate oversight for any service touching PHI.
• Reporting channels and timelines for lost devices, suspected incidents, or policy exceptions.

Enforce Device Security

Harden every endpoint that can touch PHI—laptops, tablets, phones, and remote desktops. Document your Encryption Standards and verify them through automated compliance checks.

Essential controls

• Full-disk encryption using strong, validated crypto; enforce secure boot and modern OS versions.
• MDM/EDR for configuration, patching, threat detection, remote lock/wipe, and inventory accuracy.
• Least-privilege local accounts, blocked admin rights, USB/media controls, and automatic screen locks.
• Application allowlisting for PHI-related workflows; disable risky browser extensions and personal email access for PHI.
• Secure, tested backups for critical systems; protect encryption keys and recovery material.

Utilize Secure Communication Tools

Select platforms that support HIPAA-Compliant Communication end to end. Require BAAs where applicable and validate the vendor’s security posture.

Messaging, email, and meetings

• Use encrypted messaging with access logs, retention controls, and role-based spaces for clinical vs. admin use.
• Enforce modern transport security for email, disable auto-forwarding to personal accounts, and apply DLP for PHI terms and patterns.
• For video, require authenticated participants, waiting rooms, host controls, and restricted recording; store recordings only in approved, encrypted repositories.
• Use secure file transfer or approved cloud storage with link expiration and Role-Based Access Control.

Strengthen Network Security

Assume home networks are semi-trusted. Create secure tunnels, validate device posture, and reduce exposure to internet threats.

Network protections

• Require a Virtual Private Network or zero trust network access for PHI systems, with MFA and device health checks.
• Enable host firewalls, DNS filtering, and safe browsing protections; block known malicious domains.
• Prohibit public Wi‑Fi for PHI unless using approved tethering or secure hotspots.
• Disable direct RDP and other inbound services; use brokered, logged access pathways.
• Centralize logs for network, identity, and endpoint events to support detection and investigations.

Implement Access Control

Map data access to job functions, then automate enforcement. Combine Role-Based Access Control with the Minimum Necessary Standard to keep permissions tight and auditable.

Access practices

• Use SSO with MFA for all PHI systems; include conditional access based on device trust and location.
• Provision on hire via standardized roles; remove access immediately on role change or separation.
• Apply just-in-time, time-bound elevation for special tasks; log and review all privileged activity.
• Segment environments (prod/test/support) and restrict service accounts with vaulted, rotated secrets.

Conduct Training and Awareness

Make remote-specific security habits second nature. Short, frequent touchpoints outperform annual lectures.

Focus areas

• Recognizing PHI, following the Minimum Necessary Standard, and using approved tools only.
• Phishing and social engineering simulations tailored to remote scenarios (delivery scams, MFA fatigue, QR codes).
• Secure meeting practices, privacy when speaking, and handling printed materials at home.
• How to report incidents quickly and what details to include.

Ensure Physical Security

Home offices must provide reasonable safeguards for PHI. Address visibility, access, and environmental risks.

• Use privacy screens, lockable storage, and clean-desk practices; avoid shared family devices.
• Position monitors away from windows; mute smart assistants; verify who can overhear calls.
• Secure courier processes for shipping devices and records; require signature and tamper‑evident packaging.

Manage Data Disposal

Apply defensible, consistent data lifecycle controls. Destruction must be irreversible and documented.

• Define retention for each PHI data set; prohibit local hoarding of files, screenshots, and exports.
• Use approved shredding for paper and certified wiping or physical destruction for media and devices.
• Enable remote wipe for lost or reassigned endpoints; verify and log successful sanitization.
• Ensure vendors follow equivalent disposal standards and provide certificates of destruction.

Establish Incident Response

Prepare for remote-first investigations. Your plan should specify roles, decision trees, communications, evidence handling, and Breach Notification Procedures.

Response steps

• Detect and triage quickly; isolate affected accounts/devices; preserve logs and artifacts.
• Perform a risk assessment for PHI exposure and document scope, data types, and affected individuals.
• Execute Breach Notification Procedures as required by HIPAA—notify impacted parties and regulators without unreasonable delay and, when applicable, no later than 60 days.
• Remediate root causes, verify fixes, and run a post‑incident review to strengthen controls and training.

Monitor Compliance

Trust, but verify. Continuous monitoring shows whether policies and controls work as designed and stay aligned with HIPAA requirements.

Operational oversight

• Automate checks for encryption, patching, MFA, and configuration drift across devices and apps.
• Review access logs, admin actions, and data movement; alert on anomalies and Minimum Necessary violations.
• Conduct periodic risk analyses, internal audits, and vendor reviews; track corrective actions to closure.
• Report KPIs to leadership (e.g., time to patch, training completion, incident MTTR, access review cadence).

Conclusion

By updating policy, hardening devices, securing communications and networks, tightening access, educating people, enforcing physical safeguards, disposing of data correctly, preparing for incidents, and monitoring continuously, you create a resilient, HIPAA-aligned remote work program that protects PHI wherever your team works.

FAQs.

What are the key HIPAA requirements for remote employees during COVID-19?

Remote staff must follow the same HIPAA Security Rule safeguards as on‑site teams: administrative (policies, training, risk analysis), technical (access control, audit logs, transmission security, strong Encryption Standards), and physical (workspace protections). Apply the Minimum Necessary Standard, use HIPAA-Compliant Communication tools, require MFA and secure tunneling, maintain audit trails, and ensure BAAs for any vendor handling PHI.

How should employers secure devices used for accessing PHI remotely?

Standardize device baselines with full‑disk encryption, current OS/patches, MDM/EDR, MFA, and automatic screen locks. Restrict admin rights and USB storage, separate personal and work data, and store PHI only in approved locations. Enable remote lock/wipe, verify backups, and inventory every endpoint that can reach PHI.

What steps should be taken in case of a PHI breach involving remote workers?

Contain quickly (isolate devices, reset credentials), preserve evidence, and assess what PHI was exposed and to whom. Execute documented Breach Notification Procedures, notifying affected individuals and regulators as required. Remediate root causes, reinforce training, and update controls to prevent recurrence.

How can employers ensure ongoing HIPAA compliance for remote work environments?

Adopt continuous monitoring for configurations, access, and data flows; perform regular risk analyses and access reviews; and track KPIs that reflect real control performance. Refresh training, test incident response, review vendors and BAAs, and update policies as technology and threats evolve. Role-Based Access Control and the Minimum Necessary Standard should guide every change.