Mobile device policies for working outside the office

Call it teleworking, remote access, or mobile access: if you have any access to PHI outside of your office, you should have a HIPAA mobile access policy that applies to that activity. Any person who accesses your systems and data outside of your internal network should be trained on, and sign off on, commitments to protect your PHI.

We’ve never specifically covered the topic of what should be included in a HIPAA mobile access policy. It is about time we did just that.

HIPAA For MSPs: What is included in a mobile access policy

In this episode:

HIPAA Mobile Access Policy Considerations

There are a lot of things you should consider when defining your mobile access policy.

What kinds of controls do you need to have in place on your local network for remote access before you let others in?

  • What resources will be accessible remotely?
    • Email
    • Documents
    • EHR
    • PM
    • CRM
    • Cloud apps, directly or through your connection
  • Open RDP should not be exposed on public IPs
  • VPN required for use on public Wi-Fi
  • What devices are you going to allow to connect?
    • BYOD?
      • Family computers used by kids?
    • Public computers

What mobile access scenarios should the policy cover?

  • Working from home (billing, transcription, accounting and reporting, clinical and diagnostics)
  • Working in hotels and other public access locations
  • Working from other home networks (family visits, business partners)

What your staff must do to be eligible for remote access

  • Training
  • Device commitments
  • Audits
  • Up to date software

Mobile access isn’t something you just set up and then stop worrying about. So many things are opened up by allowing mobile access that you must