Skip to main content
U.S. flag

An official website of the United States government

Return to Search

FAQ 2004 Do the Security Rule requirements for access control apply to employees that telecommute?

This guidance explains that covered entities that allow employees to telecommute or work out of home-based offices, and have access to e-PHI, must implement appropriate safeguards to protect the organization’s data.

Final

Issued by: Office for Civil Rights (OCR)

Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (e-PHI)?

Answer:

Yes. Covered entities that allow employees to telecommute or work out of home-based offices, and have access to e-PHI, must implement appropriate safeguards to protect the organization’s data. The automatic logoff implementation specification is addressable, and must therefore be implemented if, after an assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its environment. If the entity decides that the logoff implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision. The information access management and access control standards, however, require the covered entity to implement policies and procedures for authorizing access to e-PHI and technical policies and procedures to allow access only to those persons or software programs that have been appropriately granted access rights.

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.