How to Write a HIPAA-Compliant Remote Access Policy for Home Health Field Staff

A remote access policy is both an OCR requirement and a practical security control. Here is how to write one that actually works for a distributed home health workforce.

A remote access policy for a home health agency is not the same as a remote access policy for an accounting firm or a technology company — and yet most of the remote access policy templates circulating in the home health compliance community were adapted from exactly those kinds of organisations. A policy written for staff who work from designated home offices, on company-issued laptops, during defined business hours, and who never enter a patient's home does not address the actual remote access environment of a home health nurse who accesses the EHR from a patient's living room, over that patient's WiFi, on a personal tablet, between visit documentation tasks during a four-visit morning shift.

Writing a remote access policy that works for your actual workforce requires starting from the reality of how your staff access clinical systems — not from the template someone adapted from a legal or financial services firm.

The Eight Essential Provisions of a Home Health Remote Access Policy

Provision 1: Scope — Who This Policy Applies To

Define remote access as any access to agency clinical or administrative systems from a location that is not the agency's primary office. This includes: field nurses accessing the EHR from patient homes; administrative staff working from home offices; clinical supervisors accessing scheduling systems from their vehicles; and any staff member accessing work systems from any personal device in any location. The scope must explicitly include personal device access, because restricting the policy to agency-issued devices creates a gap that encompasses the majority of actual remote access in most home health agencies.

Provision 2: Approved Access Methods

Document the specific, approved methods through which remote access is permitted. For each method, specify the technical requirements: VPN access requires the agency-approved VPN client on an enrolled, compliant device; direct cloud application access (Microsoft 365, web-based EHR) requires MFA authentication and MDM-confirmed device compliance; mobile app access requires MDM container enrollment and biometric or PIN authentication for the container. Unapproved methods — personal email for clinical communication, unenrolled devices for EHR access, screen sharing through consumer platforms — should be explicitly listed as prohibited.

Provision 3: Authentication Requirements

State explicitly that MFA is required for all remote access to all agency systems containing patient information or business-critical data. This provision should not say that MFA is available or encouraged — it should say that MFA is required and that access is not permitted without it. Reference the specific MFA platform and method (Microsoft Authenticator with number matching, for example) so that staff understand exactly what is expected rather than what general compliance terminology describes.

Provision 4: Device Requirements

Define the minimum security requirements for any device used for remote access. For agency-issued devices: MDM enrollment, behavioral EDR, OS encryption, current patch status — all verified through MDM compliance reports before network access is granted. For personal devices used under a BYOD arrangement: MDM container enrollment (specifying the container application name), encryption verification for the container, and acceptance of the agency's acceptable use policy for the work container. Devices that do not meet these requirements must not be used for remote access to agency systems — this is a hard requirement, not a recommendation.

Provision 5: Network Security Requirements

Address the specific network environments where home health staff work: patient home WiFi networks (preferred approach: use cellular data for EHR access where coverage permits; if patient WiFi must be used, VPN is required); home office networks (VPN required for access to any system that does not use a dedicated HTTPS connection with modern TLS); public WiFi networks (prohibited for ePHI access without VPN; limited to non-clinical web browsing when VPN is not active); and cellular data networks (acceptable for EHR access without VPN given the inherent encryption of cellular data transmission).
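Provisions 2 through 5 are the parts of the policy that can be expressed as machine-checkable rules, and doing so is a useful sanity check that the written requirements are consistent with each other. The following is an added example, not ShieldForce's code or any agency's production policy engine: a small policy-as-code evaluator that encodes the approved-method, MFA, device and network rules stated above and runs them over a handful of constructed access requests. All class and field names, device records, user names and sample requests are assumptions made for illustration.

```python
# Added example (not the original page's code): Provisions 2-5 as checkable
# rules. Every name, device record and request below is constructed.
from dataclasses import dataclass
from enum import Enum


class Network(Enum):
    CELLULAR = "cellular"          # acceptable for EHR without VPN (Provision 5)
    PATIENT_WIFI = "patient_wifi"  # VPN required
    HOME_OFFICE = "home_office"    # VPN unless dedicated HTTPS with modern TLS
    PUBLIC_WIFI = "public_wifi"    # no ePHI access without VPN


class Method(Enum):
    VPN = "vpn"                                      # approved
    CLOUD_APP = "cloud_app"                          # approved: web EHR / M365
    MOBILE_CONTAINER = "mobile_container"            # approved: MDM container app
    PERSONAL_EMAIL = "personal_email"                # prohibited (Provision 2)
    CONSUMER_SCREEN_SHARE = "consumer_screen_share"  # prohibited (Provision 2)


PROHIBITED_METHODS = {Method.PERSONAL_EMAIL, Method.CONSUMER_SCREEN_SHARE}


@dataclass
class Device:
    owner: str                      # "agency" or "personal" (BYOD)
    mdm_enrolled: bool = False
    mdm_compliant: bool = False     # EDR, OS encryption, patch status per MDM report
    container_enrolled: bool = False
    container_encrypted: bool = False
    container_locked: bool = False  # biometric or PIN on the work container


@dataclass
class AccessRequest:
    user: str
    device: Device
    method: Method
    network: Network
    mfa_passed: bool
    vpn_active: bool
    touches_ephi: bool
    modern_tls_direct: bool = True  # cloud app reached over dedicated HTTPS/modern TLS


def device_findings(device: Device) -> list[str]:
    """Provision 4: minimum device requirements, split by ownership."""
    if device.owner == "agency":
        if not (device.mdm_enrolled and device.mdm_compliant):
            return ["agency device is not MDM-enrolled and compliant"]
    elif not (device.container_enrolled and device.container_encrypted
              and device.container_locked):
        return ["personal device lacks an enrolled, encrypted, "
                "PIN/biometric-locked work container"]
    return []


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, findings); an empty findings list means the request passes."""
    findings = []
    if req.method in PROHIBITED_METHODS:                      # Provision 2
        findings.append(f"prohibited access method: {req.method.value}")
    if not req.mfa_passed:                                    # Provision 3
        findings.append("MFA not completed")
    findings.extend(device_findings(req.device))              # Provision 4
    if req.network is Network.PATIENT_WIFI and not req.vpn_active:   # Provision 5
        findings.append("patient WiFi requires VPN (or switch to cellular)")
    elif req.network is Network.PUBLIC_WIFI and req.touches_ephi and not req.vpn_active:
        findings.append("public WiFi: ePHI access prohibited without VPN")
    elif (req.network is Network.HOME_OFFICE and not req.vpn_active
          and not req.modern_tls_direct):
        findings.append("home office: VPN required for non-TLS-direct systems")
    # Cellular data needs no VPN under Provision 5, so it adds no finding.
    return (not findings, findings)


# Constructed sample devices and requests from one morning of field work.
NURSE_TABLET = Device("personal", container_enrolled=True,
                      container_encrypted=True, container_locked=True)
SUPERVISOR_PHONE = Device("agency", mdm_enrolled=True, mdm_compliant=False)
ADMIN_LAPTOP = Device("agency", mdm_enrolled=True, mdm_compliant=True)

SAMPLE_REQUESTS = {
    "nurse_patient_wifi_no_vpn": AccessRequest(
        "rn.alvarez", NURSE_TABLET, Method.MOBILE_CONTAINER, Network.PATIENT_WIFI,
        mfa_passed=True, vpn_active=False, touches_ephi=True),
    "nurse_cellular": AccessRequest(
        "rn.alvarez", NURSE_TABLET, Method.MOBILE_CONTAINER, Network.CELLULAR,
        mfa_passed=True, vpn_active=False, touches_ephi=True),
    "supervisor_unpatched_phone": AccessRequest(
        "sup.okafor", SUPERVISOR_PHONE, Method.VPN, Network.CELLULAR,
        mfa_passed=True, vpn_active=True, touches_ephi=False),
    "admin_home_office_web_ehr": AccessRequest(
        "admin.lee", ADMIN_LAPTOP, Method.CLOUD_APP, Network.HOME_OFFICE,
        mfa_passed=True, vpn_active=False, touches_ephi=True),
    "screen_share_public_wifi": AccessRequest(
        "rn.alvarez", Device("personal"), Method.CONSUMER_SCREEN_SHARE, Network.PUBLIC_WIFI,
        mfa_passed=False, vpn_active=False, touches_ephi=True),
}


def audit(requests: dict[str, AccessRequest]) -> dict[str, list[str]]:
    """Map each request name to its findings (empty list = allowed)."""
    return {name: evaluate(req)[1] for name, req in requests.items()}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_REQUESTS).items():
        print(f"{name}: {'ALLOW' if not found else 'DENY -> ' + '; '.join(found)}")
```

Run stand-alone, the script prints one verdict per request: the nurse's container-enrolled tablet is denied on patient WiFi without VPN but allowed on cellular, the supervisor's non-compliant agency phone is denied even though the VPN is up and MFA passed, and the consumer screen-share request collects four separate findings. The useful property for an auditor is that each denial names the provision-level reason, which is exactly what the written policy should let a staff member reconstruct on their own.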

Provision 6: Physical Security in Remote Environments

Address the physical security requirements for remote access that are specific to home health environments: device screen position during documentation in patient homes; device storage in vehicles when not in active use; paper PHI handling during field visits; and the prohibition on allowing non-agency individuals (family members, patients, caregivers) to use work devices for any purpose.

Provision 7: Incident Reporting Requirements

Specify the obligation to report any suspected security incident related to remote access — lost device, suspicious login attempt, potential phishing click — within a defined timeframe (four hours is reasonable for home health field staff) and through a specific reporting channel that reaches the security team or managed security provider directly. The reporting contact information must be accessible without internet access — saved in the personal phone, not in work email.

Provision 8: Policy Acknowledgement and Annual Review

Every staff member who uses remote access must sign an acknowledgement that they have read, understood, and agree to comply with the policy before being granted remote access credentials. The policy must be reviewed and updated annually at minimum — and immediately following any security incident that reveals a gap the policy did not address.

Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.

Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment

Explore Home Healthcare Cybersecurity — shieldforce.io/home-healthcare

View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison
