Due to several security incidents related to the use of laptops, other portable and/or mobile devices and external hardware that store, contain or are used to access electronic protected health information (EPHI), the Centers for Medicare & Medicaid Services (CMS) has released guidance for EPHI remote use and access. All covered entities are required to be in compliance with the HIPAA Security Rule, which includes, among its requirements, reviewing and modifying, where necessary, security policies and procedures on a regular basis.
The guidance document has been prepared with the main objective of reinforcing some of the ways a covered entity may protect EPHI when it is accessed or used outside of the organization’s physical purview. In so doing, this document sets forth strategies that may be reasonable and appropriate for organizations that conduct some of their business activities through the use of portable media/devices (such as USB flash drives) that store EPHI and offsite access or transport of EPHI via laptops, personal digital assistants, home computers or other non-corporate equipment.
Access the guidance at: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal.pdf