Do the HIPAA Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employee accesses electronic PHI?
Answer Yes. Covered entities that allow employees to telecommute or work out of home-based offices and have access to electronic protected health information (PHI), must implement appropriate safeguards to protect the organization’s data. The automatic logoff implementation specification is addressable, and must therefore be implemented if, after an assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its environment. If the entity decides that the logoff implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate, or if the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure. The information access management and access control standards, however, require the covered entity to implement pol
