Considerations for Working with PHI Offsite
Performance of Yale duties involving protected health information (PHI) offsite requires implementation of the same standards for privacy and security of PHI as are in place on campus (see http://hipaa.yale.edu/security/index.html#prepare and http://www.yale.edu/its/security/secure-computing/physical/portable.html). In addition, arrangements for staff to temporarily telecommute must comply with all applicable institutional personnel practices (see http://info.med.yale.edu/finops/hr/Policies.html).
If it is decided that telecommuting is appropriate, the following items should be considered regarding the privacy and security of PHI:
- Department business manager approval is required when staff is assigned to regularly work from home or other off-site location. Details of the telecommuting arrangement must be documented as described in the YSM Telecommuting guidelines (http://info.med.yale.edu/finops/hr/Policies.html).
- HIPAA Privacy and Security training must be completed.
- Protected Health Information must be transported in a secure manner (for example, in a locked case).
- When transporting PHI, the vehicle must be secured during any stops along the way (for example, locked trunk or locked doors). PHI or electronic devices should not be left visible in the car.
- Protected Health Information must be stored in a secure place away from public or family exposure/access.
- Use of home computers for University business requires that antivirus and antispyware software be current.
- Data stored on computers at home must be routinely backed up.
- VPN is REQUIRED for a connection:
  - Via a private ISP (Internet Service Provider) to access restricted services and resources on the University and Yale-New Haven Hospital (YNHH) network
  - Via wireless access points
  - To all Yale-New Haven Hospital resources
  - To Oracle, financial and business applications
  - To IDXv
  - To electronic medical record (EMR) systems
  - See also http://www.yale.edu/its/help/off-campus-access.html
- Any University documents stored offsite, in the home or on a home computer or on any other electronic device, must not be accessible to anyone other than the Yale employee. Password protection and automatic log-off procedures must be utilized on the offsite device, and paper records must be physically secured.
- Any University documents that are printed on an offsite or home computer must be secured and properly disposed of in a closed secure receptacle according to Yale University policy (i.e. Shred-It containers).
- At the conclusion of the telecommuting arrangement, any files on non-Yale computing devices must be returned to the University and then securely deleted.
