Remote Access HIPAA Policy
Updated: January 3, 2019
The purpose of this policy is to establish uniform security requirements for all authorized users who require remote electronic access to the Bottleneck Medical Virtual Services (“BMVS”) network and information assets. The (“Organization”) is the contracted entity, also referred to or known as the Client (“Client”). The guidelines set forth in this policy are designed to minimize exposure to damages that may result from unauthorized use of BMVS resources and confidential information.
All users who work outside of the Organization’s environment, who connect to the Organization’s network systems, applications and data, including but not limited to applications that contain ePHI, from a remote location.
Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and procedures by others, including providers, providers' offices, business associates and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.This policy applies to all authorized system users, including members of the workforce, business associates, and vendors, desiring remote connectivity to BMVS networks, systems, applications, and data. Users are frequently categorized in one of these user groups:
- Workforce members with permanent remote access.
These users may include Information Services (IS), executive, or specific administrative staff, business staff, providers, or teleworkers who may require 24-hour system availability or are called upon to work remotely. Their remote access offers the same level of file, folder and application access as their on-site access.
- Workforce members with temporary remote access.
These users typically request short-term remote access due to an extended time away from the office most frequently as a result of a short-term medical or family leave. Access for these users will be restricted to only that which is necessary for task completion during time away from the office and may be limited.
- Contractors and Vendors offering product support with no access to PHI (protected health information).
These users have varied access depending upon the systems needed for application or system support, but do not have access to any PHI in the applications or systems. These users access the system on an as needed, or as called upon basis for system troubleshooting.
- Contractors and Vendors offering product support and other Business Associates with access to PHI.
These users have varied access to PHI depending on the application or system supported and/or accessed. Appropriate Business Associate Agreements must be on file prior to allowing access, and all such access must be audited on a regular basis.
To establish guidelines and define standards for remote access to BMVS information resources (networks, systems, applications, and data including but not limited to, electronic protected health information (ePHI) received, created, maintained or transmitted by the organization). Remote access is a privilege, and is granted only to remote users who have a defined need for such access, and who demonstrate compliance with BMVS established safeguards which protect the confidentiality, integrity, and availability of information resources.
- Gaining Remote Access
- Workforce members shall apply for remote access connections through their immediate manager. Remote access is strictly controlled and made available only to workforce members with a defined business need, at the discretion of the workforce member’s manager, and with approval by the Security Officer.
- The workforce member is responsible for adhering to all of BMVS policies and procedures, not engaging in illegal activities, and not using remote access for interests other than those for BMVS.
- Business associates, contractors, and vendors may be granted remote access to the network, provided they have a contract or agreement with BMVS which clearly defines the type of remote access permitted (i.e., stand-alone host, network server, etc.) as well as other conditions which may be required, such as virus protection software. Such contractual provisions must be reviewed and approved by the Security Officer and/or legal department before remote access will be permitted. Remote access is strictly controlled and made available only to business associates and vendors with a defined business need, at the discretion of and approval by the Security Officer.
- It is the remote access user’s responsibility to ensure that the remote worksite meets security and configuration standards established by BMVS. This includes configuration of personal routers and wireless networks
- Equipment, Software, and Hardware
- The Organization may or may not provide all equipment or supplies necessary to ensure proper protection of information to which the user has access. The following assists in defining the equipment and environment required.
- Remote users will be allowed access through the use of equipment owned by or leased to the contracted entity, or through the use of the workforce member’s personal computer system provided it meets the minimum standards developed by BMVS as indicated above.
(i) User Provided:
(a) Broadband connection and fees
(b) Paper shredder
(c) Secure office environment isolated from visitors and family
(d) A lockable file cabinet or safe to secure documents when unattended
- Remote users utilizing personal equipment, software, and hardware are:
(i) Responsible for remote access. BVMS will bear no responsibility if the installation or use of any necessary software and/or hardware causes lockups, crashes, or any type of data loss.
(ii) Responsible for remote access used to connect to the network and meeting BMVS requirements for remote access
(iii) Responsible for the purchase, setup, maintenance or support of any equipment not owned by or leased to BMVS.
- Continued service and support of BMVS owned equipment is completed by BMVS workforce members. Troubleshooting of telephone or broadband circuits installed is the primary responsibility of the remote access user and their Internet Service Provider. It is not the responsibility of BMVS to work with Internet Service Providers on troubleshooting problems with telephone or broadband circuits not supplied and paid for by BMVS.
- The ability to print a document to a remote printer is not supported without the Organization’s approval. Documents that contain confidential business or ePHI shall be managed in accordance with the BMVS confidentiality and information security practices.
- Security and Privacy
- Only authorized remote access users are permitted remote access to any of BMVS computer systems, computer networks, and/or information, and must adhere to all of BMVS policies.
- It is the responsibility of the remote access user, including Business Associates and contractors and vendors, to log-off and disconnect from BMVS’ network when access is no longer needed to perform job responsibilities.
- Remote users shall lock the workstation and/or system(s) when unattended so that no other individual is able to access any ePHI or organizationally sensitive information.
- Remote access users are automatically disconnected from the BMVS’ network when there is no recognized activity for 15 minutes.
- It is the responsibility of remote access users to ensure that unauthorized individuals do not access the network. At no time will any remote access user provide (share) their user name or password to anyone, nor configure their remote access device to remember or automatically enter their username and password.
- Remote access users must take necessary precautions to secure all of BMVS’ equipment and proprietary information in their possession.
- Virus Protection software is installed on all BMVS computers and is set to update the virus pattern routinely. This update is critical to the security of all data, and must be allowed to complete, i.e., remote users may not stop the update process for Virus Protection, on organization’s or the remote user’s workstation. Any remote access user will install virus protection on the computer they use to complete all Client tasks.
- Copying of confidential information, including ePHI, to personal media (hard drive, USB, cd, etc.) is strictly prohibited, unless the organization has granted prior approval in writing.
- Remote access users maintains logs of all activities performed by remote access according to Client direction/instruction/workflows/processes/systems. Client system administrators review this documentation and/or use automated intrusion detection systems to detect suspicious activity. Accounts that have shown no activity for 30 days will be disabled.
- Electronic Data Security
- Backup procedures have been established that moves data to external media. If there is not a backup procedure established or if BMVS has external media that is not encrypted, contact the Client for assistance.
- Transferring data to remote access users requires the use of an encrypted connection to ensure the confidentiality and integrity of the data being transmitted. Users may not circumvent established procedures when transmitting data to the remote access user.
- Paper document security
- Remote users are discouraged from using or printing paper documents that contain PHI.
- Documents containing PHI must be shredded before disposal consistent with the policy and procedure “Use of PHI” (PR-115).
- Remote access users who violate this policy are subject to sanctions and/or disciplinary actions, up to and including termination of employment or contract. Termination of access by remote users is processed in accordance with BMVS’ termination policy.
- Remote access violations by Business Associates and vendors may result in termination of their agreement, denial of access to the BMVS network, and liability for any damage to property and equipment.