Table of contents

Common violationsRequirements and best practicesTools and resourcesChecklistFAQsAdditional resources

Get the industry’s fastest, most secure hosting ◦ 99.99% uptime
◦ Comprehensive security
◦ 24/7 support

HIPAA → Compliance and Remote Employees

HIPAA compliance for remote employees

Ever since the United States introduced the Health Insurance Portability and Accountability Act (HIPAA) in 1996, organizations that deal with health information have been greatly restricted in the way they store, transmit, and process data.

Until recently, for example, nearly every company in the health industry knew not to use unsecured networks, unencrypted devices, and shared data hosting in their work.

With the arrival of the COVID-19 pandemic, however, things changed.

Thousands of organizations were forced to transition their operations to the new decentralized environment (although some have even decided to stay that way indefinitely).

But what’s important to understand is that, remote or not, every regulated workplace is still required to stay HIPAA-compliant throughout.

So what does following HIPAA regulations mean for remote companies? And how can everyone ensure the way they work right now is fully compliant?

Let’s start with reviewing data requirements.

Get HIPAA-compliant hosting

Standalone servers in private data centers with industry-leading security

Explore HIPAA hosting

Common HIPAA violations by remote employees

Remote staff can unintentionally create HIPAA compliance risks through everyday actions. These violations are among the most common and costly.

Using unsecured Wi-Fi networks – Connecting to public or home networks without encryption can expose PHI (protected health information) to interception.
Accessing PHI on personal devices without safeguards – Using an unencrypted laptop or personal smartphone for patient records increases data breach risk.
Emailing PHI without encryption – Sending sensitive information over unsecured email platforms can result in unauthorized disclosure.
Improper disposal of physical records – Throwing away printed PHI without shredding or secure destruction can lead to data exposure.
Leaving PHI visible to unauthorized individuals – Having patient charts or data visible on-screen during a video call with non-authorized participants in the room.
Failure to log out of systems – Leaving EHR systems or cloud applications open when stepping away from a workstation creates an opportunity for unauthorized access.
Sharing credentials – Letting another person use a login for convenience violates HIPAA security rules and audit requirements.
Using unapproved cloud storage – Uploading PHI to personal Dropbox, Google Drive, or similar services not vetted for HIPAA compliance.
Not updating security patches – Running outdated operating systems or software creates vulnerabilities hackers can exploit.
Improper handling of telehealth sessions – Conducting patient calls in public spaces or recording without proper patient consent.

HIPAA requirements and best practices for remote employees

Compliance starts with embedding HIPAA requirements into the daily workflows of remote staff. Leadership can structure policies and training around four key areas.

It’s also recommended to have robust mobile device management (MDM) solution in place to oversee all the computers and be able to interfere (e.g. wipe them out) if required.

1. Secure devices and networks

Every remote device handling PHI should meet or exceed HIPAA’s technical safeguards.

Encryption at rest and in transit ensures PHI remains unreadable if stolen or intercepted.
Organization-managed VPNs create secure, encrypted tunnels between remote endpoints and internal systems.
Strong passwords and MFA help prevent credential theft, especially when combined with a password manager.
Anti-malware and endpoint protection detect and block malicious activity before it compromises patient data.
Secure Wi-Fi configurations—such as WPA3 encryption and changing default router passwords—prevent outsiders from accessing the home network.
Automatic screen locks reduce the risk of unauthorized viewing if a device is left unattended.

2. Secure physical workspaces

HIPAA compliance isn’t only about software—it extends to the physical environment where remote employees work.

Private, dedicated workspaces keeps PHI out of view of unauthorized individuals.
Limited access to the work area ensures only approved personnel or household members without PHI access are nearby.
Secure storage like locking filing cabinets protects physical PHI when not in use.
Privacy screens prevent shoulder-surfing or accidental viewing of sensitive information.
Device management practices, such as docking stations and secured laptops, reduce accidental movement and potential theft.

3. Policies and procedures

Written policies reinforce expectations and provide a compliance framework for all remote workers.

Annual HIPAA training tailored for remote employees keeps regulations top of mind.
Remote access policies define approved devices, networks, and access times.
Incident response protocols ensure prompt reporting and mitigation of suspected breaches.
Bring Your Own Device (BYOD) guidelines outline required security configurations for personal devices.
Confidentiality agreements create a formal acknowledgment of HIPAA responsibilities.

4. Leadership considerations

HIPAA compliance for remote work requires active oversight from leadership and IT teams.

Audit trails provide verifiable records of PHI access and are critical for breach investigations.
Regular monitoring of remote access logs helps detect suspicious behavior early.
Periodic risk assessments identify evolving vulnerabilities in home network and device configurations.
Evaluating hosting environments—including potential migration from cloud to dedicated server hosting—can increase control over PHI storage and reduce exposure to third-party risk.

Tools and resources for HIPAA-compliant remote workspaces

Technology can make HIPAA compliance more manageable for distributed teams. Selecting the right tools is critical to securing PHI in remote settings.

HIPAA-compliant video conferencing platforms – Services like Zoom for Healthcare or Doxy.me provide encrypted sessions and Business Associate Agreements (BAAs).
Encrypted email services – Solutions like Paubox Email Suite offer automatic encryption without requiring recipients to log into a portal.
Secure cloud storage – Box for Healthcare and Microsoft OneDrive with HIPAA compliance configured ensure safe file access.
Mobile device management (MDM) software – Tools like Microsoft Intune can enforce encryption, remote wipe, and access restrictions.
VPN services – Organization-managed VPNs like Cisco AnyConnect create secure connections for remote access to PHI systems.
Password managers – Platforms like 1Password or LastPass Business help employees generate and store strong credentials securely.
Security awareness training platforms – KnowBe4 or Proofpoint deliver phishing simulations and compliance modules.
Audit and monitoring software – Tools like Varonis help detect unusual PHI access or potential breaches.

HIPAA compliance for remote employees checklist

Remote HIPAA compliance FAQs

No. Working from home is not a violation by itself. HIPAA compliance depends on whether the remote environment, devices, and practices meet the security and privacy requirements for PHI.

Use HIPAA-compliant software, secure your devices with encryption, connect via a VPN, work in a private location, and follow your organization’s compliance policies.

HIPAA allows PHI disclosure without patient authorization for treatment, payment, healthcare operations, public health activities, and certain law enforcement purposes.

Implement encryption, MFA, secure storage, and strict access controls. Provide ongoing training and conduct regular compliance audits.

Any employee who handles PHI—whether they work in a clinical setting, administrative role, or healthcare SaaS support—must follow HIPAA regulations.

Yes. Telehealth platforms must meet HIPAA’s security standards and have BAAs in place with healthcare providers to protect PHI.

Next steps for HIPAA-compliant remote employees

Whether you’re just expanding to remote workspaces, or you’re catching up on compliance, go above and beyond to verify that all the tools (hardware, software) and rules (employee guidelines) are in place, and leave the server-side management to a hosting company that has already built its whole business around HIPAA compliance.

Need some extra help getting started? We created a roadmap that breaks the process down into four clear phases, so you can improve HIPAA compliance with your remote workforce without the extra headache. Download it here.

And that’s where Liquid Web comes in. We offer the industry’s fastest and most secure dedicated servers and private cloud solutions—for Windows or Linux, unmanaged or fully managed.

So when you decide that your company should go remote, you should go above and beyond to verify that all the tools (hardware, software) and rules (employee guidelines) are in place, and leave the server-side management to a hosting company that has already built its whole business around HIPAA compliance.

Click below to explore options or start a chat with one of our hosting experts now.

HIPAA compliant hosting solutions

Standalone servers
Private data centers
Uninterruptible power supplies

Explore solutions

Private cloud hosting solutions

Highly performant Fully managed
Acronis disaster recovery included

Explore solutions

Additional resources

What is HIPAA-compliant hosting? →

A complete beginner’s guide

HIPAA and HITECH →

The HITECH Act, how it compares, and what it means for your hosting

Are private clouds compliant? →

How private cloud compares to dedicated servers, and how to choose

Melanie Purkis is the Director of Liquid Web’s Managed Hosting Products & Services. Melanie has more than 25 years of experience with professional leadership, project management, process development, and technical support experience in the IT industry.