Skip to Content

HIPAA Compliance for Work-From-Home or Telehealth Programs: Five Frequently Overlooked Considerations

COVID-19 has challenged health care providers to change the way they offer services — from shifting to an increasingly remote workforce to diving into telehealth. These adjustments have privacy implications. The following are five of the most commonly overlooked steps that providers should take to remain compliant with applicable privacy laws.

  1. Complete a new HIPAA risk analysis.

HIPAA requires providers to perform periodic technical and nontechnical evaluations in response to environmental or operational changes affecting the security of electronic protected health information (ePHI), as appropriate, to ensure the continuing security of that information. In light of providers’ rapid transition to employees working from home and the offering of telehealth services, a new HIPAA risk analysis (and documentation of that analysis) may be necessary. As an initial question, providers need to ask themselves, “Where is the ePHI within my organization?” If the answer shows that ePHI is now frequently found outside the protected realm of the provider’s existing HIPAA policies, it indicates the need to complete a full risk analysis. 

  1. Revise your policies accordingly.

Changes to the way your practice operates almost certainly mean that revisions to policies are required to ensure that you have sufficient physical, technical, operational, and administrative policies in place to meet HIPAA’s standards for your work-from-home employees and/or telehealth offerings. For some cybersecurity considerations to keep in mind, see our earlier alerts here and here. Given hackers’ current increased focus on targeting health care providers, incident response plans are likely one of the most urgent policy updates for any provider. 

  1. Test your contingency plans.

In addition to updating their policies, and also in light of hackers’ recent focus, providers should test their newly revised incident response and other contingency plans. This is one HIPAA requirement that may actually save money for providers. According to the Ponemon Institute, companies that have and extensively test their incident response plans save more than $1 million in costs after a breach. 

  1. Adjust your privacy notices and consents.

Make sure your privacy notices and consents accurately reflect any new methods of data collection, use, storage, and sharing. Also, if you’ve started using new vendors or technologies, you may be required to include certain disclosures in your privacy policy. Be sure to review the applicable contract and terms of use, and include any required disclosures in your privacy notices and consents. 

  1. Make sure your contracts are compliant with applicable privacy laws.

If new contracts were executed to support the rapid shift to remote work and telehealth programs, make sure you have required business associate agreements in place. While the Office for Civil Rights has temporarily relieved providers of the need to have such an agreement with some telehealth service providers, there was no such exemption made for work-from-home arrangements. Even with telehealth, having a business associate agreement in place is still wise for several reasons, from litigation risk to facilitating post-COVID HIPAA compliance. In addition, providers subject to the California Consumer Privacy Act (CCPA) and hoping to portray their new relationship as a “service provider” relationship, rather than a “sale,” should verify that their contracts for information outside the CCPA’s partial HIPAA exception include the required restrictions and certifications.


©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.