Remote Access
Workforce member access to an organization's information systems from outside the organization's networks.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Security
- Primary sources
- 2
- Workspace handoff
- compliance binder →
Where this comes up
This sits inside the security risk analysis under 45 CFR 164.308(a)(1)(ii)(A) — workstation controls, EHR access roles, ePHI transmission encryption, audit logging, vendor risk, and incident response. Reviewers expect dated evidence of the control, not a policy PDF that says it exists.
Full definition
What it is in practice
NIST SP 800-46 covers remote-access controls including VPN, identity federation, MFA, and endpoint posture checks. Under HIPAA, remote access to ePHI must be evaluated as part of the risk analysis.
How it shows up in your practice
Require MFA on all remote-access sessions. Restrict remote desktop / RDP to VPN-only. Log and review remote-access sessions.
Sources
- NIST SP 800-46 — Telework and BYOD Securityhttps://csrc.nist.gov/pubs/sp/800/46/r2/final
- 45 CFR 164.312 — Technical safeguardshttps://www.ecfr.gov/current/title-45/section-164.312
Document remote-access controls in the Compliance Binder
Open compliance binder →Related terms
- SecurityMFA (Multi-Factor Authentication)Authentication requiring two or more independent factors — something you know, have, or are.
- SecurityBYOD (Bring Your Own Device)The practice of allowing workforce members to use personally-owned devices to access organizational information systems.
- SecurityAudit LogA record of system activity (logins, record access, configuration changes) that can be reviewed to detect inappropriate access or system compromise.
- SecurityTechnical SafeguardsTechnology and the policy and procedures for its use that protect ePHI and control access to it.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryAudit LogA record of system activity (logins, record access, configuration changes) that can be reviewed to detect inappropriate access or system compromise.
- GlossaryBYOD (Bring Your Own Device)The practice of allowing workforce members to use personally-owned devices to access organizational information systems.
- GlossaryMFA (Multi-Factor Authentication)Authentication requiring two or more independent factors — something you know, have, or are.
- GlossaryTechnical SafeguardsTechnology and the policy and procedures for its use that protect ePHI and control access to it.
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- GlossaryEmail Encryption GatewayA system that automatically encrypts outbound email containing PHI based on content rules or recipient address.
- GlossaryEncryption at RestCryptographic protection of stored ePHI such that the data is unreadable without the decryption key.
- RegulationHIPAA Security Access Control (45 CFR 164.312(a))Technical policies and procedures for systems containing ePHI to allow access only to those granted access rights, with required specifications for unique user identification and emergency access.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.