According to AHA News:

The Centers for Medicare & Medicaid Services has released guidance
to help organizations comply with the Health Insurance Portability and
Accountability Act’s security standards when they allow remote access
to electronic protected health information through portable devices or
external systems or hardware. In general, CMS said HIPAA-covered
entities should be “extremely cautious” about allowing offsite use of
or access to EPHI, and must implement policies and procedures to
protect EPHI that is stored on remote or portable devices/media or
transmitted over an electronic communications network. The agency said
it may rely on the guidance in determining whether actions by a
HIPAA-covered entity are reasonable and appropriate for safeguarding
the confidentiality, integrity and availability of EPHI.

This is not rocket science, but the guidance document provides a good roadmap to make sure all your bases are covered.

[Hat tip: iHealthBeat]