What Is a Work From Home Policy?
A work from home policy is the written rule defining the terms under which employees may perform job duties from a location other than the employer's office. It addresses eligibility, schedule and core hours, equipment and reimbursement, workspace and ergonomic standards, FLSA hour tracking, cybersecurity, performance metrics, and revocation. It is no longer optional in any multi-state employer: FLSA recordkeeping (29 C.F.R. § 516.2) requires written hour tracking for non-exempt remote workers; California Lab. Code § 2802 and Illinois 820 ILCS 115/9.5 require reimbursement of necessary business expenses; the state-of-residence employment laws apply to remote workers; workers' compensation must be carried in each state of employment.
Multi-state compliance is the largest exposure. When a remote employee works from a state other than the employer's headquarters, the employee is covered by that state's wage and hour rules: minimum wage (CA $16.50, NY $16, WA $16.66 as of 2025), overtime, paid sick leave (CA Lab. Code § 246, NY Lab. Law § 196-b, IL Paid Leave for All Workers Act effective January 2024). Tax nexus follows the employee, triggering payroll-tax, unemployment-insurance, and frequently corporate-income-tax obligations in the new state; the convenience-of-the-employer rule applies in NY, NE, AR, DE, and PA, permitting the employer's home state to also tax the wages. Workers' compensation policies must be in force in each state. Failure exposes the employer to direct tort liability without the workers' compensation exclusivity defense.
Operational provisions determine whether the policy works. Performance measurement shifts from desk-time observation to output metrics (deliverables, milestones, customer outcomes). Communication protocols define core hours, response-time expectations, and meeting attendance. Cybersecurity controls protect data outside the corporate perimeter: mandatory VPN, MFA on all accounts, AES-256 disk encryption, automatic screen lock, WPA3 home Wi-Fi, and incident-reporting timelines. ADA reasonable accommodation under 29 C.F.R. § 1630.2(o) applies when employees request remote work as accommodation; the EEOC's enforcement guidance treats remote work as presumptively reasonable for many knowledge-worker positions following the pandemic-era expansion.
FLSA recordkeeping and state expense reimbursement
FLSA recordkeeping under 29 C.F.R. § 516.2 requires accurate hours for every non-exempt remote worker including off-clock email and after-hours messaging. Allen v. City of Chicago, 865 F.3d 936 (7th Cir. 2017), confirmed that the employer's actual or constructive knowledge of off-clock work creates compensability. Implement automated time-tracking with a written attestation procedure; manual time entry alone is insufficient when after-hours messaging is observable. State expense reimbursement: California Lab. Code § 2802 (Cochran v. Schwan's Home Service, 228 Cal. App. 4th 1137 (2014), required reimbursement of cell phone use even on unlimited plans), Illinois 820 ILCS 115/9.5 (effective January 2019), Massachusetts 454 CMR 27.04(4), Montana, New Hampshire, North Dakota, South Dakota, Iowa, and DC. Standard reimbursement structures: fixed monthly stipend ($30 to $75), actual-cost reimbursement (40 to 60 percent of personal bills), or full company provision.
Tax nexus, workers' comp, and cybersecurity controls
Remote employees create tax nexus for the employer in their state of residence: payroll withholding (immediate), unemployment insurance (immediate), and frequently corporate income tax (varies by state threshold under Wayfair-era economic nexus rules). The convenience-of-the-employer rule in NY 20 NYCRR § 132.18(a), Nebraska, Arkansas, Delaware, and Pennsylvania permits the employer's home state to also tax wages of remote workers, creating double-taxation exposure the employee must resolve. Workers' compensation: Verizon Pennsylvania Inc. v. WCAB, 900 A.2d 440 (Pa. Commw. 2006), is the canonical home injury case; carry coverage in every state of operation. Cybersecurity: mandatory VPN, MFA on all accounts (the Microsoft 2024 Digital Defense Report attributes 99 percent of identity attacks to absence of MFA), AES-256 disk encryption, WPA3 home Wi-Fi, EDR with automatic updates, and 1- to 4-hour incident-reporting windows. HIPAA Security Rule (45 C.F.R. § 164.312), GLBA Safeguards Rule (16 C.F.R. § 314), and NIST 800-171 apply in covered industries.
Hybrid Framework
Defines clear expectations for in-office vs. remote days with scheduling flexibility.
Cybersecurity
Mandates VPN, MFA, secure Wi-Fi, and device management for remote work environments.
Equipment and Ergonomics
Covers equipment provisions, expense reimbursement, and home office safety standards.
Work From Home Policy Preview
Remote Work and Telecommuting Policy
Effective Date: _______________
1. ELIGIBILITY AND APPROVAL
Remote work arrangements are available to employees in the following roles/departments: subject to manager approval.
2. SCHEDULE AND AVAILABILITY
Remote employees must be available during core hours of to in the time zone.
3. EQUIPMENT AND EXPENSES
The Company will provide: . Monthly stipend for internet/utilities: .
AUTHORIZED BY
EMPLOYEE ACKNOWLEDGMENT
Key Components
A defensible remote work policy contains the components below. Missing any one creates predictable failures: no FLSA recordkeeping protocol produces overtime liability under Allen v. City of Chicago; no reimbursement provision violates California Lab. Code § 2802; no workers' compensation coverage in the employee's state strips the exclusivity defense.
| Component | Purpose | Key Details |
|---|---|---|
| Eligibility Criteria | Defines who qualifies for remote work | Role suitability, performance standards, tenure requirements, manager approval process |
| Schedule and Availability | Sets communication and presence expectations | Core hours, time zone alignment, hybrid in-office days, response time requirements |
| Equipment and Expenses | Addresses tools and reimbursement obligations | Employer-provided hardware, internet stipend, furniture allowance, state reimbursement laws |
| Cybersecurity | Protects company data outside the office | VPN, MFA, Wi-Fi security, device encryption, incident reporting, data handling |
| Workspace and Safety | Manages ergonomic and workers' comp risks | Dedicated workspace, ergonomic assessment, injury reporting, home inspection rights |
| Performance Management | Ensures accountability for remote workers | Output metrics, check-in cadence, review process, revocation criteria |
How to Draft a Remote Work Policy
Map remote-employee locations and inventory state-law obligations
Identify every state and city where remote employees work. Inventory: minimum wage and overtime (CA $16.50, NY $16, WA $16.66 as of 2025), paid sick leave (CA Lab. Code § 246, NY Lab. Law § 196-b, IL PLAWA effective January 2024, paid leave in 18 states plus DC), expense reimbursement (CA § 2802, IL § 9.5, MA, MT, NH, ND, SD, IA, DC), income-tax withholding obligations triggered by the employee's state of residence, the convenience-of-the-employer rule in NY 20 NYCRR § 132.18(a) and similar states (NE, AR, DE, PA), corporate income-tax nexus thresholds under post-Wayfair economic-nexus rules, and workers' compensation coverage requirements in every state of operation.
Define eligibility, hybrid schedule, and approval procedure
Establish role-based eligibility (knowledge-worker positions versus customer-facing or operational roles). Define the hybrid schedule framework: fully remote, hybrid with specific anchor days (typically Tuesday and Thursday), or flexible hybrid with a minimum in-office requirement. Document the approval process: who approves, what criteria, and how decisions are communicated and appealed. Address ADA reasonable-accommodation requests under 29 C.F.R. § 1630.2(o)(3); remote work is presumptively reasonable for many knowledge-worker positions per EEOC guidance. State the employer's right to modify or revoke arrangements with 30-day notice for non-performance reasons. Confirm that remote work does not alter other employment terms; preserve at-will status with an explicit clause.
Set equipment, expense reimbursement, and workspace standards
Provide the equipment list: laptop with full-disk encryption and remote-wipe capability, monitor and peripherals, headset, VPN and MFA tokens, collaboration software licenses, home-office furniture stipend ($500 to $2,000 one-time) where workspace requires it. Define reimbursement: fixed monthly stipend ($30 to $75), actual-cost reimbursement (40 to 60 percent of personal bills), or full company provision. Comply with California Lab. Code § 2802 (Cochran v. Schwan's Home Service, 228 Cal. App. 4th 1137 (2014)) and Illinois 820 ILCS 115/9.5. Specify workspace requirements: dedicated work area, minimum internet connectivity (typically 50 Mbps down, 10 Mbps up), ergonomic self-assessment checklist on initial setup. Document the equipment-return procedure on separation; non-return triggers wage-deduction limits under state laws.
Codify cybersecurity controls calibrated to industry framework
Mandate VPN for all network access; MFA on all work accounts (Microsoft 2024 Digital Defense Report attributes 99 percent of identity attacks to absence of MFA); WPA3 home Wi-Fi with changed default router credentials; AES-256 full-disk encryption; automatic screen lock under 5 minutes; EDR with automatic updates; prohibition on public Wi-Fi without VPN; restriction on family member access to work devices; secure document handling and disposal; incident reporting within 1 to 4 hours of discovery. Industry-specific overlay: HIPAA Security Rule (45 C.F.R. § 164.312), GLBA Safeguards Rule (16 C.F.R. § 314), SOX § 404 financial-reporting controls, NIST 800-171 and CMMC 2.0 for federal contractors handling CUI. State the framework that applies and how each control is satisfied in the home environment.
Build performance, communication, monitoring, and revocation frameworks
Shift performance measurement from activity to output: deliverables, milestones, customer outcomes. Establish core hours, response-time expectations, weekly one-on-ones, and required meeting attendance. Set monitoring disclosures complying with Connecticut Gen. Stat. § 31-48d, Delaware 19 Del. C. § 705, and New York Civ. Rights Law § 52-c (effective May 2022): list every monitoring technology, data collected, business purpose, and obtain signed acknowledgment. Disclose camera-on expectations explicitly. Define revocation triggers (performance decline below documented metrics, repeated security violations, business need); document the 30-day transition-back notice. Train managers on supervising remote workers: structured one-on-ones, output-based evaluation, anti-presenteeism bias.
Frequently Asked Questions
Official Resources
Primary-source guidance from DOL, OSHA, NIST, IRS, and EEOC on remote-work compliance, multi-state law, and cybersecurity controls.
DOL - Fair Labor Standards Act
Department of Labor guidance on FLSA hour tracking, overtime, and compensable time for remote and teleworking employees.
OSHA - Home-Based Worksite Policy
OSHA policy on employer obligations for home office safety, inspections, and workers' compensation for remote injuries.
NIST - Telework Security Guide
NIST Special Publication 800-46 on securing remote access, telework infrastructure, and BYOD environments.
IRS - Multi-State Tax Guidance
IRS resources on employer tax obligations when employees work in multiple states including withholding and nexus.
EEOC - Remote Work as Accommodation
EEOC guidance on when remote work is a reasonable accommodation under the ADA for employees with disabilities.
SHRM - Remote Work Resources
Society for Human Resource Management resources on remote work policy development, compliance, and best practices.
Create Your Work From Home Policy
Formalize remote work with clear expectations for schedules, equipment, cybersecurity, and performance.
Create DocumentNo account required. Free to create and preview.