
Staying HIPAA Compliant While Working from Home

While working from home may seem like a new trend adopted to cope with COVID-19, the reality is that by the time of the pandemic approximately seven million people in the United States were already telecommuting. That’s an astonishing jump of 44% since 2015. The healthcare industry has embraced the trend with solutions such as telemedicine, which let doctors and mental health professionals “treat” non-emergent patients without ever seeing them in the office. This raises an obvious question: how does the healthcare industry stay HIPAA compliant when working from home?

The Risks are Real

There are HIPAA rules and regulations governing all aspects of the healthcare industry, and telecommuting and telemedicine are no exceptions. Fall out of compliance, even accidentally, and your practice faces serious trouble.

Some specific areas of concern include:

  • Patient billing information, including ICD codes used on invoices
  • Patient information gathered and transcribed following home visits
  • Telecommuting/telemedicine app safety for office calls with patients
  • Patient financial and insurance information
  • Physical file safety
  • Digital data storage safety
  • Unauthorized access to Protected Health Information (PHI)
  • Bringing your own device work-from-home policies
  • Bringing your third-party vendors (business associates) into HIPAA compliance

It doesn’t matter what position your employees hold within your practice, staying HIPAA compliant while working from home is everyone’s responsibility.

Not Staying HIPAA Compliant When Working from Home Can Cost You…Big Time

If you think HIPAA doesn’t apply to remote workers, think again. Although enforcement of some of these requirements has been relaxed during the pandemic, practices must still demonstrate “good faith” by documenting the steps they are taking to keep PHI as secure as possible. Don’t be lulled into a false sense of security: once the pandemic has eased, fines and enforcement will return in full force. There are still strict requirements for the applications that may be used, for data and file storage, and for all other handling of PHI.

One of the most important groups working to keep remote workforces HIPAA compliant is The Compliancy Group, a HIPAA compliance software developer.

Paul Redding, VP Partner Engagement & Cyber Security at The Compliancy Group, is especially concerned for remote workers right now. As he explained to Iconic IT,

“The most important part about HIPAA in a remote work environment is understanding that nothing has changed…compliance doesn’t end at your office doors.”

Take, for example, the well-known Cancer Care Group (CCG) breach in 2012. An employee’s car was stolen with his laptop inside, holding over 50,000 patient records, and the company was later hit with $750,000 in fines for violating the Device and Media Controls standard.

Not only was CCG penalized for the stolen laptop, it was also cited for lacking written policies on the physical security of devices and media. Per the Device and Media Controls standard (45 CFR §164.310(d)(1)), covered entities must:

“Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”

In another case of bad judgement, Lincare, a respiratory care provider, was hit with a $240,000 civil money penalty after one of its employees left nearly 300 patient records behind in a car that was surrendered in a divorce. Her soon-to-be ex-husband reported the records, and the organization was held responsible for failing to safeguard them.

Under the Device and Media Controls standard, healthcare organizations must protect PHI that is stored outside the office or in transit in order to lower the risk of a breach. Your organization should establish written security policies and procedures and limit each employee’s access to patient information to the minimum required by his or her role.

A good place to start is a device inventory listing every device, where it is physically used, who uses it, and what access each user has.

Steps to Take Right Now for Staying HIPAA Compliant When Working from Home

There are several steps your healthcare organization should be taking right now towards staying HIPAA compliant while working at home.

Policies and Procedures

The first step will involve creating policies and procedures for both digital and physical files that are removed from the office.

  • Develop an acceptable use policy that specifies who can and cannot use devices that are used for work
  • Have employees read and sign patient confidentiality paperwork, including HIPAA regulations
  • Monitor your remote employees’ access and activity
  • Ensure that employees are properly shredding/destroying any unnecessary physical files containing PHI
  • Make sure all employees log out of their devices after they stop working for the day
  • Make sure all remote employees have a secure, lockable cabinet for storing physical files

Securing Devices and Accessibility

Your next step will cover devices and remote access. It’s important to make sure all devices are secured, and simple cybersecurity best practices are followed to stay HIPAA compliant when working from home.

These policies will cover:

1. Data encryption

  • Enable full-disk encryption on every device that accesses the network
  • Encrypt all data in transit to and from devices (TLS or VPN)

2. Banning the use of public or “free” Wi-Fi connections

3. Password protection and best practices (consider using a password manager)

  • Use long, unique passwords and change them whenever compromise is suspected (current NIST guidance in SP 800-63B no longer recommends routine forced rotation)
  • Change the default administrator password on home wireless routers
  • Never reuse the same password across multiple applications and platforms

4. Making sure all devices are configured properly

  • Encryption
  • Password protection
  • Multi-factor authentication
  • Only approved device models running supported, fully updated OS versions are permitted on the network
  • Firewall and security software, including anti-spam and anti-malware
  • Automatic patching and security updates required on all devices

5. Having an idle time-out that automatically locks the session and logs the remote employee out of the network after a period of inactivity.

6. Only allowing access to networks through a secured VPN
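The device inventory suggested earlier and the configuration requirements in the list above can be turned into a repeatable check rather than a one-off spreadsheet. The following is an added example, not code from the article or from Iconic IT: it evaluates a constructed sample inventory against the listed controls (disk encryption, MFA, supported OS, firewall and anti-malware, patch age, idle lock, VPN-only access) and against the least-privilege rule that PHI access should match the employee’s role. The threshold values, allowed OS versions, and roles are assumptions to be replaced by your own written policy.

```python
"""Policy-as-code check of a remote-device inventory.

Added example; not code from the article or from Iconic IT.  The
inventory is constructed sample data, and the policy values below
(allowed OS versions, patch age, idle-lock limit, roles that need PHI)
are assumptions to be replaced by your own written policy.
"""
from dataclasses import dataclass
from datetime import date

# --- policy (assumed values, not from the article) ----------------------
ALLOWED_OS = {"Windows": {"10", "11"}, "macOS": {"13", "14"}}
MAX_PATCH_AGE_DAYS = 30          # how stale installed patches may be
MAX_IDLE_LOCK_SECONDS = 900      # screen/session must lock within 15 min
ROLES_NEEDING_PHI = {"clinician", "billing"}
AUDIT_DATE = date(2024, 6, 1)    # the day the audit is run


@dataclass
class Device:
    hostname: str
    user: str
    role: str                # job role, used for the least-privilege check
    location: str            # where the device is physically used
    os_name: str
    os_version: str
    disk_encrypted: bool     # full-disk encryption (e.g. BitLocker/FileVault)
    mfa_enrolled: bool
    firewall_on: bool
    antimalware_on: bool
    auto_update: bool        # automatic patching enabled
    last_patched: date
    idle_lock_seconds: int   # 0 means no automatic lock at all
    vpn_only: bool           # practice network reachable only through VPN
    phi_access: bool         # account can reach PHI systems


def audit_device(dev: Device, today: date) -> list:
    """Return the control failures for one device; an empty list is compliant."""
    findings = []
    if not dev.disk_encrypted:
        findings.append("disk not encrypted")
    if not dev.mfa_enrolled:
        findings.append("MFA not enrolled")
    if dev.os_version not in ALLOWED_OS.get(dev.os_name, set()):
        findings.append(f"unsupported OS {dev.os_name} {dev.os_version}")
    if not dev.firewall_on:
        findings.append("firewall off")
    if not dev.antimalware_on:
        findings.append("anti-malware off")
    if not dev.auto_update:
        findings.append("automatic patching disabled")
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if dev.idle_lock_seconds == 0 or dev.idle_lock_seconds > MAX_IDLE_LOCK_SECONDS:
        findings.append("idle lock missing or too long")
    if not dev.vpn_only:
        findings.append("network reachable without VPN")
    if dev.phi_access and dev.role not in ROLES_NEEDING_PHI:
        findings.append(f"PHI access not required by role {dev.role!r}")
    return findings


def audit_inventory(devices, today: date) -> dict:
    """Map hostname -> findings for every device that fails at least one control."""
    report = {}
    for dev in devices:
        findings = audit_device(dev, today)
        if findings:
            report[dev.hostname] = findings
    return report


# Constructed sample inventory; hostnames, users and locations are made up.
SAMPLE_DEVICES = [
    Device("LT-0101", "jdoe", "clinician", "home office", "Windows", "11",
           disk_encrypted=True, mfa_enrolled=True, firewall_on=True,
           antimalware_on=True, auto_update=True, last_patched=date(2024, 5, 20),
           idle_lock_seconds=600, vpn_only=True, phi_access=True),
    Device("LT-0102", "asmith", "billing", "home office", "Windows", "10",
           disk_encrypted=False, mfa_enrolled=True, firewall_on=True,
           antimalware_on=True, auto_update=False, last_patched=date(2024, 2, 5),
           idle_lock_seconds=0, vpn_only=True, phi_access=True),
    Device("MB-0201", "rlee", "marketing", "home office", "macOS", "12",
           disk_encrypted=True, mfa_enrolled=False, firewall_on=True,
           antimalware_on=True, auto_update=True, last_patched=date(2024, 5, 25),
           idle_lock_seconds=300, vpn_only=False, phi_access=True),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_DEVICES, AUDIT_DATE).items():
        print(f"{host}: " + "; ".join(findings))
```

In practice the inventory rows come from your MDM or RMM export rather than being typed in; the value of the script is that every device is judged by the same written rule set, and the report doubles as the evidence of “good faith” effort that an auditor will ask for. Note that the role check flags a marketing account with PHI access even though every technical control on that laptop could pass: least privilege is a policy failure, not a device failure.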

Taking a Few Necessary Precautions will Help your Organization Remain Compliant

The reality of HIPAA compliance for remote workers is much the same as for those working in the office. All PHI must be kept secure and away from prying eyes. Failure to properly secure it will result in HIPAA issues, and that’s a whole world of investigations, headaches, fines, and loss of reputation for the organization involved.

Your employees and their devices are the front lines of this battle, and they should take this responsibility very seriously. Make sure you have all your bases covered in the fight for staying HIPAA compliant when working from home.

Check out some additional HIPAA Resources:

Download HIPAA BYOD Sample Policy
Download HIPAA Telecommuting Policy
Download Checklist!
