Staying HIPAA Compliant While Working from Home
While working from home may seem like a new trend born of COVID-19, the reality is that by the time of the pandemic approximately seven million people in the United States were already telecommuting. That’s an astonishing jump of 44% since 2015. The healthcare industry has embraced the growing trend, with solutions such as telemedicine that allow doctors and mental health care professionals to “treat” non-emergent patients without ever seeing them in the office. Obviously, this raises a big question: how is the healthcare industry staying HIPAA compliant when working from home?
The Risks are Real
There are HIPAA rules and regulations governing all aspects of the healthcare industry, and telecommuting and telemedicine are no exceptions to these rules. Fall out of compliance, even accidentally, and your practice is facing big trouble.
Some specific areas of concern include:
- Patient billing information, including ICD codes used on invoices
- Patient information gathered and transcribed following home visits
- Telecommuting/telemedicine app safety for office calls with patients
- Patient financial and insurance information
- Physical file safety
- Digital data storage safety
- Unauthorized access to Protected Health Information (PHI)
- Bringing your own device work-from-home policies
- Bringing your third-party vendors into HIPAA compliance
It doesn’t matter what position your employees hold within your practice: staying HIPAA compliant while working from home is everyone’s responsibility.
Not Staying HIPAA Compliant When Working from Home Can Cost You…Big Time
If you think HIPAA doesn’t apply to remote workers, think again. Although enforcement of some of these violations has been relaxed in the face of the pandemic, practices must still show “good faith” in their duties by documenting the steps they are taking to keep everything as secure as possible. Don’t be lulled into a false sense of security, though; once the pandemic has eased, fines and enforcement will be back in full force. There are still very strict guidelines for the applications that can be used, for data and file storage, and for all other handling of PHI.
One of the most important groups working to keep remote workforces HIPAA compliant is The Compliancy Group, a HIPAA compliance software developer.
Paul Redding, VP Partner Engagement & Cyber Security at The Compliancy Group, is especially concerned for remote workers right now. As he explained to Iconic IT,
“The most important part about HIPAA in a remote work environment is understanding that nothing has changed…compliance doesn’t end at your office doors.”
Take for example the well-known Cancer Care Group (CCG) breach in 2012. When an employee’s car was stolen with his laptop (containing over 50,000 patient records) inside, the company was hit with $750,000 in fines for a breach of the Device and Media Controls standard.
Not only was CCG penalized for non-compliance involving the stolen laptop; fines were also levied for the healthcare group’s lack of written physical device security protections. Per the Device and Media Controls standard, healthcare companies must:
“Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”
In another case of bad judgement, Lincare, a respiratory medical practice, was hit with a $240,000 fine when one of its employees left nearly 300 patient records in a car that was surrendered in a divorce. Her soon-to-be ex-husband reported her for leaving the records behind, and she was found to be negligent.
Under the Device and Media Controls standard, healthcare organizations should protect data that is stored outside the office or otherwise in transit, to lower the risk of PHI breaches. Your organization should establish written security rules and procedures, and limit each employee’s access to private patient information to the level required by his or her position.
A good place to start is a device audit listing every device, where it is physically being used, and what access each user has.
Steps to Take Right Now for Staying HIPAA Compliant When Working from Home
There are several steps your healthcare organization should be taking right now toward staying HIPAA compliant while working from home.
Policies and Procedures
The first step will involve creating policies and procedures for both digital and physical files that are removed from the office.
- Develop an acceptable use policy that specifies who can and cannot use devices that are used for work
- Have employees read and sign patient confidentiality paperwork, including HIPAA regulations
- Monitor your remote employees’ access and activity
- Ensure that employees are properly shredding/destroying any unnecessary physical files containing PHI
- Make sure all employees log out of their devices after they stop working for the day
- Make sure all remote employees have a secure, lockable cabinet for storing physical files
Securing Devices and Accessibility
Your next step will cover devices and remote access. It’s important to make sure all devices are secured, and simple cybersecurity best practices are followed to stay HIPAA compliant when working from home.
These policies will cover:
1. Encrypting devices and data
   - Encrypt all devices accessing the network
   - Encrypt all data sent to or from devices
2. Banning the use of public or “free” Wi-Fi connections
3. Password protection and best practices (consider using a password manager)
   - Change passwords frequently
   - Change passwords on wireless routers
   - Never use the same password across multiple applications and platforms
4. Making sure all devices are configured properly
   - Password protection
   - Multi-factor authentication
   - Only specific brands and up-to-date versions of devices are permitted to access the network
   - Firewall and security software, including anti-spam and anti-malware
   - Require automatic patching and security upgrades on all devices
5. Having a time-out feature that automatically logs the remote employee completely out of the network after a period of inactivity
6. Only allowing network access through a secured VPN
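As an added example (not code from Iconic IT or The Compliancy Group), the following read-only PowerShell posture check reports whether a Windows work-from-home endpoint meets the device controls above (encryption, firewall and anti-malware, inactivity lock, automatic patching) and lists its local administrators as input for the device audit mentioned earlier. The 15-minute lock threshold and the two-administrator limit are assumptions; MFA and VPN use are enforced on the identity and network side rather than on the endpoint, so they are not checked here.

```powershell
# Added example, not from the original page: read-only posture check for a
# Windows work-from-home endpoint. Assumes Windows 10/11 with the BitLocker,
# NetSecurity and Defender PowerShell modules and an elevated session.
# It changes nothing on the machine; it only reports pass/fail per control.
$results = @()
function Add-Check([string]$Control, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

# Encrypt all devices: every BitLocker volume must be fully encrypted with protection on
$vols = Get-BitLockerVolume
$weak = @($vols | Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' })
$detail = ($vols | ForEach-Object { "$($_.MountPoint) $($_.VolumeStatus)/$($_.ProtectionStatus)" }) -join '; '
Add-Check 'Disk encryption (BitLocker)' ($weak.Count -eq 0) $detail

# Firewall and security software: all firewall profiles on, Defender real-time protection on
$off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
Add-Check 'Firewall enabled on all profiles' ($off.Count -eq 0) (($off.Name) -join ', ')
$mp = Get-MpComputerStatus
Add-Check 'Anti-malware real-time protection' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) `
    "signatures updated $($mp.AntivirusSignatureLastUpdated)"

# Time-out feature: secure screen saver with an inactivity lock (assumed limit: 15 minutes).
# This reads the current user's setting; a domain GPO may set it machine-wide instead.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desk.ScreenSaveTimeOut
$locks = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and ($timeout -gt 0) -and ($timeout -le 900)
Add-Check 'Inactivity lock within 15 minutes' $locks "timeout=${timeout}s"

# Automatic patching: Windows Update service not disabled and auto-update not switched off by policy
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$wu = Get-Service -Name wuauserv
Add-Check 'Automatic patching' (($wu.StartType -ne 'Disabled') -and ($au.NoAutoUpdate -ne 1)) `
    "wuauserv=$($wu.StartType); NoAutoUpdate=$($au.NoAutoUpdate)"

# Device audit input: who holds administrator rights on this machine (assumed limit: two accounts)
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
Add-Check 'Local administrators limited' ($admins.Count -le 2) ($admins -join ', ')

# Summary for the device audit record; a nonzero exit lets an RMM or login script flag failures
[pscustomobject]@{ Device = $env:COMPUTERNAME; User = $env:USERNAME; Checked = Get-Date } | Format-List
$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

Run it from the management tool you already use to reach remote endpoints and keep the output with the device audit, so each failing control maps to a specific machine and user.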
Taking a Few Necessary Precautions will Help your Organization Remain Compliant
The reality of HIPAA compliance for remote workers is much the same as for those working in the office: all data must be kept secure and away from prying eyes. Failure to properly secure PHI will result in HIPAA issues, and that means a whole world of investigations, headaches, fines, and loss of reputation for the organization involved.
Your employees and their devices are the front lines of this battle, and they should take this responsibility very seriously. Make sure you have all your bases covered in the fight to stay HIPAA compliant when working from home.