Remote work isn’t a new concept; in fact, before 2020 approximately seven million people in the United States were already telecommuting. That’s an astonishing jump of 44% since 2015. The healthcare industry has embraced the growing trend, with solutions such as telemedicine that allow doctors and mental health care professionals to “treat” non-emergent patients without ever seeing them in the office. Obviously, this raises a big question: how is the healthcare industry keeping remote workers HIPAA compliant?
The Risks are Real
There are HIPAA rules and regulations governing all aspects of the healthcare industry, and telecommuting and telemedicine are no exceptions. Fall out of compliance, even accidentally, and your practice faces serious trouble.
Some specific areas of concern include:
- Patient billing information, including ICD codes used on invoices
- Patient information gathered and transcribed following home visits
- Telecommuting/telemedicine app safety for office calls with patients
- Patient financial and insurance information
- Physical file safety
- Digital data storage safety
- Unauthorized access to Protected Health Information (PHI)
- Bringing your own device work-from-home policies
- Bringing your third-party vendors into HIPAA compliance
- Responding to cyber incidents
Regardless of the position your employees hold within your practice, staying HIPAA compliant while working from home is everyone’s responsibility.
Not Keeping Remote Workers HIPAA Compliant Can Cost You…Big Time
If you think HIPAA doesn’t apply to remote workers, think again. Although enforcement of some of these rules has been relaxed for health agencies using a remote workforce, practices must still demonstrate “good faith” by documenting the steps they are taking to keep everything as secure as possible. Don’t be fooled into complacency. There are still very strict guidelines for the applications that can be used, for data and file storage, and for other handling of PHI. HIPAA even contains language about phone systems.
One of the most important groups working to keep remote workforces HIPAA compliant is The Compliancy Group, a HIPAA compliance software developer.
Paul Redding, VP Partner Engagement & Cyber Security at The Compliancy Group, is especially concerned for remote workers right now. As he explained to Integris,
“The most important part about HIPAA in a remote work environment is understanding that nothing has changed…compliance doesn’t end at your office doors.”
Take, for example, the well-known Cancer Care Group (CCG) breach in 2012. When an employee’s car was stolen with his laptop (containing over 50,000 patient records) inside, his company was hit with $750,000 in fines for a breach of the Device and Media Controls standard.
Not only was CCG penalized for non-compliance over the stolen laptop; fines were also levied for the healthcare group’s lack of written physical device security protections. Per the Device and Media Controls standard, healthcare companies must:
“Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”
In another case of bad judgement, Lincare, a respiratory medical practice, was hit with a $240,000 fine when one of its employees left nearly 300 patient records in a car that was surrendered in a divorce. Her soon-to-be ex-husband reported her for leaving the records behind, and she was found to be negligent.
Under the Device and Media Controls standard, healthcare organizations should protect data that is stored outside the office or otherwise in transit, to lower the risk of PHI breaches. Your organization should establish security rules and procedural guidelines, and limit each employee’s access to private patient information to the level required by his or her position.
A good place to start would be a device audit listing every device, where it is being physically used, and what accesses the users have.
Steps to Take for Keeping Remote Workers HIPAA Compliant
There are several steps your healthcare organization should be taking right now for keeping remote workers HIPAA compliant.
Policies and Procedures
The first step in keeping remote workers HIPAA compliant will involve creating policies and procedures for both digital and physical files that are removed from the office.
- Develop an acceptable use policy that specifies who can and cannot use devices that are used for work
- Have employees read and sign patient confidentiality paperwork, including HIPAA regulations
- Monitor your remote employees’ accesses and activities
- Ensure that employees are properly shredding/destroying any unnecessary physical files containing PHI
- Make sure all employees log out of their devices after they stop working for the day
- Make sure all remote employees have a secure, lockable cabinet for storing physical files
- Make sure all connections and devices are secure for all telehealth appointments
Securing Devices and Accessibility
Your next step for keeping remote workers HIPAA compliant will cover devices and remote access. It’s important to make sure all devices are secured, and simple cybersecurity best practices are followed to stay HIPAA compliant when working from home.
These policies will cover:
1. Encrypting devices and data
   - Encrypt all devices accessing the network
   - Encrypt all data sent to or from devices
2. Banning the use of public or “free” Wi-Fi connections
3. Password protection and best practices (consider using a password manager)
   - Change passwords frequently
   - Change passwords on wireless routers
   - Never use the same passwords across multiple applications and platforms
4. Making sure all devices are configured properly
   - Password protection
   - Multi-factor authentication
   - Only specific brands and updated versions of devices are permitted access to the network
   - Firewall and security software, including anti-spam and anti-malware
   - Require automatic patching and security upgrades on all devices
5. Having a time-out feature that automatically logs the remote employee completely out of the network after a period of inactivity
6. Only allowing access to networks through a secured VPN
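The device audit recommended earlier (every device, where it is used, and what access its user has) can be checked against this configuration checklist automatically. The following is an added example, not code from the article or from The Compliancy Group; the approved brands, minimum OS versions, 15-minute time-out ceiling, PHI-needing roles and the sample inventory are all assumed values constructed for illustration.

```python
from dataclasses import dataclass
# Assumed policy values (not from the article); tune them to your practice.
APPROVED_BRANDS = {"Dell", "Lenovo", "Apple"}
MIN_OS_VERSION = {"Windows": (10, 0), "macOS": (13, 0)}
MAX_IDLE_MINUTES = 15                       # inactivity time-out ceiling
ROLES_NEEDING_PHI = {"clinician", "billing", "transcription"}

@dataclass
class Device:
    device_id: str
    role: str                # job role of the device's user
    location: str            # where the device is physically used
    brand: str
    os_name: str
    os_version: tuple        # e.g. (10, 0)
    disk_encrypted: bool
    mfa_enrolled: bool
    auto_patch: bool
    idle_timeout_min: int    # 0 = no time-out configured
    vpn_only: bool
    phi_access: bool         # account can reach systems holding PHI

def audit_device(d: Device) -> list:
    # Each tuple is (violated?, finding); an empty result means compliant.
    checks = [
        (not d.disk_encrypted, "device storage not encrypted"),
        (d.brand not in APPROVED_BRANDS, f"unapproved brand: {d.brand}"),
        (d.os_version < MIN_OS_VERSION.get(d.os_name, (999,)),
         f"unsupported OS: {d.os_name} {'.'.join(map(str, d.os_version))}"),
        (not d.mfa_enrolled, "multi-factor authentication not enrolled"),
        (not d.auto_patch, "automatic patching disabled"),
        (d.idle_timeout_min == 0 or d.idle_timeout_min > MAX_IDLE_MINUTES,
         f"inactivity time-out missing or above {MAX_IDLE_MINUTES} minutes"),
        (not d.vpn_only, "network access allowed outside the VPN"),
        (d.phi_access and d.role not in ROLES_NEEDING_PHI,
         f"PHI access not required by role: {d.role}"),
    ]
    return [finding for violated, finding in checks if violated]

def audit_inventory(devices) -> dict:
    # device_id -> findings, so the non-compliant devices can be listed
    return {d.device_id: audit_device(d) for d in devices}

# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    Device("LT-001", "clinician", "home office", "Dell", "Windows",
           (10, 0), True, True, True, 10, True, True),
    Device("LT-002", "reception", "home office", "Acme", "Windows",
           (8, 1), False, False, False, 30, False, True),
]
```

Running `audit_inventory(SAMPLE_INVENTORY)` reports no findings for LT-001 and eight for LT-002, including PHI access that the reception role does not require.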
Taking a Few Necessary Precautions will Help in Keeping Remote Workers HIPAA Compliant
The reality of keeping remote workers HIPAA compliant is much the same as for those working in the office. All data must be kept secure and away from prying eyes. Failure to properly secure PHI will result in HIPAA issues, and that’s a whole world of investigations, headaches, fines, and loss of reputation for the organization involved.
Your employees and their devices are the front lines of this battle, and they should take this responsibility very seriously. Make sure you have all your bases covered in the fight for keeping remote workers HIPAA compliant.