How to be HIPAA Compliant when Working Remotely
Even before the COVID-19 pandemic required most people to transition to working from home for the foreseeable future, we had already begun to see many people switching to this new working arrangement. Over the past decade, there has been a steady growth in the number of people that work remotely as it can be more convenient for the employee and more cost-efficient for their employer. Since 2010, we have seen a 400% increase in the number of people that work from home at least one time per week (GetApp).
While a remote work environment can provide many benefits to all of the parties involved, it also can present significant challenges for organizations that need to remain HIPAA compliant. There are many privacy and security measures that need to be implemented in order to address the concerns and risks of maintaining HIPAA compliance in a work-from-home environment.
Important HIPAA Privacy Concerns in a Remote Environment
- Access to Protected Health Information (PHI) by unauthorized individuals
- One challenge that a work from home environment presents is that an employee’s spouse and family members might be able to view or access a patient's PHI in a way that they would not be able to if the employee was working on-site.
- These risks mean that employees should be careful to put technical and physical safeguards in place to protect this information within their home office.
- Bring Your Own Device (BYOD) may lessen technical safeguards
- When employees are using their own devices, there is a significant increase in the risk of a HIPAA breach. These own devices can also be more susceptible to malware attacks.
- Business Associate Agreements are required for online vendors
- Any organization or vendor that works with a covered entity and has access to any patient’s protected health information is considered a business associate. Covered entities need to have business associate agreements (BAAs) in place with each vendor that they work with.
Despite the many benefits of a work from home environment, organizations that need to be HIPAA compliant must also be aware of the significant privacy concerns that put them at risk for noncompliance. If you are looking for ways to prevent any of these privacy concerns from happening, below is a series of steps that can be taken by all parts of the organization to assure that you remain HIPAA compliant, even in a remote setting.
HIPAA Compliance Steps for IT Departments in Remote Settings
- Establish and update Virtual Private Networks (VPNs) — plus making sure any and all devices that are used in a remote work environment are equipped with the latest software updates and security configurations.
- Especially in light of widespread stay at home orders, IT security teams should monitor and test VPN limits to prepare for any increases in the number of users. Team members should also be aware of the potential need to make changes to adjust to their bandwidth requirements.
- Utilize multi-factor authentication on all platforms (if this isn’t possible, ensure that remote staff are using strong passwords).
- Ensure that laptops are equipped with firewalls and antivirus software to protect network access.
HIPAA Compliance Steps for Employees to take when working remotely
- Be sure to encrypt and password protect all personal devices that may be used to access PHI such as cellphones, tablets, and laptops.
- Encrypt all PHI before it is transmitted in any form.
- Require that the home wireless router’s default password is updated and ensure that it is encrypted.
- Protect PHI from friends and family within your house by using a privacy screen on your computer, locking the screen when you walk away, restricting their access to the devices that contain PHI, and being careful not to say PHI aloud in a place where anyone could overhear.
- Only print PHI if absolutely necessary & then be sure to keep all forms of PHI safe in a lockable file cabinet or safe. If printed information is shredded, make sure to dispose of it immediately.
- Don’t send PHI via email unless it is the only option and in these cases be sure to use all tools to encrypt emails.
- If copying PHI to external media, make sure that you are only using flash drives, hard drives or other materials that have been approved by the company.
- Reassess your security protocols frequently.
HIPAA Compliance Steps for Employers to take when allowing remote work
- In order to restrict access to only what is necessary, covered entities should make lists of all employees and specify what level of information each employee should have access to.
- Notify staff that phishing attempts will be even more common when working remotely.
- Require all employees to sign a Confidentiality Agreement upon hiring before they begin to work.
- Create a Bring Your Own Device (BYOD) Agreement, with clear usage rules for employees.
- Covered entities can also require employees to use specific brands and versions of devices in order to access PHI.
- Provide safes or lockable file cabinets for any employees that must store paper copies of PHI in their home offices.
- Train employees to disconnect from the company VPN when their daily work is complete. This can be enforced by implementing measures like IT configuring timeouts.
- Keep track of and regularly review logs of employee remote access activity.
COVID-19 Work from Home requirements
The past few months have seen cities across the country issue stay at home orders to prevent the spread of COVID-19, which has translated into most of the working population being required to transition to working from home for the time being. Although essential personnel, including many healthcare professionals, have continued to work in person, certain HIPAA covered entities and most business associates fall into the category of people that are working from home.
Within the last month, the Office for Civil Rights within the Department of Health and Human Services, who is responsible for enforcement of HIPAA violations, has released a few statements of expectations during this nationwide public health emergency. They announced that they would not impose penalties for noncompliance if covered health providers utilize common video chatting applications for telehealth purposes. Some of these applications include FaceTime, Google Hangouts, Zoom, Skype or Facebook Messenger video chat.
Although these applications are able to be utilized currently, it is important that providers enable all privacy and encryption modes available through these apps. Organizations should remember that they are still required to complete business associate agreements with these organizations. Certain applications, such as Zoom, have made these available for covered entities to complete. Again, this is only a temporary solution and covered entities should not expect it to continue past the current state of a nationwide public health emergency.