Since the advent of COVID, a large section of the workforce has been forced to work from home. In most situations this has worked well, except for the fact that Protected Health Information (PHI) is now at greater risk than ever before. Organizations are placed in an awkward situation as they try to follow the HIPAA Privacy Rule while allowing employees to establish home offices.
There are many HIPAA privacy concerns in the remote setting that are not experienced while working in the office. Home devices are frequently more susceptible to malware, and precautions must be taken. Phishing attempts will be even more common when working remotely. While working at home, an employee’s spouse, family members or visitors might be able to view or access a patient’s PHI in a way that they could not if the employee were working on-site.
There are many privacy and security measures that need to be implemented to address the concerns and risks to PHI in a work-from-home environment. There are many steps an employee and an IT Department can take to abide by the HIPAA Rule in remote settings and protect PHI.
Safeguards for the Home Setting:
Physical safeguards are very important in the home setting. PHI can be protected from the view of friends and family by locking the screen when you walk away, using a privacy screen on your computer, restricting access to the devices that contain PHI, and being careful not to mention PHI aloud in a place where someone could overhear.
Bring Your Own Device (BYOD) may become an issue in the home setting as it increases the need for technical safeguards. When employees use their own devices, there is a significant increase in the risk of a HIPAA breach.
- Create a Bring Your Own Device (BYOD) Agreement, with clear usage rules for employees.
- Covered entities can also require employees to use specific brands and versions of devices to access PHI.
- Make sure all devices that are used in a remote work environment are equipped with the latest software updates and security configurations.
- Ensure that laptops are equipped with firewalls and antivirus software to protect network access.
- Be sure to encrypt and password protect all personal devices that may be used to access PHI such as cellphones, tablets, and laptops.
- Utilize multi-factor authentication on all platforms (if this isn’t possible, ensure that remote staff are using strong passwords).
Create Safe Networks
Prepare home networks so that mobile devices work effectively and remain protected while using the home Wi-Fi network. There are steps one can take to ensure this happens.
Require that the home wireless router’s default password is changed and ensure that the Wi-Fi is encrypted. Newer types of encryption are WPA (Wi-Fi Protected Access) and WPA2, which implements the latest security standards. These require the use of a password to access the network.
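One way IT can verify the Wi-Fi requirement above on a Linux laptop is to read the security mode NetworkManager reports for the connected network and flag anything weaker than WPA2/WPA3. The script below is an added example, not code from HIPAA Associates; it assumes the laptop runs NetworkManager (`nmcli` is a real command with a documented terse output format), and the sample `nmcli` output embedded in it is constructed for this illustration rather than captured from any real network.

```python
"""Flag home Wi-Fi networks whose security mode falls short of WPA2/WPA3.

Parses the terse output of `nmcli -t -f ACTIVE,SSID,SECURITY dev wifi`
(Linux NetworkManager). Terse mode prints one network per line as
ACTIVE:SSID:SECURITY and escapes literal colons inside values as '\\:'.
"""
import subprocess

# Constructed sample output (not captured from a real network).
SAMPLE_NMCLI_OUTPUT = """\
yes:HomeOffice:WPA2
no:HomeOffice-Guest:
no:NeighborOld:WEP
no:LegacyMixed:WPA1 WPA2
no:CorpStyle:WPA2 802.1X
no:NewRouter:WPA3
"""

# Security modes considered acceptable for accessing PHI from home.
ACCEPTABLE = {"WPA2", "WPA3"}


def parse_nmcli(output):
    """Return a list of (active, ssid, security) tuples from terse nmcli output."""
    nets = []
    for line in output.splitlines():
        if not line.strip():
            continue
        # Protect escaped colons before splitting, then restore them.
        parts = [p.replace("\x00", ":")
                 for p in line.replace("\\:", "\x00").split(":")]
        active, ssid, security = (parts + ["", "", ""])[:3]
        nets.append((active == "yes", ssid, security.strip()))
    return nets


def assess(security):
    """Classify a SECURITY field as 'ok', 'weak' or 'open'."""
    if not security:
        return "open"  # no encryption at all
    protocols = set(security.split())
    if "WEP" in protocols or "WPA1" in protocols:
        # WEP is broken; a mixed WPA1/WPA2 network still permits the WPA1 fallback.
        return "weak"
    if protocols & ACCEPTABLE:
        return "ok"
    return "weak"  # anything unrecognised is treated conservatively


def active_network_verdict(output):
    """Return (ssid, verdict) for the connected network, or None if not connected."""
    for active, ssid, security in parse_nmcli(output):
        if active:
            return ssid, assess(security)
    return None


def audit(output):
    """Return [(ssid, verdict)] for every visible network that is not acceptable."""
    return [(ssid, assess(sec)) for _, ssid, sec in parse_nmcli(output)
            if assess(sec) != "ok"]


def live_output():
    """Run nmcli on the local machine (requires NetworkManager)."""
    return subprocess.run(
        ["nmcli", "-t", "-f", "ACTIVE,SSID,SECURITY", "dev", "wifi"],
        capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_NMCLI_OUTPUT for live_output() to check the real laptop.
    print("active network:", active_network_verdict(SAMPLE_NMCLI_OUTPUT))
    for ssid, verdict in audit(SAMPLE_NMCLI_OUTPUT):
        print(f"{ssid}: {verdict}")
```

The verdict for the active network is the one that matters for the policy in this section; the full audit list is useful when helping an employee pick which of several home networks to use.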
Establish and update Virtual Private Networks (VPNs). A VPN protects your internet connection and privacy online. It creates an encrypted tunnel for your traffic, keeps your identity hidden and even allows you to use public Wi-Fi hotspots more safely.
IT should monitor and test VPN capacity limits to prepare for any increase in the number of users. Team members should also be aware that they may need to adjust their usage to their available bandwidth. Train employees to disconnect from the company VPN when their daily work is complete; IT can enforce this by configuring idle-session timeouts.
Staying in Contact Safely
Most employees who work from home will rely on meeting apps to maintain contact with clients and other team members by means of video calls. Some of these remote access apps include FaceTime, Google Hangouts, Zoom, Skype, Teams, and Facebook Messenger video chat. It is important that providers enable all privacy and encryption modes available on these apps.
Organizations are required to complete business associate agreements with these vendors. Make sure to contact your app provider to sign a business associate agreement.
An effective protection for PHI a company can use is encryption. Encrypt all PHI before it is transmitted in any form. This will help to prevent unauthorized disclosure of PHI.
Don’t send PHI via email unless it is the only option and in these cases be sure to use all tools to encrypt emails.
If copying PHI to external media, make sure that you only use flash drives, hard drives or other materials that have been approved by the company. These external media devices should be encrypted for best security.
Only print PHI if necessary, and then be sure to keep all printed PHI in a lockable file cabinet or safe. When printed PHI is no longer needed, shred it and dispose of it immediately. Provide safes or lockable file cabinets for any employees who must store paper copies of PHI in their home offices.
Reassess your security protocols frequently.
The new work-from-home setting will be a challenge for many organizations and will require special attention to effectively protect PHI and maintain HIPAA compliance. Based on the experience of many companies, it is likely that this arrangement will be around for a long time and that remote workers will remain a major part of the workforce.
Despite these challenges we must continue to maintain a safe working environment for the home office to safeguard PHI. Using the methods outlined, an organization can likely stay out of harm’s way and follow the HIPAA Privacy Rule. For more information see us at HIPAA-Associates.org.
Al Lopez is the chief operations officer for HIPAA Associates. Dr. Lopez has passed board certification in internal medicine, pulmonary, and anesthesia and holds a degree as a medical coding specialist. Furthermore, he has served as a Compliance Director and Privacy Officer for over ten years. Moreover, he has experience dealing with HIPAA issues in the clinical setting, HIPAA security and operational issues. He has been part of the HIPAA Associates team for over 10 years. In addition, Dr. Lopez is certified in Healthcare Compliance and has held various leadership roles within the hospital staff and private practice.