Even before the recent onset of Covid-19, companies had increasingly preferred that employees telecommute, since it results in higher productivity and lower operational costs. However, working from home can increase the risk and frequency of violations of the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA rules are in place to protect personal health information (PHI). These rules apply to all healthcare providers, covered entities that work with PHI, business associates that deal with PHI, and the employees of these organizations.
Companies need to implement work-from-home solutions to prevent costly HIPAA violations caused by negligence. According to HIPAA regulations, there are several requirements and guidelines that organizations must meet to ensure HIPAA compliance when working with PHI:
- Annual self-audits to determine if there are any administrative, technical, or physical gaps in compliance with HIPAA security and privacy standards
- The implementation of remediation plans to reverse compliance violations
- The implementation of compliance policies through procedures and employee training
- Documenting all efforts that an organization takes to become HIPAA-compliant
- Keeping a record of all vendors who can access PHI to ensure the secure handling of information and mitigate liability
- Implementing a process to document a data breach and notify patients that their information has been compromised according to the terms of the HIPAA Breach Notification Rule
What Qualifies as a HIPAA Violation?
A violation is the failure to comply with HIPAA standards and provisions. An organization can violate HIPAA rules in many ways. In most cases, a violation is a data breach that is the result of a deficient compliance program.
A data breach by itself does not constitute a violation. However, if an organization doesn’t have protocols in place to manage a data breach or they do not follow these standards of conduct or procedures, it can result in a HIPAA violation.
According to the HIPAA Breach Notification Rule, there are two kinds of data breaches. A minor breach affects fewer than 500 people in a single jurisdiction, and a meaningful breach affects more than 500 people in one jurisdiction.
An organization should gather all data on minor breaches that occurred throughout the year and report them to the Department of Health and Human Services (HHS) annually. Additionally, the organization should notify all affected individuals within 60 days of the discovery of a breach. The organization must disclose to each patient the specific information that was compromised, by whom it was obtained or viewed, and the steps both the patient and the organization should take next to safeguard their PHI and prevent a recurrence. Failure to do so constitutes a violation.
In the case of a meaningful breach, the organization should additionally:
- Report the breach to the HHS Office for Civil Rights within 60 days
- Contact all local law enforcement agencies and issue a notice to the media
Failure to carry out the above steps can also be a HIPAA violation.
What is the Most Common HIPAA Violation for Remote Staff?
When it comes to telecommuting, one of the most common HIPAA violations is the failure to properly manage a remote worker’s access to PHI and electronic PHI.
In 2012, the Cancer Care Group (CCG), an oncology practice in Indiana, suffered a data breach when a telecommuter lost their laptop and backup drive as the result of a car theft. The laptop contained the personal health information of more than 50,000 patients.
Upon investigation, the Office for Civil Rights found that the Cancer Care Group had failed to carry out an organization-wide risk assessment after the breach occurred. Despite that finding, the CCG didn’t see the need for stricter telecommuting measures.
Additionally, the CCG didn’t formulate and implement a policy to improve the protection and security of devices such as laptops. The failure to enforce a written policy is a clear violation of the HIPAA Security Rule. In 2015, the CCG had to settle with the Department of Health and Human Services for $750,000 for HIPAA non-compliance.
Another example of a failure to properly manage PHI access is the Lincare breach case. A manager from Lincare, who had remote access to the PHI records of 300 patients, stowed the records in her car. She separated from her husband, who still had access to the vehicle and the documents.
After discovering the records, the manager’s husband contacted the Office for Civil Rights, and Lincare had to pay a settlement of $240,000.
How to Avoid HIPAA Compliance Violations with Remote Staff
There are several ways to improve the offsite management of patient information by employees and prevent HIPAA compliance violations.
- Clear policies and procedures should be formulated and implemented to manage patient information offsite, for example, at healthcare facilities or employees’ home offices. These policies and procedures should also address the remote accessing of PHI. Implementation of these policies and procedures should include thorough and regular training.
- Privacy and security of PHI should form part of the covered entities’ telecommuting policies.
- Covered entities should establish a written policy to ensure proper tracking, monitoring, and the safe return of PHI by employees who are working from home.
- Employees who are working from home should segregate all PHI with password protection or encryption to make sure that people who have access to the same computer cannot view sensitive information.
- A provider’s overall risk analysis and risk management should include offsite access to PHI.
- Security policies and procedures should pertain to employees’ personal devices to prevent employees from downloading PHI to personal devices, such as laptops or hard drives.
- Health care facilities should promptly respond to a HIPAA privacy breach with a risk analysis, policy review, and modifications to reduce the risk of future violations.
- A HIPAA-compliant business continuity plan should be drawn up that does not allow employees to keep PHI in a vehicle or other unmonitored areas to mitigate the risk of a breach.
- Covered entities and business associates should make sure that all PHI policies are in place before employees take PHI offsite.
What Does a HIPAA Compliant Home Office Setup Look Like?
A HIPAA-compliant office should contain the following:
- A lockable file cabinet or safe for the secure storage of hard-copy PHI.
- A HIPAA-compliant shredder for the destruction of paper PHI that no longer serves a purpose – the company should have clear specifications on when the disposal of patient records is necessary.
Devices in a home office that contain PHI, for example, computers and hard drives, should be inaccessible by others. The employee should also take steps to protect the devices from theft, for example, by installing burglar bars and an alarm system. When the employee is not working in their office, they should lock the door.
Ways to enhance home device security include:
- Encrypting home wireless router traffic.
- Segregating personal devices that the employee uses to access PHI with encryption or password protection.
- Configuring all devices that connect to a home’s network with antivirus protection, a firewall, and passwords.
- Encrypting all PHI before transmission.
- Requiring the use of a Virtual Private Network (VPN) when employees want to access the company intranet from home.
Ensuring that employees’ home offices comply with HIPAA rules will significantly reduce the risk of a data breach, as well as the organization’s liability in the event of a compliance violation.
Work from Home Policy for Healthcare Employees
A work from home policy for healthcare employees is crucial to mitigating the risk of a data breach. This type of policy should:
- Prohibit employees from allowing other people to use devices that contain PHI.
- Require employees to sign a confidentiality agreement before they take PHI offsite.
- Include a Bring Your Own Device (BYOD) policy along with usage regulations.
- Include a media sanitization policy with sanctions for non-compliance.
- Require employees to disconnect from the company network upon completion of their work – the policy should also implement the configuration of timeouts.
- Make provision for the maintenance and routine review of remote access activity logs.
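The last three policy items (BYOD rules, disconnecting with configured timeouts, and routine review of remote-access activity logs) are only useful if someone actually reads the logs against the policy. The script below is an added example, not code from the original article or from any vendor: it parses a constructed remote-access log (the line format, device names, users and IP addresses are all made up for illustration) and flags the conditions a work-from-home policy would want a reviewer to notice: PHI reached from a device the organization has not enrolled, logins or access outside business hours, sessions kept alive past the policy idle timeout, and sessions that were never disconnected. The enrolled-device list, business hours and timeout are assumed policy values.

```python
"""Review remote-access activity logs against a work-from-home policy.

Added example. The log format, users, device ids and addresses below are
constructed for illustration and do not match any particular VPN or
remote-access product; adapt parse_log() to the real log source.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, event, user, device id, source IP, detail
SAMPLE_LOG = """\
2024-03-04T08:55:12 LOGIN alice LAPTOP-0142 203.0.113.10 ok
2024-03-04T09:02:40 ACCESS alice LAPTOP-0142 203.0.113.10 phi://records/patient-1001
2024-03-04T17:30:05 LOGOUT alice LAPTOP-0142 203.0.113.10 ok
2024-03-04T23:10:33 LOGIN bob PERSONAL-PHONE 198.51.100.7 ok
2024-03-04T23:12:01 ACCESS bob PERSONAL-PHONE 198.51.100.7 phi://records/patient-2002
2024-03-05T07:45:00 LOGIN carol LAPTOP-0199 203.0.113.55 ok
2024-03-05T07:46:10 ACCESS carol LAPTOP-0199 203.0.113.55 phi://records/patient-3003
"""

# Assumed policy values: devices enrolled by the organization, working hours
# (local time, start inclusive, end exclusive) and the idle timeout that the
# remote-access configuration is supposed to enforce.
MANAGED_DEVICES = {"LAPTOP-0142", "LAPTOP-0199"}
BUSINESS_HOURS = (7, 19)
IDLE_TIMEOUT = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    kind: str      # LOGIN, ACCESS or LOGOUT
    user: str
    device: str
    src: str
    detail: str    # resource identifier for ACCESS, status otherwise


@dataclass
class Finding:
    kind: str
    user: str
    device: str
    ts: datetime


def parse_log(text):
    """Turn the constructed log text into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, device, src, detail = line.split(maxsplit=5)
        events.append(Event(datetime.fromisoformat(ts), kind, user, device, src, detail))
    return events


def review(events, managed_devices=MANAGED_DEVICES):
    """Return policy findings for a chronologically ordered list of events."""
    findings = []
    active = {}  # user -> last activity event in a session that is still open
    for e in events:
        prev = active.get(e.user)
        # 1. A session stayed open longer than the idle timeout allows without a
        #    logout in between: the configured timeout is not taking effect.
        if prev is not None and e.ts - prev.ts > IDLE_TIMEOUT:
            findings.append(Finding("idle-beyond-timeout", e.user, e.device, e.ts))
        # 2. PHI reached from a device the organization has not enrolled (BYOD).
        if (e.kind == "ACCESS" and e.detail.startswith("phi://")
                and e.device not in managed_devices):
            findings.append(Finding("unmanaged-device", e.user, e.device, e.ts))
        # 3. Login or PHI access outside business hours.
        if e.kind in ("LOGIN", "ACCESS") and not (
                BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]):
            findings.append(Finding("off-hours", e.user, e.device, e.ts))
        # Session bookkeeping: a logout closes the session, anything else extends it.
        if e.kind == "LOGOUT":
            active.pop(e.user, None)
        else:
            active[e.user] = e
    # 4. Sessions never disconnected by the end of the reviewed window.
    for user, last in active.items():
        findings.append(Finding("no-logout", user, last.device, last.ts))
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f.ts.isoformat()} {f.kind:<20} {f.user:<6} {f.device}")
```

Run on the sample log, the review reports one session (alice) that stayed open far past the 30-minute idle timeout, two off-hours events and one unmanaged-device PHI access for bob's personal phone, and two sessions (bob, carol) that were never closed. Each finding maps directly to a policy item above, which is what makes the routine review defensible when documenting compliance efforts.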
Taking these steps may seem redundant, but they are crucial to ensuring that a data breach does not occur. If a breach does occur, the covered entity or business associate who took these steps can rest assured that the breach does not constitute a HIPAA violation.