Our lives have changed so much in just a few short years, from how we think about germs to how we conduct our daily work. Some of us in the last year have returned fully to in-office work, while many are still in a form of hybrid work to keep numbers down and cut risk in the workplace. Let’s face it, some of us have really become accustomed to a limited commute and the ability to have a modicum of work-life balance for a change by working remotely. But what do healthcare entities and their employees need to consider about HIPAA compliance if they are working from home? As professionals that work closely with many businesses in the healthcare industry, we have a few suggestions for remaining in compliance while having a workforce that may not be back in the office quite yet.
What Could a HIPAA Violation Mean?
Before we take a look at a checklist of ways to make working from home more secure, let’s give a real-life example of what could happen to your organization if HIPAA compliance is not followed, even in a post-COVID world. The Department of Health and Human Services (HHS) enforces HIPAA compliance. Specifically, the department’s Office for Civil Rights (OCR) investigates reported HIPAA violations. The OCR has the power to fine violators and negotiates resolutions to ensure compliance in the future.

According to HIPAA Journal, “24.5 million patient records were exposed or stolen after approximately 493 data breaches in the U.S. healthcare sector post-COVID-19 outbreak.” These breaches have led to fines as well as civil and occasionally criminal violations. Here you see a chart of the four-tiered levels of HIPAA violations.

As a tangible example, the HIPAA Journal described what happened with the Cancer Care Group and its violation of the HIPAA Privacy Rule. After a remote employee lost a laptop and backup drive to car theft, the Cancer Care Group agreed to a settlement of $750,000. The laptop contained more than 50,000 patients’ Protected Health Information (PHI). The OCR determined that prior to the breach, Cancer Care Group was in widespread non-compliance with the HIPAA Security Rule. They failed to conduct an enterprise-wide risk analysis when the breach originally occurred. OCR also found that Cancer Care Group did not have a written policy regarding the removal of hardware containing PHI into and out of its facilities.
Protecting PHI With Remote Workers
There are a number of ways that businesses can tighten security and remain in compliance with HIPAA Rules. Here is a quick list of things to consider for your remote workers.
Ensure all passwords for wireless routers are strong and changed from the initial default password.
Ask or require that employees use a VPN when they access the company’s intranet remotely.
Have your IT department or managed IT provider configure, and verify the configuration of, every device that accesses your network.
Enable wireless encryption on home routers.
Require that all PHI is encrypted before it is transmitted.
If paper files are used, patient data must be destroyed with a shredder, and a lockable cabinet must be used for any paper files that remain at the remote location.
Create a BYOD (Bring Your Own Device) agreement and have your IT department configure personal devices before allowing them access to the network.
Train remote employees that non-work personnel cannot use devices on which client data is stored or transmitted, and set guidelines that prohibit copying information to external hard drives or flash drives.
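To make a checklist like the one above enforceable rather than aspirational, an IT team can keep an inventory of remote endpoints and check each record against the controls automatically. The following script is an added example written for this article, not a tool from the authors or from any vendor; the inventory records, their field names and the sample values are constructed for illustration. It audits each remote user against the list above (default or weak router password, wireless encryption enabled, VPN required, IT-configured device, BYOD agreement on file, PHI sent only over encrypted channels) and, going one step beyond the list, also flags an unencrypted laptop disk, which is the failure behind the stolen-laptop case described earlier.

```python
"""Audit remote-workforce endpoint records against a HIPAA work-from-home checklist.

Added example. The inventory format (field names, values) is an assumption
made for this illustration; adapt it to whatever your asset inventory exports.
"""
import re

# Constructed sample inventory: one non-compliant user and one compliant user.
SAMPLE_INVENTORY = [
    {
        "user": "alice",
        "router_password": "admin",          # factory default, never changed
        "router_wifi_mode": "WEP",           # obsolete, effectively unencrypted
        "vpn_required": False,
        "it_configured": False,
        "disk_encrypted": False,
        "byod": True,
        "byod_agreement_signed": False,
        "phi_transfer_channels": ["sftp", "email-plaintext"],
    },
    {
        "user": "bob",
        "router_password": "Tq7!v9pLx#3zRm2w",
        "router_wifi_mode": "WPA3",
        "vpn_required": True,
        "it_configured": True,
        "disk_encrypted": True,
        "byod": False,
        "byod_agreement_signed": False,      # irrelevant: not a BYOD device
        "phi_transfer_channels": ["sftp", "https"],
    },
]

# Short, illustrative lists; a real audit would use a fuller default-credential set.
COMMON_DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678", ""}
ACCEPTABLE_WIFI_MODES = {"WPA2", "WPA3"}
ENCRYPTED_CHANNELS = {"sftp", "https", "tls-smtp", "vpn"}


def password_is_strong(pw: str) -> bool:
    """Reject known defaults, short passwords, and passwords with too few character classes."""
    if pw.lower() in COMMON_DEFAULT_PASSWORDS:
        return False
    if len(pw) < 12:
        return False
    classes = sum(
        bool(re.search(pattern, pw))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")
    )
    return classes >= 3


def audit_endpoint(rec: dict) -> list:
    """Return a list of finding codes for one endpoint record; empty means compliant."""
    findings = []
    if not password_is_strong(rec["router_password"]):
        findings.append("router-password-weak-or-default")
    if rec["router_wifi_mode"].upper() not in ACCEPTABLE_WIFI_MODES:
        findings.append("router-wifi-not-encrypted")
    if not rec["vpn_required"]:
        findings.append("vpn-not-required")
    if not rec["it_configured"]:
        findings.append("device-not-it-configured")
    if not rec["disk_encrypted"]:
        findings.append("disk-not-encrypted")
    if rec["byod"] and not rec["byod_agreement_signed"]:
        findings.append("byod-agreement-missing")
    # Any channel not on the allow-list is treated as sending PHI in the clear.
    for channel in sorted(rec["phi_transfer_channels"]):
        if channel not in ENCRYPTED_CHANNELS:
            findings.append(f"phi-channel-unencrypted:{channel}")
    return findings


def audit_inventory(inventory: list) -> dict:
    """Map each user to that user's findings."""
    return {rec["user"]: audit_endpoint(rec) for rec in inventory}


if __name__ == "__main__":
    for user, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{user}: {status} {findings}")
```

Running the script prints one PASS/FAIL line per user; the finding codes are meant to feed a ticketing system or a periodic compliance report, so that a control such as "VPN required" has a record of being checked rather than only a line in a policy document.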
For more security suggestions and ways to tighten security for your remote employees in the healthcare field, talk to our team about an assessment of your techniques for safeguarding private data.