HIPAA Compliance in a Remote Work World 

Our lives have changed so much in just a few short years, from how we think about germs to how we conduct our daily work. Some of us in the last year have returned fully to in-office work, while many are still in a form of hybrid work to keep numbers down and cut risk in the workplace. Let’s face it, some of us have really become accustomed to a limited commute and, for a change, a modicum of work-life balance from working remotely. But what do healthcare entities and their employees need to consider about HIPAA compliance when they are working from home? As professionals who work closely with many businesses in the healthcare industry, we have a few suggestions for remaining in compliance with a workforce that may not be back in the office quite yet. 

[Chart: the four tiers of HIPAA violation penalties]

What Could a HIPAA Violation Mean? 

Before we take a look at a checklist of ways to make working from home more secure, let’s give a real-life example of what could happen to your organization if HIPAA compliance is not followed, even in a post-COVID world. The Department of Health and Human Services (HHS) enforces HIPAA. Specifically, the department’s Office for Civil Rights (OCR) investigates reported HIPAA violations. OCR can impose civil monetary penalties on violators and negotiates resolution agreements, with corrective action plans, to ensure compliance in the future. According to HIPAA Journal, “24.5 million patient records were exposed or stolen after approximately 493 data breaches in the U.S. healthcare sector post-COVID-19 outbreak.” These breaches have led to fines and civil penalties and, occasionally, to criminal charges. The chart above shows the four tiers of HIPAA violation penalties.

As a tangible example, HIPAA Journal described what happened with Cancer Care Group and its settlement of potential violations of the HIPAA Privacy and Security Rules. After an employee’s laptop and unencrypted backup drive were stolen from a car, Cancer Care Group agreed to a settlement of $750,000. The backup media contained the Protected Health Information (PHI) of more than 50,000 patients. OCR determined that, before the breach, Cancer Care Group was in widespread non-compliance with the HIPAA Security Rule: it had not conducted an enterprise-wide risk analysis, and it did not have a written policy governing the removal of hardware and electronic media containing PHI into and out of its facilities. The practical lesson for remote work is that the theft of a device is not what costs you; an unencrypted device leaving the building without a policy or a risk analysis behind it is. 

Protecting PHI With Remote Workers

There are a number of ways that businesses can tighten security and remain in compliance with the HIPAA Rules. Here is a quick list of things to consider for your remote workers. For more suggestions on tightening security for your remote employees in the healthcare field, talk to our team about an assessment of your techniques for safeguarding private data.