13 Aug How to Meet HIPAA Requirements If You Work Remotely?
Over the last 10 years, and even more so in the last year, the number of telecommuting employees in the United States has increased dramatically. Our ever-evolving technology is making remote work easier for employees who are interested in it. This helps not only the employees who are able to work remotely, but also the employers, who are able to save as much as $11,000 annually per employee who telecommutes.
While there are several advantages of working remotely, there is also an overwhelming risk for those that are obligated to comply with HIPAA. These obligations may include keeping clients’ protected health information (PHI) safe, keeping clients’ personal files safe, and keeping clients’ billing information safe. HHS levies hefty financial penalties when entities fail to properly manage their telecommuters’ access and protection.
Some Real Life Examples
- Cancer Care Group agreed to a settlement of $750,000, after a remote employee lost a laptop and backup drive to car theft. This laptop contained more than 50,000 patients’ PHI. OCR determined that prior to the breach, Cancer Care Group was not compliant with the HIPAA Security Rule. They failed to conduct an enterprise-wide risk analysis when the breach originally occurred.
- A similar settlement cost respiratory medical group Lincare almost $240,000. A remote employee breached the PHI of 278 patients by exposing and abandoning their sensitive information. The court ruled that Lincare did not have adequate policies and procedures in place to safeguard patient information that was taken off-site, despite the fact that employees who worked in patients’ homes routinely removed PHI from Lincare offices.
How To Protect Your Clients When Working Remotely
Below is a compiled list of documentation requirements and preventative actions you need to observe to protect yourself and your clients. If you have remote employees, you must also set rules for them in your Security Policies and Procedures. You can use the following checklist as a guide for what to include in these requirements.
- Make a list of remote employees.
- Indicate the level of information to which they have access.
Equipment, Software and Hardware Requirements
- Encrypt home wireless router traffic using WPA2-AES. This is a pretty standard configuration, and most routers these days come pre-configured.
- Change default passwords for wireless routers to something difficult. This provides an extra layer of protection.
- Make sure that all devices accessing the company network are properly configured by IT. Devices must be encrypted and password protected, with software firewalls and anti-virus software installed.
- Require that employees use a VPN when they access the company’s Intranet remotely.
- All PHI must be encrypted before being transmitted. This can be done either through the company’s Intranet or using the internal email encryption.
- Encrypt and password protect any personal devices employees use to access PHI.
- Have your IT department or vendor configure personal devices before allowing them access to the network. Specify what brands and versions of personal devices can access the company data.
Security and Privacy Requirements
- Employees should not allow any friends, family, etc. to use devices that contain PHI.
- Have each employee sign a Confidentiality Agreement to assure the utmost privacy when handling PHI.
- Create a Bring Your Own Device (BYOD) Agreement with clear usage rules.
- Employees who store hard copy (paper) PHI in their home office need a lockable file cabinet or safe to store the information.
- Employees need a shredder at their location for the destruction of paper PHI once it is no longer needed. The company needs to specify when it is ok to dispose of any paper records.
- Employees must follow the organization’s Media Sanitization Policy for disposal of all PHI or devices storing PHI.
- Make sure employees disconnect from the company network when work is finished. Usually, timeouts configured by IT take care of this.
- Employees cannot copy any PHI to external media not approved by the company. This includes flash drives and hard drives. You may require all PHI to stay on the company network.
- Keep logs of remote access activity, and review them periodically. IT should disable any accounts inactive for more than 30 days.
- Mandate that any employees in violation of these procedures will be subject to the company’s Sanction Policy and/or civil and criminal penalties.
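The remote-access log review and 30-day inactivity rule from the checklist, combined with the list of remote employees, can be automated. The sketch below is an added example, not part of the original post; the log format, account names, and roster are constructed assumptions.

```python
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=30)  # threshold from the checklist

# Constructed roster of remote employees (hypothetical account names).
ROSTER = {"akhan", "bsmith", "cjones", "dlee"}

# Constructed log lines in an assumed format: ISO timestamp, user, event.
SAMPLE_LOG = """\
2024-03-01T08:02:11 akhan LOGIN_OK
2024-03-02T09:15:40 bsmith LOGIN_OK
2024-03-20T07:59:03 bsmith LOGIN_FAIL
2024-04-10T08:01:55 cjones LOGIN_OK
2024-04-11T22:47:09 tempuser LOGIN_OK
2024-04-12T08:03:30 akhan LOGIN_OK
malformed line without fields
"""

def last_successful_logins(log_text):
    """Return {user: datetime of most recent LOGIN_OK}; skip unparseable lines."""
    last = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "LOGIN_OK":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        user = parts[1]
        if user not in last or ts > last[user]:
            last[user] = ts
    return last

def review(log_text, roster, now):
    """Return (rostered accounts to disable, logins by accounts not on the roster)."""
    last = last_successful_logins(log_text)
    # Rostered accounts with no successful login in the window, including ones
    # that never logged in; failed attempts do not count as activity.
    to_disable = sorted(u for u in roster
                        if u not in last or now - last[u] > INACTIVITY_LIMIT)
    # Successful remote logins by accounts missing from the remote-employee list.
    unlisted = sorted(u for u in last if u not in roster)
    return to_disable, unlisted

if __name__ == "__main__":
    disable, unlisted = review(SAMPLE_LOG, ROSTER, datetime(2024, 4, 15))
    print("disable (inactive > 30 days):", disable, "| not on roster:", unlisted)
```

Accounts that appear in the log but not on the roster are reported separately because they indicate remote access that the documented list of remote employees does not cover.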
Remote employees aren’t exempt from following HIPAA rules. It is in your best interest to define all remote employee guidelines and to ensure you have requirements and rules in place that all remote employees have to follow. Taking the steps listed above will ensure compliance, and make sure HHS does not come calling!
Need help securing your own or your employees’ home work environment?
Here at Bunn Consulting, we offer a range of security measures for our clients. The services include but are not limited to Regulatory Compliance, Risk Intelligence Scanning and Data Backup and Recovery. For questions call us at 253.200.5286 or go to Contact Us.
Sources: HIPAA Compliance Working Remotely