The United States of America, like other countries, is experiencing a rise in working from home because of COVID-19. Many healthcare professionals are now working from home using telehealth and telemedicine methods, and proper HIPAA compliance management is crucial for protecting a patient’s health information.
Whether a company is a HIPAA-covered entity or a business associate, their employees face unique security challenges when working from home. Unencrypted devices and unsecured networks are more vulnerable to hacks and breaches. Employees that are working from home need to be reminded of HIPAA Privacy and Security Rule for proper HIPAA compliance management.
Telecommuting has increased by a staggering 115% in the last ten years in the U.S. With the COVID-19 pandemic requiring many employees to work from home, the number of people telecommuting is climbing rapidly. Because of the current COVID-19 national emergency, the Office for Civil Rights (OCR) has relaxed its enforcement policies for non-compliance with HIPAA regulations for telehealth practices.
That being said, telehealth care professionals should keep in mind that they are required to serve the general public in good faith, which includes taking necessary steps to protect patient information. This article will provide a few key steps for proper HIPAA compliance management while working from home to protect patients’ Protected Health Information (PHI).
Take these necessary steps to protect your clients’ PHI
The first and foremost step should be to identify your remote working employees and make a list of them, including the level of information to which they have access. You must set the rules for them in your HIPAA Privacy and Security policies. The following checklist will also help individual telehealth practitioners comply with HIPAA regulations while working from home.
Outline Equipment, Software, and Hardware requirements:
- Use WPA2-AES to encrypt home wireless router traffic: Most routers come pre-configured with this setting these days, and it is a standard configuration.
- Set difficult passwords for wireless routers: Setting complicated passwords will provide an extra layer of protection.
- IT should configure all devices accessing your network: Install firewall and antivirus software, and make sure all the devices are encrypted and password protected.
- Use a VPN: Require your employees to use a VPN when they remotely access the company’s Intranet.
- Encrypted PHI: All PHI must be encrypted before transmission, either by using internal email encryption or the company’s Intranet.
- Encrypted and password protected devices: All personal devices that employees use to access PHI should be encrypted and password protected.
- Have personal devices configured by the IT department or a vendor before allowing access to the network: Outline specific brands and devices that can be used to access the company’s network.
Outline the Privacy and Security Requirements:
- Use of PHI containing devices: Employees should not allow their family members, friends, or anyone else to use devices that contain PHI.
- Bring Your Own Device (BYOD) guidelines: Specify clear usage rules in a BYOD agreement.
- Paper Shredder: Employees need to have a shredder at their location to dispose of paper PHI when it is no longer needed. The company must specify when it is okay to destroy paper records.
- HIPAA compliant video/web conferencing tools: Look for software that has proper encryption in place for your telehealth practice.
- PHI cannot be copied to any external media: Make sure employees do not copy PHI to any external devices, including flash drives and hard drives that are not approved by the company.
- Maintain logs of remote access activities: Disable accounts that have been inactive for 30 days and review your logs periodically.
- Disconnect devices after work: Employees should disconnect their devices from the company’s network when they are finished working each day.
- Develop guidelines: Develop clear instructions for employees. Make it clear that employees who do not follow these rules may be subject to the company’s Sanction policies or a HIPAA violation.
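The "maintain logs of remote access activities" item above combines two checks that are easy to automate: find accounts with no successful remote login in the last 30 days so they can be disabled, and surface failed logins for the periodic review. The following script is an added example written for this article; it is not code from the article or from HIPAAReady. The VPN log format (ISO timestamp, user, event, source IP), the sample log lines, the account list and the review date are all constructed for illustration, so a real deployment would adapt `parse_log` to its own VPN or remote-desktop log format.

```python
from datetime import datetime, timedelta

# Policy from the checklist: disable accounts inactive for 30 days.
INACTIVITY_DAYS = 30

# Constructed sample remote-access log (assumed format:
# "<ISO timestamp> <user> <event> <source ip>"). Not real data.
SAMPLE_LOG = """\
2020-03-02T08:15:00 alice vpn_login 198.51.100.23
2020-03-02T17:02:11 alice vpn_logout 198.51.100.23
2020-03-05T09:30:45 bob vpn_login 203.0.113.8
2020-03-20T10:05:00 carol vpn_login 198.51.100.77
2020-04-01T07:58:03 alice vpn_login 198.51.100.23
2020-04-02T22:41:19 dave vpn_login_failed 192.0.2.45
this line is malformed and must be skipped
"""

# Constructed list of accounts allowed remote access; "erin" never appears
# in the log at all, which the review must still catch.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin"}

# Constructed date on which the review is run.
REVIEW_DATE = datetime(2020, 4, 10)


def parse_log(text):
    """Return a list of (timestamp, user, event, ip) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def last_successful_access(events):
    """Map each user to the timestamp of their most recent successful login.
    Failed logins are deliberately not counted as activity."""
    last = {}
    for ts, user, event, _ip in events:
        if event != "vpn_login":
            continue
        if user not in last or ts > last[user]:
            last[user] = ts
    return last


def inactive_accounts(events, known_accounts, as_of, days=INACTIVITY_DAYS):
    """Return the sorted list of accounts with no successful remote login
    within the last `days` days before `as_of` (including accounts never seen)."""
    cutoff = as_of - timedelta(days=days)
    last = last_successful_access(events)
    inactive = [u for u in known_accounts if last.get(u) is None or last[u] < cutoff]
    return sorted(inactive)


def failed_login_counts(events):
    """Count failed logins per user for the periodic log review."""
    counts = {}
    for _ts, user, event, _ip in events:
        if event == "vpn_login_failed":
            counts[user] = counts.get(user, 0) + 1
    return counts


def review(log_text=SAMPLE_LOG, known_accounts=KNOWN_ACCOUNTS, as_of=REVIEW_DATE):
    """Run both checks and return the findings as a dict."""
    events = parse_log(log_text)
    return {
        "inactive": inactive_accounts(events, known_accounts, as_of),
        "failed_logins": failed_login_counts(events),
    }


if __name__ == "__main__":
    findings = review()
    print("Accounts to disable (inactive >= %d days):" % INACTIVITY_DAYS)
    for user in findings["inactive"]:
        print("  " + user)
    print("Failed logins to review:")
    for user, n in sorted(findings["failed_logins"].items()):
        print("  %s: %d" % (user, n))
```

With the constructed log and a review date of 2020-04-10, the cutoff is 2020-03-11: `bob` (last login 2020-03-05), `dave` (only a failed login) and `erin` (never seen) are reported for disabling, while `alice` and `carol` remain active. Treating "never seen" and "only failed logins" as inactive is the design choice that matters here; counting any log line as activity would let an account that only ever fails authentication stay enabled.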
Working from Home with HIPAAReady
HIPAAReady is a cloud-based HIPAA compliance software that allows users to remotely access HIPAA related information using mobile devices and web browsers. It is a platform where you can create a checklist of tasks and add, edit or update policies and procedures according to changes in HIPAA rules and regulations. With HIPAAReady, employees can easily be notified of policy changes, and it allows them to follow the checklist of tasks that are required to comply with HIPAA. You can search and navigate relevant topics with just a few keystrokes and get instant access to up-to-date HIPAA policies and procedures. With HIPAAReady, your HIPAA compliance management becomes simpler even with a remote workforce.