The Department of Health and Human Services (HHS) explains, “Telework has immediate and long-term benefits for healthcare organizations but security becomes even more critical.” To protect clients’ PHI, remote employees have to follow HIPAA rules, and healthcare organizations need to set clear guidelines for remote work. Keeping signed documents up-to-date and securely stored also helps organizations reduce the risk of HIPAA violations and stay prepared for audits.
Understanding HIPAA for remote employment
According to Upwork, by 2025, an estimated 32.6 million Americans—or about 22% of the workforce—will be working remotely. As telecommuting continues to grow, organizations should make certain that remote employees comply with HIPAA regulations. Although remote work brings many advantages, it also heightens the risk of exposing clients’ protected health information (PHI). Not meeting HIPAA requirements can lead to serious financial penalties.
Read also: What are the penalties for HIPAA violations?
How to protect clients' PHI
Organizations must establish clear guidelines and implement preventative actions for remote employees to ensure HIPAA compliance. The following checklist outlines documentation requirements and security measures:
Security policies and procedures
- Maintain an updated list of employees who work remotely.
- Specify the level of information to which remote employees have access.
Equipment, software, and hardware requirements
- Encrypt home wireless router traffic, change default passwords, and ensure proper configuration of all devices accessing the network.
- Mandate using a Virtual Private Network (VPN) when accessing the company's Intranet remotely.
- Encrypt all PHI before transmission through the company's Intranet or internal email encryption.
- Encrypt and password-protect personal devices used to access PHI, ensuring IT configuration and approval.
- Define approved brands and versions of personal devices that can access company data.
Security and privacy requirements
- Prohibit friends, family, or unauthorized individuals from using devices containing PHI.
- Confidentiality Agreement: Have each employee sign a confidentiality agreement to ensure privacy when handling PHI.
- Create a clear agreement with rules for the use of personal devices.
- Employees storing hard copy PHI in their home offices should have lockable file cabinets or safes.
- Require employees to have a shredder for proper disposal of paper PHI.
- Follow the organization's policy for disposing of PHI or devices storing PHI.
- Instruct employees to disconnect from the company network after work, utilizing IT-configured timeouts.
- Prohibit employees from copying PHI to unauthorized external media, such as flash or hard drives.
- Maintain logs of remote access activity and periodically review them for security purposes.
- Disable inactive accounts for more than 30 days and monitor account activity.
- Communicate that violations of procedures will result in company sanctions and potential legal consequences.
Read more: What is protected health information (PHI)?
Examples of negligence in remote work
Two notable cases highlight the importance of maintaining HIPAA compliance when working remotely:
- Cancer Care Group faced a settlement of $750,000 after a remote employee lost a laptop and backup drive to car theft. This incident exposed the PHI of over 50,000 patients. The Office for Civil Rights (OCR) found that Cancer Care Group was in widespread non-compliance with the HIPAA Security Rule as they failed to conduct an enterprise-wide risk analysis. Additionally, the organization lacked a written policy regarding removing hardware containing PHI from their facilities.
- Lincare, a respiratory medical group, incurred a settlement cost of nearly $240,000 due to a remote employee breaching the PHI of 278 patients. The court ruled that Lincare did not have adequate policies and procedures in place to safeguard patient information taken off-site. Furthermore, the organization had an unwritten policy allowing certain employees to store PHI in their vehicles for extended periods. These incidents led to a class-action lawsuit against Lincare.
FAQs
What are HIPAA requirements for remote workers?
Remote workers should be certain that all protected health information (PHI) remains secure and confidential while accessing, storing, or transmitting it outside of the traditional office environment.
Do remote workers need secure internet connections?
Yes, remote workers should use secure, encrypted internet connections (like a Virtual Private Network or VPN) to protect PHI from unauthorized access when working from home or other locations.
How should remote workers handle devices containing PHI?
Remote workers must use password-protected devices and ensure that any laptops, tablets, or smartphones containing PHI are secured and encrypted to prevent unauthorized access.
Are there specific policies remote workers need to follow?
Yes, remote workers should follow their organization’s HIPAA policies and procedures, which may include guidelines on data access, sharing, and reporting potential security incidents.
What should remote workers do if they suspect a HIPAA violation?
Remote workers should report any suspected HIPAA violations or security breaches immediately to their organization’s privacy officer or compliance department to see that appropriate actions are taken.
See also: HIPAA Compliant Email: The Definitive Guide