HIPAA and Remote Work: A Refresher for Employers
Many employers now allow employees to work remotely, either all or part of the time. If your organization does and sponsors a health care plan, here’s a brief refresher on some of the rules regarding protected health information (PHI) and the Health Insurance Portability and Accountability Act (HIPAA).
The Privacy Rule
One major feature of HIPAA is its Privacy Rule. This is essentially a set of national standards for safeguarding PHI. Always keep in mind that PHI is much broader than details about diagnosis and treatment. It also includes demographic data such as participants’ addresses, phone numbers, email addresses and financial information, as well as details about their plan participation.
Some staff members — managers, in particular — may be able to access PHI. When working remotely, these employees should ideally:
- Have private workspaces where others can’t overhear conversations involving PHI,
- Use only employer-issued devices and never access electronic PHI (ePHI) on shared devices, and
- Put hard copies of PHI in a locked filing cabinet, shredding anything they can’t store securely.
Be sure to know which remote workers can access PHI. Each should be able to verify that there are proper measures in place to protect it.
The Security Rule
Another major HIPAA feature is its Security Rule, which is essentially a set of regulations for safeguarding ePHI. Every plan sponsor should conduct an organizational risk analysis and implement a risk management plan that addresses remote work. Doing so is even more important if, in recent years, you’ve seen a substantial increase in the number of remote workers. Your risk management plan should address the three prongs of the HIPAA Security Rule. These are:
1. Physical safeguards. Although the Security Rule applies to ePHI, physical safeguards are still important. Employers should track the location of each computer accessing ePHI. Lost or stolen computers may result in unauthorized disclosure of large amounts of ePHI, so making sure employees keep them in a secure room is critical.
In addition, employees need to report loss or theft immediately. Devices should never be left unattended in a vehicle or public space. Employees may be tempted to write down passwords and keep them near their computers. However, this practice is as unacceptable when working remotely as it is when working on-site.
2. Technical safeguards. Controlling access is key. This includes:
- Restricting access to the minimum-necessary ePHI for each employee’s job function,
- Requiring unique user IDs, passwords and multifactor authentication,
- Implementing automatic logoff or screen locking, and
- Using robust encryption tools.
Advise employees to avoid downloading and storing ePHI on their computers. An individual machine often has weaker protection than a network — cloud storage may be more secure. Warn them against using portable storage media, such as thumb drives, from unknown or unauthorized sources. These items may install malware onto an employee’s computer.
3. Administrative safeguards. Implement procedures to supervise remote employees. Routinely monitor logins and system activity to identify potential security incidents, such as transfers or removal of large amounts of data. For new employees, or those new to remote work, mandate training on your organization’s policies and procedures.
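One way to implement the monitoring described in item 3, as an added example that is not part of the original article: a short Python script that aggregates each user's daily ePHI export volume from audit-log lines and flags totals above a limit. The log format, user names, sample events and thresholds are assumptions; set real thresholds from your own risk analysis.

```python
import re
from collections import defaultdict

# Constructed sample audit log (assumed format, not any real product's output).
SAMPLE_LOG = """\
2024-03-04T08:02:11 user=jsmith action=login bytes=0 records=0
2024-03-04T08:10:45 user=jsmith action=download bytes=120000 records=3
2024-03-04T09:15:02 user=rlee action=login bytes=0 records=0
2024-03-04T09:20:19 user=rlee action=export bytes=48000000 records=2200
2024-03-04T09:41:33 user=rlee action=export bytes=52000000 records=2400
2024-03-04T10:05:00 user=jsmith action=download bytes=80000 records=2
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) records=(?P<records>\d+)$"
)
TRANSFER_ACTIONS = {"export", "download"}  # actions that move ePHI off the system


def parse_event(line):
    """Parse one audit line into a dict, or return None for a malformed line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"day": d["ts"][:10], "user": d["user"], "action": d["action"],
            "bytes": int(d["bytes"]), "records": int(d["records"])}


def find_bulk_transfers(log_text, max_bytes=50_000_000, max_records=500):
    """Return one alert per (user, day) whose transfer totals exceed a threshold."""
    totals = defaultdict(lambda: {"bytes": 0, "records": 0, "events": 0})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["action"] not in TRANSFER_ACTIONS:
            continue  # skip logins and unparseable lines
        t = totals[(ev["user"], ev["day"])]
        t["bytes"] += ev["bytes"]
        t["records"] += ev["records"]
        t["events"] += 1
    alerts = []
    for (user, day), t in sorted(totals.items()):
        reasons = []
        if t["bytes"] > max_bytes:
            reasons.append(f"bytes {t['bytes']} > {max_bytes}")
        if t["records"] > max_records:
            reasons.append(f"records {t['records']} > {max_records}")
        if reasons:  # only users over at least one limit become alerts
            alerts.append({"user": user, "day": day, **t, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_transfers(SAMPLE_LOG):
        print(alert)
```

In the constructed sample only rlee exceeds both limits, so the script reports that account for 2024-03-04 while jsmith's small downloads are left alone.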
Even with heightened awareness and safeguards, the nature of remote work increases the possibility of unauthorized use or disclosure of ePHI. Because the breach notification rules continue to apply, and you could incur HIPAA penalties if breach notification is inadequate or untimely, train employees to recognize and promptly report possible breaches.
Top of mind
Regular reminders and occasional retraining are good ways to keep HIPAA compliance top of mind for employees involved in plan administration, whether they work remotely or on-site. For help identifying and managing the costs and financial risks of your health care plan, contact us.
© 2024