Meeting HIPAA Requirements When Working Remotely
March 20, 2020
More and More Employees Are Working Remotely
In the last 10 years, the number of people telecommuting in the U.S. has increased by a staggering 115 percent.1 Ever-evolving technology is making it easier for employees interested in working remotely. This can save a company as much as $11,000 annually per telecommuting worker.
While there are several advantages of working remotely, there’s a monstrous risk for those that are obligated to comply with HIPAA: keeping clients’ protected health information (PHI) safe. Not convinced it’s a big deal? HHS levies hefty financial penalties when entities fail to properly manage their telecommuters’ access and protection of PHI.
Real Life Examples
Cancer Care Group agreed to a settlement of $750,000, after a remote employee lost a laptop and backup drive to car theft.
The laptop contained more than 50,000 patients’ PHI.
OCR determined that prior to the breach, Cancer Care Group was in widespread non-compliance with the HIPAA Security Rule. They failed to conduct an enterprise-wide risk analysis when the breach originally occurred. OCR also found that Cancer Care Group did not have a written policy regarding the removal of hardware containing PHI into and out of its facilities.2
A similar settlement cost respiratory medical group Lincare almost $240,000. A remote employee breached the PHI of 278 patients by exposing and abandoning their sensitive information. The court ruled that Lincare did not have adequate policies and procedures in place to safeguard patient information that was taken off-site despite the fact that employees who worked in patients’ homes routinely removed PHI from Lincare offices.
Lincare also had an unwritten policy that required certain employees to store PHI in their vehicles for extended periods.3 The trouble didn’t end there for the company. Last October, former Lincare employees filed a class-action lawsuit against the company. The employees claim negligence with regard to their personally identifiable information (PII) and that identity theft could result from a Lincare data breach.4
How To Protect Your Clients’ PHI When Working Remotely
What can you do to safeguard your organization from HIPAA violations?
We compiled a list of documentation requirements and preventative actions you need to observe to protect you and your clients.
First and foremost, if you have remote employees, you must set rules for them in your Security Policies and Procedures.
Use the following checklist as a guide for what to include in this section.
- Make a list of remote employees.
- Indicate the level of information to which they have access.
Describe Equipment, Software, and Hardware requirements:
- Encrypt home wireless router traffic using WPA2-AES. This is a pretty standard configuration, and most routers these days come pre-configured this way.
- Change default passwords for wireless routers to something difficult. This provides an extra layer of protection.
- Make sure that all devices accessing your network are properly configured by IT. Devices must be encrypted and password protected, and must have a software firewall and anti-virus software installed.
- Require that employees use a VPN when they access the company’s Intranet remotely.
- All PHI must be encrypted before being transmitted, either over the company’s Intranet or using the internal email encryption.
- Encrypt and password protect any personal devices employees use to access PHI.
- Have your IT department or vendor configure personal devices before allowing them access to the network. Specify what brands and versions of personal devices can access the company data.
Describe Security and Privacy requirements:
- Employees should not allow any friends, family, etc. to use devices that contain PHI.
- Have each employee sign a Confidentiality Agreement to assure the utmost privacy when handling PHI.
- Create a Bring Your Own Device (BYOD) Agreement with clear usage rules.
- Employees who store hard copy (paper) PHI in their home office need a lockable file cabinet or safe to store the information.
- Employees need a shredder at their location for the destruction of paper PHI once it is no longer needed. The company needs to specify when it is ok to dispose of any paper records.
- Employees must follow the organization’s Media Sanitization Policy for disposal of all PHI or devices storing PHI.
- Make sure employees disconnect from the company network when they are done working. Usually, session timeouts configured by IT take care of this.
- Employees cannot copy any PHI to external media not approved by the company. This includes flash drives and hard drives. You may require all PHI to stay on the company network.
- Keep logs of remote access activity, and review them periodically. IT should disable any accounts inactive for more than 30 days.
- Mandate that any employees in violation of these procedures will be subject to the company’s Sanction Policy and/or civil and criminal penalties.
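The two log-related items above (keep remote access logs, review them periodically, and disable accounts inactive for more than 30 days) are easy to state and easy to let slip. The script below is an added example, not part of the original article or of Total HIPAA’s documentation. It assumes a hypothetical VPN gateway log format (one line per session open/close with a timestamp, user name and source address); the sample log lines, the list of remote employees and the business-hours window are all constructed for the demonstration. It reports which accounts on the remote-employee list have shown no activity in the last 30 days (candidates for disabling) and which sessions opened outside normal working hours (candidates for review).

```python
import re
from datetime import datetime, timedelta

# Policy value from the checklist: accounts idle longer than this are disabled.
INACTIVITY_LIMIT_DAYS = 30

# Constructed list of remote employees (the "list of remote employees" item above).
REMOTE_EMPLOYEES = ["alice", "bob", "carol", "dave"]

# Constructed sample log lines in a hypothetical VPN gateway format; not real data.
SAMPLE_LOG = """\
2020-03-18T08:02:11Z vpn-gw session=open user=alice src=203.0.113.10
2020-03-18T17:45:02Z vpn-gw session=close user=alice src=203.0.113.10
2020-02-01T09:10:00Z vpn-gw session=open user=bob src=198.51.100.7
2020-02-01T18:00:00Z vpn-gw session=close user=bob src=198.51.100.7
2020-03-19T02:13:44Z vpn-gw session=open user=carol src=192.0.2.55
this line is not in the expected format and is skipped
"""

# Regular expression for the assumed log format (hypothetical).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vpn-gw "
    r"session=(?P<event>open|close) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m.group("event"), "user": m.group("user"), "src": m.group("src")}


def parse_log(log_text):
    """Parse every well-formed line; malformed lines are silently dropped."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r is not None]


def last_activity(log_text):
    """Map each user seen in the log to the timestamp of their most recent event."""
    last = {}
    for rec in parse_log(log_text):
        if rec["user"] not in last or rec["ts"] > last[rec["user"]]:
            last[rec["user"]] = rec["ts"]
    return last


def inactive_accounts(known_users, log_text, now, limit_days=INACTIVITY_LIMIT_DAYS):
    """Return known users with no activity in the last `limit_days` days.

    Users who never appear in the log count as inactive too: an account that
    exists but is never used is exactly the kind the 30-day rule should catch.
    """
    last = last_activity(log_text)
    cutoff = now - timedelta(days=limit_days)
    return sorted(u for u in known_users if last.get(u) is None or last[u] < cutoff)


def off_hours_sessions(log_text, start_hour=7, end_hour=20):
    """Return (user, timestamp) for sessions opened outside [start_hour, end_hour).

    The window is a constructed example of a review rule; it flags logins worth a
    second look, it does not by itself prove misuse.
    """
    return [
        (rec["user"], rec["ts"])
        for rec in parse_log(log_text)
        if rec["event"] == "open" and not (start_hour <= rec["ts"].hour < end_hour)
    ]


if __name__ == "__main__":
    review_date = datetime(2020, 3, 20)  # constructed "today" for the report
    print("Accounts inactive for more than %d days (disable):" % INACTIVITY_LIMIT_DAYS)
    for user in inactive_accounts(REMOTE_EMPLOYEES, SAMPLE_LOG, review_date):
        print("  ", user)
    print("Sessions opened outside business hours (review):")
    for user, ts in off_hours_sessions(SAMPLE_LOG):
        print("  ", user, ts.isoformat())
```

Run as a script it prints the two review lists; in practice the review date would be the current time and the log text would come from the gateway’s export. Keeping the parsing separate from the two rules makes it straightforward to add further review rules (for example, a session whose source address changes mid-session) without touching the log format handling.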
Remote employees aren’t exempt from following HIPAA rules. It’s in your best interest to define all remote employee guidelines and to ensure all signed documents involving remote work are up-to-date, signed, and safely stored. Taking these steps will ensure you’re compliant should HHS come calling!
Need help securing your own or your employees’ home work environment?
Total HIPAA specializes in creating customized HIPAA-related documentation and training for our clients. We provide documents like Security Policies and Procedures, Disaster Recovery Policies, Confidentiality Agreements, and Bring Your Own Device (BYOD) Policies. For questions about policies, documentation, or best practices for remote employees, call us at 800.344.6381 or complete this form:
If you have specific concerns about COVID-19, please visit this page on our website. We have compiled all relevant blogs about working remotely and guiding your business through a crisis here.
Please see the latest CDC guidelines here.