Jason Karn, Total HIPAA’s Chief Compliance Officer, recently interviewed Erik Kangas, founder and CEO of LuxSci. LuxSci provides email encryption, web hosting, forms, and secure sending services for HIPAA compliant entities. The two discussed security practices to use while working remotely during COVID-19.
Erik offers helpful tips for keeping devices and networks secure. They also discuss BYOD policies, how to keep ePHI safe, and more. You can listen to this episode of our podcast HIPAA Talk here or on your mobile device via Apple Podcasts. Or, read our summary below.
What is LuxSci doing to help organizations respond to COVID-19?
While email is a convenient and very common form of electronic communication, it’s not always HIPAA compliant. This presents a problem for providers who, in the midst of a pandemic, need to communicate with patients clearly and efficiently.
Through October, LuxSci is providing free services to organizations that need to send COVID-19-related email communications in bulk. For example, a testing lab may perform tests for thousands of people a day and needs to get results back to people quickly. LuxSci can help organizations like this provide people with quick responses in COVID-19 related communications.
Security Concerns During COVID-19
One of the largest risks of a quick transition into an at-home work environment is the absence of an existing Bring Your Own Device (BYOD) policy. Companies need policies that set rules about sharing devices, passwords, patching, and network security.
Many parents working from home have children who are taking classes and doing school work online. It’s essential that there is a separation between work devices that access sensitive data and personal devices that family members may be using. People can choose not to share devices or create different user logins on their devices to prevent other family members from accessing their work data.
Now more than ever, it is especially important that companies institute access levels based on employees’ roles and establish cybersecurity standards based on the level of access. If you find it necessary to grant an employee temporary access to certain accounts, document it. If employees are furloughed, even temporarily, it’s crucial that you cut off their access to systems. Also, ensure that employees are using access logs and that there is clear documentation around the granting or revoking of access.
Securing PHI at Home
When it comes to securing PHI while working remotely, there are four principles you should rely on:
- Don’t share devices or passwords
- Lock away any physical media (ex: papers, devices, thumb drives, etc.) when you’re not working or using it
- Adopt a clean desk policy
- Take phone calls and video conferences in an isolated or closed-off space where you can’t be overheard
It’s also important to apply the minimum necessary rule. Ask yourself, what’s the minimum amount of information you need to give or receive to complete the task at hand?
Always think before you act. Many people are overwhelmed right now with work, parenting duties, and other responsibilities. Before you let a family member use your work device, consider the risks associated with that. Take a minute to think about whether what you’re about to do meets the device or access standards your company has set.
Continue to uphold the standards and best practices you’ve established. The U.S. Department of Health and Human Services (HHS) has issued a limited waiver of certain HIPAA sanctions and penalties during the pandemic. This does not mean companies should ignore existing security or documentation standards.
Put thought and effort into properly implementing work from home policies, choosing a video conferencing service, and making other necessary arrangements. That way, once the waiver is lifted, your company is prepared and fully HIPAA compliant.