HIPAA Compliance for Remote Work

When the pandemic hit, suddenly almost everyone was working from home and we had to make up procedures on the fly. But now remote work, at least part-time, is here to stay. The shift has been seismic in healthcare.

A wide variety of jobs can be performed remotely. Hospital administrators, office managers, billing and coding professionals and IT staff can all work from home, at least part of the time. Telehealth now allows physicians, therapists, and home health workers to work remotely. Both covered entities and business associates have staff working from home.

HIPAA compliance still matters. Remote work presents new risks for safeguarding protected health information (PHI), so care needs to be taken to manage those risks and follow HIPAA.

Start with Risk Analysis and Risk Management

Risk Analysis is fundamental and everything follows from there. Every question asked in the HIPAA Risk Analysis for the main location needs to be asked for each location where staff work, whether a home workspace, a co-working shared space or on the road. Senior management should create a remote work checklist to help workers analyze the risks, from a HIPAA perspective, of every workspace.

Create Remote Work Checklists for Risk Analysis and Risk Management

HIPAA compliance requires everyone in the organization to cooperate and contribute – staff and senior management both have responsibilities. The risk analysis for remote work should mirror the one for the main location – to evaluate how PHI is kept secure.

Risk Analysis for Remote Work

A Risk Analysis checklist should include answers to the following questions:

  • Where do you maintain PHI?
  • In what form or format do you maintain PHI?
  • Who has access to your workspace?
  • How do you protect the Privacy and Security of PHI?
  • How do you dispose of PHI when it is no longer needed?
  • How do you transmit PHI?
  • How do you protect the Privacy and Security of PHI during transmission?

Risk Management for Staff to Follow

The following checklist is for the home office or co-working space, remote from the main work location.

  • The workspace should be private
  • Use a locked file cabinet or drawer for paper records
  • All electronic devices (e.g., computers, thumb and backup drives, and mobile devices such as tablets and cell phones) should be encrypted and used by a single user only
  • Staff should be connected to the main work location via a secure Virtual Private Network (VPN)
  • Encrypt emails and text messages
  • Use a crosscut shredder to dispose of paper PHI
  • Sanitize electronic devices before disposal

The following checklist is for working on the road, i.e., not at home and not in an office.

  • Never use public Wi-Fi
  • Use only encrypted electronic devices
  • Keep the encryption key safely separate from the encrypted device
  • Stay connected to the main work location via a secure Virtual Private Network (VPN)
  • Take care to prevent being overheard
  • Manage paper – keep your eyes and hands on it
  • Use a locked document case
  • Bring paper home to shred

Risk Management for Senior Management to Follow

Remote work policies and procedures for HIPAA compliance:

  • Provide, maintain and update all electronic devices
  • Encrypt devices, and install protective software and all software updates
  • Remotely monitor electronic device activity
  • Establish a secure Virtual Private Network (VPN) for the organization
  • Maintain PHI in the organization’s secure cloud storage
  • Use encrypted email and text message services
  • Provide regular training – remote work privacy & security
  • Establish procedures for destruction of PHI

Help with Risk Analysis-Risk Management

The HIPAA rules are a blueprint for creating remote work checklists. HIPAA compliance is easy to do step-by-step, once you know the steps. For remote work, staff and senior management need to prioritize privacy and security, follow the checklists and communicate regularly.

If you need help with policies, procedures or risk analysis for the main office or remote work, The HIPAA E-Tool® has answers.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
