When the pandemic hit, suddenly almost everyone was working from home and we had to make up procedures on the fly. But now at least part-time remote work is here to stay. The shift has been seismic in healthcare.
A wide variety of jobs can be performed remotely. Hospital administrators, office managers, billing and coding professionals and IT staff all can work from home, at least part of the time. Telehealth now allows physicians, therapists, and home health workers to work remotely. Both covered entities and business associates have staff working from home.
HIPAA compliance still matters. Remote work presents new risks for safeguarding protected health information (PHI), so care needs to be taken to manage those risks and follow HIPAA.
Start with Risk Analysis and Risk Management
Risk Analysis is fundamental and everything follows from there. Every question asked in the HIPAA Risk Analysis for the main location needs to be asked for each location where staff work, whether a home workspace, a co-working shared space or on the road. Senior management should create a remote work checklist to help workers analyze the risks, from a HIPAA perspective, of every workspace.
Create Remote Work Checklists for Risk Analysis and Risk Management
HIPAA compliance requires everyone in the organization to cooperate and contribute – staff and senior management both have responsibilities. The risk analysis for remote work should mirror the one for the main location – to evaluate how PHI is kept secure.
Risk Analysis for Remote Work
A Risk Analysis checklist should include answers to the following questions:
- Where do you maintain PHI?
- In what form or format do you maintain PHI?
- Who has access to your workspace?
- How do you protect the Privacy and Security of PHI?
- How do you dispose of PHI when it is no longer needed?
- How do you transmit PHI?
- How do you protect the Privacy and Security of PHI during transmission?
Risk Management for Staff to Follow
The following checklist is for the home office or co-working space, remote from the main work location.
- The workspace should be private
- Use a locked file cabinet or drawer for paper records
- All electronic devices (computers, thumb and backup drives, and mobile devices such as tablets and cell phones) should be encrypted and used by a single person only
- Staff should be connected to the main work location via a secure Virtual Private Network (VPN)
- Encrypt emails and text messages
- Use a crosscut shredder to dispose of paper PHI
- Sanitize electronic devices before disposal
The following checklist is for working on the road, i.e., not at home and not in an office:
- Never use public wi-fi
- Use only encrypted electronic devices
- Keep the encryption key safely separate from the encrypted device
- Stay connected to the main work location via a secure Virtual Private Network (VPN)
- Take care to prevent being overheard
- Manage paper – keep your eyes and hands on it
- Use a locked document case
- Bring paper home to shred
Risk Management for Senior Management to Follow
Remote work policies and procedures for HIPAA compliance:
- Provide, maintain and update all electronic devices
- Encrypt devices, install protective software and apply all software updates
- Remotely monitor electronic device activity
- Establish an organization-wide secure Virtual Private Network (VPN)
- Maintain PHI in the organization’s secure cloud storage
- Use encrypted email and text message services
- Provide regular training on remote work privacy and security
- Establish procedures for destruction of PHI
Help with Risk Analysis and Risk Management
The HIPAA rules are a blueprint for creating remote work checklists. HIPAA compliance is easy to do step-by-step, once you know the steps. For remote work, staff and senior management need to prioritize privacy and security, follow the checklists and communicate regularly.
If you need help with policies, procedures or risk analysis for the main office or remote work, The HIPAA E-Tool® has answers.