Working from home has become essential for many covered entity and business associate employees across the world during the COVID-19 pandemic. For administrative staff who are not on the front line, remote work is becoming the norm, and it’s easy to comply with HIPAA, if you know the rules.
HIPAA rules are the same at home for employees working with protected health information as they are in the office. Do it right, and think about a plan for a home office that maintains your compliance.
Virtual Private Network (VPN) security
When employers began sending employees home to work in early March 2020, they set up Virtual Private Networks (VPNs) to connect home workstations to the office network. These were sometimes configured hastily, and employers missed some security checks. Cybercriminals were able to take advantage.
On March 13, 2020, the Department of Homeland Security (DHS) issued an alert about Virtual Private Networks (VPNs). It was updated on April 15.
Read the one-page alert for a full explanation, but several key tips discussed are:
- Update and patch all software and all devices in line with the latest guidance
- Alert employees to phishing risks and review cybersecurity training
- Use Multi-Factor Authentication for all connections and strengthen passwords
The HIPAA Security Rule requires that, for workforce members of a HIPAA compliant organization who handle PHI:
- physical safeguards should be in place for any workstation that holds electronic PHI, and
- access to such workstations should be restricted to those who are authorized. Under HIPAA, “authorized” means someone authorized by the HIPAA compliant organization to read, write, or communicate about PHI.
Under HIPAA, “workstation” is defined not only as an electronic device, like a computer, a laptop, or a smartphone, but also as electronic media, like flash drives, backup disks, and hard drives.
As a practical matter, this means that work should not be done on a computer (or electronic media) which is shared with others in the household. Ideally, the workstation should either be in a private room, or if in a shared room at home, the screen should be shielded from view by others.
Other key tips:
- Electronic media kept in the immediate area of a workstation should be placed in a secure location, such as a locked drawer or cabinet, when not being used by the authorized workforce member.
- The workstation (the computer or laptop) should have automatic log-off configured, to help maintain security.
- The workstation should be turned off (not put to sleep) when the work is finished.
Ideally, an organization complying with HIPAA will supply company-owned devices to workforce members who work from home. Maintaining security on these devices is easier to manage and control. This also makes it easier for workforce members themselves to restrict access – to prevent family members from using their device.
Practically speaking though, many workforce members will use one or more of their own devices to do their work. They may use a laptop, an iPad or other tablet, or a smartphone to conduct some work involving PHI. This is permitted under HIPAA, but the Security Rule requirements for workstation security are critically important.
At The HIPAA E-Tool® we have created a “Bring/Use Your Own Device” policy to make clear the requirements workforce members should agree to if their own device will maintain or transmit PHI. A workforce member must permit the HIPAA compliant organization to:
- Encrypt the electronic device;
- Install and maintain protective software;
- Install all available updates and security patches to software on the device;
- Make random, unannounced inspections of the device; and
- Sanitize the device (make data on it unusable, unreadable, or indecipherable), either
  - before the workforce member disposes of the device; or
  - when the person is no longer a workforce member.
The policy also includes other requirements for workforce members about restrictions on the use of their devices, such as not transmitting PHI to unauthorized persons, using good password protections, and reporting loss or theft of the device.
Review Cybersecurity Training
All workforce members should regularly review cybersecurity training to stay aware of the methods cybercriminals use to trick people into letting them into the system. Phishing through email remains the top method that cybercriminals use to gain entry and steal data.
Review, refresh, review – how to recognize the most common methods still in use: an email whose sender looks familiar, a link inside the email, or an attachment you were not expecting. The basic rule is Think Before You Click!, but workforce members need more specific training at least once a year – this training helps them not only at work, but in their personal lives, since phishing and cybersecurity are issues everyone faces almost every day.
The HIPAA E-Tool® contains both basic HIPAA training and cybersecurity awareness training, designed for busy workforce members to learn how to recognize cybercrime, and what to do if it happens to them.
If you have questions about how to manage or improve privacy and security of PHI in a remote work environment, let us know! We have answers.