Federal enforcement agencies are increasingly focusing on HIPAA breaches which involve mishandling of PHI by telecommuters.  Two recent cases illustrate the liability exposure resulting from inadequate oversight of staff working remotely.

Medical equipment supplier Lincare was fined $239,800 as a result of a breach which occurred when an employee left unprotected PHI in a car in the possession of her estranged husband.  An Administrative Law Judge upheld the penalty, noting that Lincare did not have policies in place requiring employees to safeguard medical information off-site.

In a second case, Cancer Care Group (CCG), an Indianapolis radiation oncology practice, entered into a $750,000 settlement with OCR after unencrypted backup tapes containing the PHI of more than 50,000 patients were stolen from a telecommuting employee’s vehicle. OCR required the group to enter into a Corrective Action Plan that included conducting a risk analysis and developing and implementing policies and procedures to prevent similar occurrences.

My partners Michael Kline and Elizabeth Litten were quoted in the November issue of Medical Practice Compliance Alert by Marla Durben Hirsch in her article entitled “Call it telecommuting or working remotely, it needs a HIPAA policy.”

It is increasingly common for employers, including health care providers, to allow staff to work off site on a full- or part-time basis. While it’s most commonly seen as working from home, it includes anywhere but the office, including on a train, in a coffee shop, while traveling from patient to patient or elsewhere, points out attorney Michael Kline with Fox Rothschild in Princeton, N.J.

But it increases the risk of HIPAA violations because the practice is no longer in control of some of the technical and physical safeguards required by HIPAA’s security rule to protect the PHI, points out attorney Elizabeth Litten, also with Fox Rothschild.

“There are more opportunities for things to go wrong,” Litten warns.

Among the tips suggested in the article are the following:

  1. Have clear policies about what practices are accepted and how workers will protect the data;
  2. Determine what hardware and software will be allowed and how it must be configured;
  3. Make sure that the PHI can be password-protected, encrypted or otherwise segregated if the employee does not have a dedicated computer, so that family members who have access to the computer can’t view the PHI. “You don’t want it accessed by little children who want to look at Bubble Guppies,” says Kline.
  4. Double check that your insurance policies allow telecommuting;
  5. Include PHI off the premises as part of your practice’s overall risk assessments and management;
  6. Incorporate protection of PHI into your practice’s telecommuting policy;
  7. Get the promise to protect PHI in writing; and
  8. Monitor how telecommuters handle PHI.

Failure to design and implement effective telecommuting policies and procedures contributed to the breaches at Lincare and CCG and may have substantially increased the magnitude of the financial penalties.  Ideally, covered entities and business associates should anticipate issues with telecommuters and roll out appropriate rules before any PHI leaves the office, but if you already have team members working remotely, it is better to address these risks late than never.