If your company is a covered entity or a business associate, you face unique challenges when workforce members ask or are required to work from home. Hopefully, your company’s HIPAA Security Policies and Procedures address the use of portable devices, whether they are owned by the employer or by the employee, and your HIPAA security risk assessment should take into account any location in which electronic protected health information (PHI) might be created, received, maintained or transmitted.  Still, it’s important to remind employees of their obligations with respect to HIPAA compliance and to make sure PHI is protected when used or disclosed outside of the office, particularly when Coronavirus concerns result in changes to the way in which information is typically accessed or communicated.

Here are a few HIPAA privacy and security basics to keep in mind if employees will be handling PHI while working from home.

A is for Access: Check that home devices have access controls, such as automatic logoff.  Implement technical policies and procedures that grant access rights to specified workforce members, and that limit access to only those systems and software programs that have been approved by the company.  See HHS FAQ on this topic here.

B is for Breach: Remind employees how to avoid breach scenarios that are more likely to occur when working off-site: prevent family members or guests from viewing or overhearing PHI, do not use public or unsecured networks to access or communicate PHI, and be aware of where copies of PHI are made and stored, whether paper or electronic. Implement a policy and procedure for employees to return paper and electronic files to the employer’s office or system and destroy copies that could end up in home trashcans or on personal devices.

C is for (secure) Connection: Check that employees have access to a secure network connection. The HIPAA Security Rule requires that you document establishment of all safeguards (technical, physical, and administrative) needed to protect information exchanged in a network. Check the HIPAA Security Rule on transmission security, and document how you have addressed integrity controls and encryption. See HHS FAQs on this topic here and here.