In
today’s digital age, it should come as no surprise that the number of employees
working from home has been steadily increasing over the past decade. In fact,
in the last 15 years, telecommuting positions have grown by a whopping 140%.
(1) While new technologies have made telecommuting more possible through easier
and more efficient ways of transmitting data, it has also created increased risk
of loss and disclosure of sensitive information. Which is why is it is critical
for healthcare facilities and organizations who have remote employees with
access to EPHI, to implement and manage HIPAA guidelines.
In
fact, OCR has issued some heavy financial penalties for breaches involving
remote workers, for the failure to properly manage and oversee telecommuters’ access
and protection to PHI.
Below
are just a couple examples:
- In
February 2016, the OCR levied a $239,800 fine against the respiratory care
provider Lincare for a “breach of HIPAA” or “failure to prevent disclosure of
PHI.” The breach occurred as a result of a remote employee that breached the
PHI of 278 patients by exposing and abandoning their sensitive information. The
court ruled that Lincare did not have adequate policies and procedures in place
to safeguard patient information. (5)
- In
2015, Cancer Care Group agreed to a $750,000 settlement, after a remote
employee lost a laptop and backup drive when their car was stolen. The laptop
contained more than 50,000 patients PHI. OCR also found that Cancer Care Group
did not have a written policy regarding the removal of hardware containing PHI
into and out of its facilities. They also failed to conduct a risk analysis
when the breach initially occurred. (4)
So how
can you safeguard your organization, protect your patients PHI, and keep your
remote workers HIPAA compliant? To start, it is essential to review and define
all remote employee policies and ensure they are up-to-date and signed.
HHS has
created a complete guidance document to protecting PHI, for covered entities
with remote workers at: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
We have
included some of the highlights below:
- Implement risk analysis and risk
management strategies- Analyse your risk. How many employees are working remotely? Will these
employees connect to the network or through a cloud-based system? Will the
employee use their personal computer, or will the organization provide the
computer? When the analysis has been completed, it is necessary to develop risk
management strategies to reduce the risks and vulnerabilities to a reasonable
and appropriate level. It is also essential to make sure there are processes in
place to verify policies are being followed. Continuous and ongoing risk
management is always necessary. (3)
- Create and implement policies
and procedures- Create and implement policies and procedures. If there are no policies or the
policy is not followed, it will be considered wilful neglect. Covered entities
must develop and implement policies and procedures to protect EPHI that is
stored on portable devices and transportable media. According to HHS, covered
entities must also establish and enforce appropriate policies and procedures to
secure EPHI that is being transmitted over an electronic communications
network. In addition, covered entities must develop and implement policies and
procedures for authorizing EPHI access in accordance with the HIPAA Security
Rule at §164.308(a)(4) and the HIPAA Privacy Rule at §164.508. It is essential
that only employees who have been trained and have proper authorization are
granted access to EPHI. (3)
- Implement security awareness and
training- HHS requirements include the implementation of security awareness and
training. In addition, it is necessary for a covered entity’s training program
to address the vulnerabilities associated with remote access to EPHI. Training
should also provide, clear and concise instructions for accessing, storing, and
transmitting EPHI. (3)
For
further information or assistance regarding HIPAA requirements for remote
employees, contact the experts at MedSafe for a free consultation. MedSafe is
the nation's leading one-stop resource for outsourced safety and health
compliance solutions in healthcare.
Toll-free: (888) MED-SAFE
www.medsafe.com
References:
- https://globalworkplaceanalytics.com/telecommuting-statistics
- https://www.flexjobs.com/blog/post/1-field-for-at-home-work-medical-and-health-telecommuting-jobs/
- https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
- https://www.hipaajournal.com/new-ocr-hipaa-penalty-cancer-care-group-to-pay-750000-8087/
- https://www.hipaajournal.com/lincare-inc-ordered-t...