HIPAA Compliance and Working from Home: Specific Rules for Employees
A 2015 study conducted by telecommuting research firm Global Workplace Analytics found that 3.9 million American workers said they telecommuted at least half of the time in 2015. This figure represents an increase of over 100 percent from the 1.8 million U.S. employees who said the same in 2005. The percentage of employees who telecommute, either by working from home or by working outside of the office (for example, by traveling to and from patients’ homes), continues to rise to this day, and the number of employees working from home is expected to keep rising. While working outside the office may increase productivity and reduce employer costs, it is not necessarily a good thing for HIPAA compliance. If proper telecommuting privacy and security measures are not in place, HIPAA Privacy Rule and Security Rule violations may occur.
HIPAA Compliance and Working from Home
HIPAA rules apply to covered entity employees whether work is performed at the office, at home, or at a patient’s home. HIPAA compliance and working from home do not fit hand in glove for one simple reason: working at home (or at a patient’s house) can put patients’ protected health information (PHI) at risk, which raises both HIPAA Privacy Rule and HIPAA Security Rule concerns.
Fortunately, these concerns can be addressed systematically by adopting specific work-from-home guidelines and requirements and taking concrete measures to enforce them.
Employers can, for example, take the following steps to ensure mobile device security:
- Encrypt home wireless router traffic.
- Change the default passwords on wireless routers.
- Encrypt and password-protect any personal devices employees may use to access PHI.
- Configure personal devices before allowing them to access the network. Covered entities can also specify which brands and versions of personal devices are permitted to access company data.
- Ensure all devices that access your network are properly configured (i.e., encrypted, with password, firewall, and antivirus protection).
- Encrypt all PHI before it is transmitted.
- Require employees to use a VPN when they remotely access the company intranet.
Additional steps employers can take include:
- Develop policies and procedures prohibiting employees from allowing friends and family to use devices that contain PHI.
- Have employees sign a Confidentiality Agreement before they begin work.
- Create a Bring Your Own Device (BYOD) Agreement, with clear usage rules.
- Provide lockable file cabinets or safes for employees who store hard copy (paper) PHI in their home offices.
- Provide HIPAA-compliant shredders for remote workers so these workers can destroy paper PHI at their work location once the PHI is no longer needed.
- Develop and require adherence (through a sanctions policy) to a media sanitization policy.
- Ensure employees disconnect from the company network when their work is complete. This can be enforced by measures such as having IT configure session timeouts.
- Maintain and periodically review logs of remote access activity.
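The last three controls above (session timeouts, review of remote-access logs, and an approved-device list), together with the per-employee access-level inventory described later under "Telecommuting and Safeguarding of PHI", can be checked mechanically. The following Python script is an added example written for this page; it is not code from the original article or from any covered entity. The log format, the inventory contents, the level names (`no-phi`, `phi-read`, `phi-write`), the 30-minute idle timeout, and all sample log lines are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed inventory (assumption): for each remote employee, the highest PHI
# access level they are authorized for and the device IDs registered under the
# BYOD agreement. A real deployment would pull this from the HR/IT inventory.
ACCESS_INVENTORY = {
    "jdoe":   {"level": "phi-read", "devices": {"LT-0412"}},
    "asmith": {"level": "no-phi",   "devices": {"LT-0509"}},
}
LEVEL_RANK = {"no-phi": 0, "phi-read": 1, "phi-write": 2}
IDLE_TIMEOUT = timedelta(minutes=30)  # assumed policy value

# Constructed remote-access log in a simplified format (assumption):
#   <ISO timestamp> <user> <device-id> <event> [<resource> <level>]
SAMPLE_LOG = """\
2023-03-01T08:00:00 jdoe LT-0412 connect
2023-03-01T08:05:00 jdoe LT-0412 access ehr phi-read
2023-03-01T08:10:00 jdoe LT-0412 disconnect
2023-03-01T09:00:00 asmith LT-0509 connect
2023-03-01T09:02:00 asmith LT-0509 access ehr phi-read
2023-03-01T12:00:00 jdoe LT-9999 connect
2023-03-01T12:01:00 jdoe LT-9999 access ehr phi-write
"""


@dataclass
class Event:
    ts: datetime
    user: str
    device: str
    kind: str                      # connect | access | disconnect
    resource: Optional[str] = None
    level: Optional[str] = None


def parse_log(text: str):
    """Parse the constructed log format into Event records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ev = Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3])
        if ev.kind == "access" and len(parts) >= 6:
            ev.resource, ev.level = parts[4], parts[5]
        events.append(ev)
    return events


def review_remote_access(log_text: str, inventory: dict, review_time: str):
    """Return (user, device, finding) tuples for policy deviations in the log.

    Checks: unknown users, unregistered devices, PHI access above the employee's
    authorized level, and sessions left open past the idle timeout as of review_time.
    """
    now = datetime.fromisoformat(review_time)
    findings = []
    flagged_devices = set()
    open_sessions = {}  # (user, device) -> timestamp of last activity

    for ev in parse_log(log_text):
        entry = inventory.get(ev.user)
        if entry is None:
            findings.append((ev.user, ev.device, "user not in remote-access inventory"))
            continue
        if ev.device not in entry["devices"] and (ev.user, ev.device) not in flagged_devices:
            flagged_devices.add((ev.user, ev.device))
            findings.append((ev.user, ev.device, "unregistered device"))
        if ev.kind in ("connect", "access"):
            open_sessions[(ev.user, ev.device)] = ev.ts
        if ev.kind == "access":
            if LEVEL_RANK.get(ev.level, 99) > LEVEL_RANK[entry["level"]]:
                findings.append((ev.user, ev.device,
                                 f"{ev.level} access to {ev.resource} exceeds authorized {entry['level']}"))
        elif ev.kind == "disconnect":
            open_sessions.pop((ev.user, ev.device), None)

    # Any session still open and idle longer than the policy timeout means the
    # timeout control is not being enforced for that user/device.
    for (user, device), last in open_sessions.items():
        idle = now - last
        if idle > IDLE_TIMEOUT:
            mins = int(idle.total_seconds() // 60)
            findings.append((user, device,
                             f"session still open {mins} min after last activity; idle timeout not enforced"))
    return findings


if __name__ == "__main__":
    for user, device, note in review_remote_access(SAMPLE_LOG, ACCESS_INVENTORY, "2023-03-01T18:00:00"):
        print(f"{user:8} {device:8} {note}")
```

Run against the constructed log, the review flags asmith's PHI access despite a `no-phi` authorization, jdoe's unregistered laptop and above-level access from it, and two sessions that were never disconnected. In practice the inventory and the log would come from the VPN concentrator and the device registry, but the review logic is the same: compare what the logs show against what the policy permits.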
Fines Caused By Working From Home/Telecommuting
Recent fines levied by the Department of Health and Human Services’ (DHHS) Office for Civil Rights (OCR), based on covered entities’ failure to properly manage telecommuter access to PHI and electronic PHI (ePHI), dramatically illustrate this point.
In 2015, Cancer Care Group (CCG), an Indiana-based radiation oncology practice, found out that telecommuting, rather than saving money, can be brutal on the bottom line. That year, CCG agreed to settle with DHHS for $750,000 for potential HIPAA violations.
In 2012, CCG suffered a data breach. The facts of the breach would be considered almost quaint, were they not so lethal. An employee who had been given permission to telecommute lost their laptop and backup drive as a result of car theft. The laptop contained the PHI of over 50,000 patients.
OCR investigated this incident and determined that CCG had failed to take a number of basic measures required under the HIPAA Security Rule. One such failure was the failure to conduct an enterprise-wide risk analysis when the breach first occurred. Such an analysis might have led CCG to discover that stricter measures were needed to prevent the threats created by telecommuting. Put more simply, had CCG analyzed risk, it would have discovered it needed a policy for telecommuting employees that required those employees to take physical and security measures to protect laptop devices.
OCR, indeed, discovered that Cancer Care Group had no written policy regarding the removal of hardware containing PHI into and out of its facilities.
This lack of a written policy constituted a clear violation of the HIPAA Security Rule.
One of the HIPAA Security Rule physical safeguards is the Device and Media Controls standard. Under this standard, covered entities are required to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”
CCG was not the only employer whose telecommuting arrangements resulted in HIPAA violations. The respiratory medical group Lincare paid $240,000 to settle a data breach matter.
The facts of the Lincare breach sound like something out of a bad HIPAA soap opera. A manager from Lincare had left behind approximately 300 patient records in her car after deciding to leave her husband. Believe it or not, the manager was actually complying with an (unwritten) company policy, which simply required that such records, as well as procedure manuals, be securely stowed away in cars as a form of data backup.
The manager left behind her car and her husband. However, the husband continued to have access to the vehicle. The husband later contacted Lincare and OCR to report he had discovered the private records.
When the matter got to a hearing before an Administrative Law Judge (ALJ), the judge ruled in favor of OCR, finding that, as an organization, Lincare had failed to implement effective HIPAA compliance guidelines.
Telecommuting and Safeguarding of PHI
Organizations can follow some basic procedures to minimize the risk that PHI in transit or stored in a worker’s home is disclosed without authorization. The first and most basic of these procedures is:
- Developing rules for remote employees in security policies and procedures. To do this, covered entities should make a list of all employees, and indicate, for each employee, the level of information to which that employee has access.