With more and more remote workers in the healthcare space, PHI security should be a top concern. A recent survey determined that 44% of employees are currently working from home, and several employers expect workers to continue working remotely permanently. So what does this mean for cybersecurity and HIPAA compliance? To provide healthcare organizations with guidance, this article discusses remote workers and HIPAA.
Remote Workers and HIPAA: Data Privacy
As a requirement of HIPAA, organizations working with protected health information (PHI) must ensure the confidentiality, integrity, and availability of the data. When you suddenly have a remote workforce, this becomes more difficult to accomplish, and you therefore must adjust your business practices.
Paper records.
Paper records are still used frequently in the healthcare field. When working from home, healthcare workers may be printing medical records in their home office, so they must be cognizant of who in their household has the potential to view them. Records that contain any patient information must be kept in a secure location, such as a locked filing cabinet or a locked office. Otherwise, if an unauthorized individual views these paper documents, even a family member who sees them accidentally, this is considered a HIPAA violation.
Access controls.
There are several instances in which remote workers would require access to their organization’s network. In these cases, it is essential that the organization has policies and procedures in place for secure remote access. This may include requiring employees to connect to a virtual private network (VPN) before connecting to the organization’s network, or requiring the use of multifactor authentication.
PHI disposal.
Perhaps the most challenging aspect of remote workers and HIPAA is how to dispose of records in a secure manner. Paper records that are no longer needed must be shredded, burned, pulped, or pulverized beyond recognition, or stored in a secure location until they can be properly disposed of. The difficult aspect of proper PHI disposal is when the records are electronic. For electronic PHI disposal, organizations likely must contract with a third party, which means remote workers must have clear guidelines on how to comply with ePHI disposal requirements when they aren’t working in the office.
Security risk assessment.
Security risk assessments (SRAs) must be conducted annually; however, it is recommended to conduct an SRA whenever there are changes to your business practices, such as the shift to a remote workforce. Having remote workers poses a significant cybersecurity risk to any organization, so it is important to identify the risks and vulnerabilities a remote workforce presents. By conducting an SRA, gaps in current security practices are identified so that organizations can create remediation plans to close them.
Vendor management.
Just as it is important to conduct SRAs when there are changes to your organization’s business practices, it is important to consider your vendors’ risks. Many of your vendors have likely converted to a largely remote workforce, so it is essential to reassess the risk they pose to your organization’s security by sending vendor risk assessments to any vendor that has the potential to access PHI.
HIPAA policies and procedures.
Healthcare organizations must have HIPAA policies and procedures that relate directly to the way their business operates. So it isn’t surprising that organizations with remote workers must have policies and procedures that provide guidelines on how to comply with HIPAA with a remote workforce. To ensure that your organization complies with HIPAA while your workforce is remote, you must either adapt your existing policies to account for the changes a remote workforce brings to your business, or create new policies and procedures for working remotely.
Office reopenings.
When workers begin to return to the office, they will likely be on a hybrid work schedule, working both from the office and at home. This can pose risks when employees are bringing paperwork or electronic portable devices back and forth. When reopening, organizations must consider this risk and develop policies and procedures to minimize PHI exposure.