With more and more healthcare workers working remotely, PHI security should be a top concern. A recent survey found that 44% of employees are currently working from home, and several employers expect workers to continue working remotely permanently. So what does this mean for cybersecurity and HIPAA compliance? This article discusses remote workers and HIPAA to provide healthcare organizations with guidance.

Remote Workers and HIPAA: Data Privacy

HIPAA requires organizations that work with protected health information (PHI) to ensure the confidentiality, integrity, and availability of that data. When you suddenly have a remote workforce, this becomes more difficult to accomplish, and you must adjust your business practices accordingly.

Remote Workers and HIPAA

Paper records.

Paper records are still used frequently in the healthcare field. Healthcare workers working from home may print medical records in their home office, so they must be cognizant of who in their household could view them. Records that contain any patient information must be kept in a secure location such as a locked filing cabinet or a locked office. Otherwise, if an unauthorized individual views these paper documents, even a family member who sees them accidentally, that is an impermissible disclosure and a HIPAA violation.

Access controls.

There are several situations in which remote workers need access to their organization's network. In these cases, it is essential that the organization have policies and procedures in place for secure remote access. These may include requiring employees to connect through a virtual private network (VPN) before accessing the organization's network, and requiring multifactor authentication (MFA). MFA should be enforced on the VPN connection itself, so that a stolen password alone does not grant access to the network. Remote access should also be logged, since HIPAA's audit control requirements apply regardless of where the workforce member is working.

PHI disposal.

Perhaps the most challenging aspect of remote workers and HIPAA is disposing of records in a secure manner. Paper records that are no longer needed must be shredded, burned, pulped, or pulverized beyond recognition, or stored in a secure location until they can be properly disposed of. Disposal becomes more difficult when the records are electronic: deleting a file or emptying the recycle bin does not remove the data from the drive. For electronic PHI (ePHI) disposal, organizations will likely need to contract a third party to sanitize or destroy the media, which means remote workers must have clear guidelines on how to comply with ePHI disposal requirements when they are not working in the office, such as returning devices and removable media to the organization for disposal rather than discarding them at home.

Security risk assessment.

Security risk assessments (SRAs) must be conducted at least annually; however, it is recommended to conduct an SRA whenever your business practices change, such as the shift to a remote workforce. Remote workers pose a significant cybersecurity risk to any organization, so it is important to identify the risks and vulnerabilities a remote workforce introduces, such as unmanaged home networks and personal devices. An SRA identifies gaps in current security practices so that the organization can create remediation plans to address them.

Vendor management.

Just like it is important to conduct SRAs when there are changes to your organization’s business practices, it is important to