In today’s digital age, it should come as no surprise that the number of employees working from home has been steadily increasing over the past decade. In fact, in the last 15 years, telecommuting positions have grown by a whopping 140%. (1) While new technologies have made telecommuting more possible through easier and more efficient ways of transmitting data, it has also created increased risk of loss and disclosure of sensitive information. Which is why is it is critical for healthcare facilities and organizations who have remote employees with access to EPHI, to implement and manage HIPAA guidelines.
In fact, OCR has issued some heavy financial penalties for breaches involving remote workers, for the failure to properly manage and oversee telecommuters’ access and protection to PHI.
Below are just a couple examples:
- In February 2016, the OCR levied a $239,800 fine against the respiratory care provider Lincare for a “breach of HIPAA” or “failure to prevent disclosure of PHI.” The breach occurred as a result of a remote employee that breached the PHI of 278 patients by exposing and abandoning their sensitive information. The court ruled that Lincare did not have adequate policies and procedures in place to safeguard patient information. (5)
- In 2015, Cancer Care Group agreed to a $750,000 settlement, after a remote employee lost a laptop and backup drive when their car was stolen. The laptop contained more than 50,000 patients PHI. OCR also found that Cancer Care Group did not have a written policy regarding the removal of hardware containing PHI into and out of its facilities. They also failed to conduct a risk analysis when the breach initially occurred. (4)
So how can you safeguard your organization, protect your patients PHI, and keep your remote workers HIPAA compliant? To start, it is essential to review and define all remote employee policies and ensure they are up-to-date and signed.
HHS has created a complete guidance document to protecting PHI, for covered entities with remote workers at: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
We have included some of the highlights below:
- Implement risk analysis and risk management strategies- Analyse your risk. How many employees are working remotely? Will these employees connect to the network or through a cloud-based system? Will the employee use their personal computer, or will the organization provide the computer? When the analysis has been completed, it is necessary to develop risk management strategies to reduce the risks and vulnerabilities to a reasonable and appropriate level. It is also essential to make sure there are processes in place to verify policies are being followed. Continuous and ongoing risk management is always necessary. (3)
- Create and implement policies and procedures- Create and implement policies and procedures. If there are no policies or the policy is not followed, it will be considered wilful neglect. Covered entities must develop and implement policies and procedures to protect EPHI that is stored on portable devices and transportable media. According to HHS, covered entities must also establish and enforce appropriate policies and procedures to secure EPHI that is being transmitted over an electronic communications network. In addition, covered entities must develop and implement policies and procedures for authorizing EPHI access in accordance with the HIPAA Security Rule at §164.308(a)(4) and the HIPAA Privacy Rule at §164.508. It is essential that only employees who have been trained and have proper authorization are granted access to EPHI. (3)
- Implement security awareness and training- HHS requirements include the implementation of security awareness and training. In addition, it is necessary for a covered entity’s training program to address the vulnerabilities associated with remote access to EPHI. Training should also provide, clear and concise instructions for accessing, storing, and transmitting EPHI. (3)
For further information or assistance regarding HIPAA requirements for remote employees, contact the experts at MedSafe for a free consultation. MedSafe is the nation’s leading one-stop resource for outsourced safety and health compliance solutions in healthcare.
Toll-free: (888) MED-SAFE