Don’t Forget About HIPAA While You’re Working from Home
Many of us now find ourselves working from our home offices, the kitchen table or maybe even sitting in our cars in the garage to have quiet on a conference call while our kids, spouses, and/or pets are running around the house. Our new normal for the next several weeks is anything but normal for many employers and employees. I have yet to talk to a client or individual who isn’t scrambling to figure out how to do their work, keep their company afloat, compensate their employees while they are off, many of whom are home schooling their children in the process. But while on one hand it feels like everything has changed, on the other hand some things have remained the same – such as the HIPAA privacy and security rules. With a very limited exception, which we discussed in a prior post, the HIPAA rules still apply.
If you are subject to HIPAA as either a covered entity (self-insured group health plan, health care provider or health care clearinghouse) or as a business associate of a covered entity, you need to ensure that you are continuing to be diligent regarding your privacy and security policies. The first thing that we recommend you do is to review your current HIPAA policies and procedures regarding what policies you have that address telecommuting or working outside of the office. You may need to amend your HIPAA policies and procedures if they currently prohibit actions that your employees are now taking. The revisions to the policy could be temporary in nature and be lifted once the current emergency is behind us.
It is possible that you never considered telecommuting when you wrote your HIPAA policies. However, many of your policies and procedures could still be applied even to a home office. For example, do you require that employees shred all hard copies that contain protected health information when they are done with the paper (if not, you should)? This procedure should be applied at home. If you have employees that will be printing large amounts of PHI, you should consider purchasing shredders for them or, at a minimum, letting them know that they must lock up the paper until such time as they have access to a shredder.
Other procedures that many HIPAA policies contain, or should contain, and that must be followed during this time include:
- Prohibiting anyone other than the employee from using their work devices that contain PHI. While ABC Mouse may be saving some parents in their home schooling while working efforts, their kids should not be viewing it or anything else on their work devices.
- Ensuring that their devices have up-to-date anti-virus protection. You may want to check with your vendor to see if they are offering additional licenses for your employees’ personal devices they may be using (our vendor offered all of our employees free software for their personal devices).
- Only accessing your systems on a secure network. Some employees may not have their home Wi-Fi networks password protected, and this needs to change if they are going to be accessing PHI from these networks. In practice that means the home router should be set to WPA2 or WPA3 encryption with a strong passphrase, not left open or on the obsolete WEP standard.
- Shielding their screens while accessing PHI. While employees may think people in their home are uninterested in what is on their screen, it would still be a violation of HIPAA if a family member was able to see any PHI.
- Disconnecting from the network when not working. Employees should log off of any systems that contain PHI when they have to step away from their “office.” If your policies require that all computers automatically lock or log off after a set period of inactivity, employees should ensure the devices they are using at home are configured the same way.
- Sending PHI encrypted. As many of us are emailing information that previously we may have communicated in-person, it is an important reminder that it is a best practice (and may be required by your policies) to send PHI encrypted. And more importantly PHI should never be sent through personal emails (gmail, Hotmail, etc.).
- Not having conversations about PHI in front of smart devices. Because many smart speakers and assistants (e.g., Google Home, Amazon Echo, etc.) are able to listen to conversations, it may be a violation of HIPAA to discuss PHI in front of them. Employees should unplug these devices in the rooms they are working in before having such conversations.
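For the automatic lock/logoff item in the list above, the following is an added example (not part of the original post) showing how a Windows user can check and set the screen-saver lock that enforces an idle timeout on a home PC. The 15-minute value, the assumed policy, and the use of per-user registry keys are assumptions for illustration; a domain-joined office machine would normally receive the same settings through Group Policy, which overrides anything set here.

```powershell
# Added example, not from the original post. Configures the Windows screen saver
# to activate after a period of inactivity and to require a password on resume,
# the same control a managed office PC typically enforces by Group Policy.
# The timeout (900 seconds = 15 minutes) is an assumed policy value; use yours.

$IdleSeconds = 900
$DesktopKey  = 'HKCU:\Control Panel\Desktop'

# Record the current settings before changing anything
Get-ItemProperty -Path $DesktopKey |
    Select-Object ScreenSaveActive, ScreenSaveTimeOut, ScreenSaverIsSecure, 'SCRNSAVE.EXE'

# Enable the screen saver, set the idle timeout, and require a password to resume.
# These values are stored as REG_SZ strings, which is why the numbers are quoted.
Set-ItemProperty -Path $DesktopKey -Name ScreenSaveActive    -Value '1'
Set-ItemProperty -Path $DesktopKey -Name ScreenSaveTimeOut   -Value "$IdleSeconds"
Set-ItemProperty -Path $DesktopKey -Name ScreenSaverIsSecure -Value '1'
Set-ItemProperty -Path $DesktopKey -Name 'SCRNSAVE.EXE'      -Value "$env:SystemRoot\System32\scrnsave.scr"

# Verify the change: password required on resume and timeout no longer than policy
$after = Get-ItemProperty -Path $DesktopKey
if ($after.ScreenSaverIsSecure -ne '1' -or [int]$after.ScreenSaveTimeOut -gt $IdleSeconds) {
    Write-Warning 'Screen lock is not configured as required; contact IT before accessing PHI.'
} else {
    Write-Host "Screen lock enabled: locks after $($after.ScreenSaveTimeOut) seconds of inactivity."
}

# To lock immediately when stepping away from the desk, rather than waiting
# for the timeout, run the following line:
# rundll32.exe user32.dll,LockWorkStation
```

Changes to these keys generally take effect at the next sign-in. On a domain-joined device the equivalent settings live under User Configuration > Administrative Templates > Control Panel > Personalization (“Enable screen saver”, “Screen saver timeout”, “Password protect the screen saver”) and are pushed centrally, so employees on personal devices are the ones who need to check this themselves.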
You inevitably have a lot on your plate right now, but if you are subject to HIPAA and have employees with access to PHI that are newly telecommuting, we strongly recommend reviewing your HIPAA policies and sending out a communication to applicable employees reminding them of the importance of HIPAA compliance even in our new world. If you are having employees sign a telecommuting policy, it is a good idea to contain an acknowledgment that they understand that they must continue to comply with the company’s HIPAA policies and procedures. If your plate is too full to handle this review, we have a team of attorneys that are ready, willing, and able to assist.