What HIPAA Considerations Apply to Work-from-Home Employees?
Question: Our company sponsors a self-insured health plan. Many plan functions are administered by a third-party administrator, but employees in our benefits department also access protected health information (PHI) when dealing with the third-party administrator and participants.
Most of these employees are now working from home because of the novel coronavirus (COVID-19) crisis. What considerations apply to them under the Health Insurance Portability and Accountability Act (HIPAA)?
Answer: Remote work can provide significant advantages, and in circumstances such as the COVID-19 emergency, it may be essential. But it also creates privacy and security challenges. The HIPAA privacy and security rules apply to PHI used, disclosed, created, received, maintained or transmitted by employees of covered entities and business associates, regardless of where the employees are located.
All HIPAA policies and procedures that you follow in an employer’s office or facility apply equally to employees working from home. However, the policies and procedures may need to be adapted to address additional vulnerabilities created by remote work. Coordination with a multidisciplinary team of IT, legal, HR, operations and other professionals will help mitigate risk.
Privacy and security
With respect to the HIPAA privacy rule, remember that PHI is broader than diagnosis and treatment information. It includes demographic information such as participants’ addresses, phone numbers, email addresses and financial information, as well as information about their participation in the health plan. When working from home, employees should ideally:
- Have private workspaces, where others can’t overhear conversations involving PHI
- Use only company-issued devices and never access PHI on shared devices, and
- Put hardcopies of PHI in a locked filing cabinet, shredding anything they can’t store securely.
Regarding the HIPAA security rule, your organization’s risk analysis and risk management plan should already address remote work. But a substantial increase in the number of remote employees would likely be viewed as an operational change requiring re-evaluation of threats and vulnerabilities and appropriate safeguards.
3 prongs of security
Your risk management plan should address the three prongs of the HIPAA security rule. These are:
- Physical safeguards. Although the security rule applies to electronic PHI, physical safeguards are still important. Employers should track the location of each computer accessing PHI. Lost or stolen computers may result in unauthorized disclosure of large amounts of PHI, so making sure employees keep them in a secure room is critical.
In addition, employees need to report loss or theft immediately. Devices should never be left unattended in a vehicle or in a public space. Employees may be tempted to write down passwords and keep them near their computer; this practice is as unacceptable when working remotely as it would be on the employer’s premises.
- Technical safeguards. Controlling access is key. This includes:
  - Restricting access to the minimum-necessary PHI for each employee’s job function,
  - Requiring unique user IDs and passwords,
  - Implementing automatic log-off or screen-lock, and
  - Using robust encryption tools.
Advise employees to avoid downloading and storing PHI directly on their computers. An individual machine often has weaker protection than a network; cloud storage may be more secure. Be aware that portable storage media of uncertain provenance, such as a thumb drive, may introduce malware onto an employee’s computer.
- Administrative safeguards. Implement procedures to supervise remote employees. Routinely monitor logins and information system activity to identify security incidents, such as exfiltration of large data files.
Remote work will be new to many employees, so provide mandatory training on your organization’s policies and procedures. If remote work results in hiring new service providers, consider whether business associate contracts are required.
Even with heightened awareness and safeguards, the nature of remote work increases the possibility of unauthorized uses or disclosures of PHI. Because the breach notification rules continue to apply, and you could incur HIPAA penalties if breach notification is inadequate or untimely, also train employees to recognize and promptly report possible breaches.
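The administrative-safeguard item above calls for routinely monitoring information system activity for incidents such as exfiltration of large data files. The following is an added example, not part of the original article: it scans a constructed activity log (assumed format: timestamp, user, action, resource, bytes) and raises one alert per user whose download volume within a trailing one-hour window exceeds a threshold, also noting whether the activity fell outside assumed business hours. The log format, threshold and hours are assumptions, not values from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real data). Assumed format:
#   <ISO timestamp> <user> <action> <resource> <bytes>
SAMPLE_LOG = """\
2020-04-06T09:02:11 alice DOWNLOAD claims_2020_03.csv 1200000
2020-04-06T09:15:40 alice DOWNLOAD enrollment.xlsx 850000
2020-04-06T09:20:03 bob LOGIN - 0
2020-04-06T09:21:30 bob DOWNLOAD dependent_list.csv 400000
2020-04-06T23:41:12 alice DOWNLOAD full_plan_export.zip 95000000
2020-04-06T23:44:55 alice DOWNLOAD full_plan_export_2.zip 91000000
"""

def parse(line):
    """Split one log line into a dict; bytes become an int for summing."""
    ts, user, action, resource, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "resource": resource, "bytes": int(nbytes)}

def find_bulk_exports(log_text, window=timedelta(hours=1),
                      byte_threshold=50_000_000, after_hours=(20, 6)):
    """Return one alert per user whose DOWNLOAD volume inside any trailing
    window exceeds byte_threshold; flag whether it happened outside the
    assumed business hours (after_hours = (start_hour, end_hour))."""
    per_user = defaultdict(list)
    for ln in log_text.splitlines():
        if ln.strip():
            e = parse(ln)
            if e["action"] == "DOWNLOAD":
                per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for e in evs:
            total += e["bytes"]
            # Drop events that fell out of the trailing window.
            while e["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if total > byte_threshold:
                h = e["ts"].hour
                alerts.append({"user": user, "bytes": total, "at": e["ts"].isoformat(),
                               "after_hours": h >= after_hours[0] or h < after_hours[1]})
                break  # one alert per user is enough to trigger review
    return alerts
```

In practice the threshold would be derived from each user's normal volume rather than fixed, and the alert would feed the incident-reporting process the article describes.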
By now, you’ve likely had a crash course in managing remote employees. Even after these workers have settled in and begun to feel comfortable in their respective working environments, it’s important for employers to keep a close watch on their productivity and adherence to the HIPAA privacy and security rules. Note that the relaxation of HIPAA guidelines announced in connection with the COVID-19 pandemic relates only to the new telehealth rules.