Working from home can lead to casual conduct, posing compliance risks for your organization.
More employees than ever are working from home as a result of the COVID-19 pandemic, including physicians, mid-levels, and those who support physician practices in other ways. Unfortunately, working from home can sometimes lead to more casual conduct by employees than in the workplace, which can pose a risk to a medical practice’s compliance with the Health Insurance Portability and Accountability Act (“HIPAA”).
HIPAA generally requires that covered entities, such as medical practices, take certain precautions to protect a patient’s protected health information (“PHI”). PHI can include basics such as a patient’s name and address, medical condition, date of service, etc. Employees are typically trained on how to handle PHI in the workplace setting using workplace technology, but many practices that switched employees to working from home have allowed HIPAA compliance to slide. This can open the practice to a HIPAA complaint by patients and a potential investigation by the Office for Civil Rights. To assure your practice’s compliance with HIPAA, some issues to consider are the following:
1. What security protocols have been established on devices being used from home? Whether the device is used for texting, emails, telemedicine, scheduling, or other services, it’s important that appropriate safeguards be established. Is the device password protected? Is there an authentication protocol? Is encryption being used? How is data being stored? Every protection in place for employees working in the office setting should be replicated (or improved) for out-of-office use. Although the transition to working from home happened fairly quickly due to the pandemic, practices have had adequate time to assure that devices, software, and protocols are now fully compliant. Training and re-training employees on security protocols is also essential.
2. Is work software being used on a device in the home where other family members or friends might have access to that device? This is especially a concern where family members may be working or attending school from home and sharing devices, or where visitors to the home may have access. What training is provided to employees about shared devices, logging off, and securing passwords and access to PHI? In addition to billing information (credit cards and social security information), employees may be storing patient information such as names, medical conditions, prescriptions, and other private information about patients that must be secured from third-party access.
3. It’s important to make sure that protocols are in place for employees to secure documents containing PHI in the home. Employees should have access to a cabinet that locks and a shredder, if needed. Documents with PHI should not be left where they can be seen or taken. Additionally, extra precautions should be taken to protect laptops, tablets, cellphones, and other devices containing PHI from being stolen from the home or from a vehicle while in transit. Depending on who may be regularly accessing the home (e.g., cleaning service, construction workers, nanny, etc.), consideration should be given to implementing additional protocols to safeguard PHI. Also, anyone accessing an employee’s home for a purpose that requires access to PHI (such as an IT professional servicing a work computer or software issue) should enter into a proper Business Associate Agreement with the employer.
4. As it relates to oral discussions (telemedicine, scheduling, billing, etc.), practices must remind employees about the confidentiality of all verbal and video discussions. Who might overhear a discussion between a physician and a patient about the patient’s medical concerns and diagnosis? There are similar concerns about calls related to scheduling, billing, and other interactions where the patient might be overheard.
Although it is difficult to assure complete privacy in the home, there should be policies in place that define a minimum level of expectation for employees working from home. This means that an employee should have a dedicated space to engage in patient conversations involving PHI where a reasonable expectation of privacy can be assured.
Although COVID has changed many things about the way we work, HIPAA precautions must still be maintained. Make sure your practice reviews the policies it has in place for employees working from home to assure compliance and retrain staff frequently on best practices.
Ericka L. Adler, JD, LLM has practiced in the area of regulatory and transactional healthcare law for more than 20 years. She represents physicians and other healthcare providers across the country in their day-to-day legal needs, including contract negotiations, sale transactions, and complex joint ventures. She also works with providers on a wide variety of compliance issues such as Stark Law, Anti-Kickback Statute, and HIPAA. Ericka has been writing for Physicians Practice since 2011.