HIPAA Compliance for Remote Workers Before, During and After COVID-19
Under normal circumstances, the security and privacy of patient information are strictly regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The national health emergency created by COVID-19 has resulted in some relaxation of the rules, but most of the regulations are still being enforced, and they apply to remote workers just as they do to staff in a medical office.
COVID-19 Is Resulting in More Remote Workers
The effort to minimize contact with potentially infected patients has resulted in many medical personnel being asked to perform their duties remotely from home, which has created a need for companies to quickly put privacy practices in place.
The need for social distancing to prevent the spread of the disease throughout workplaces even in environments where patients are never seen, such as medical billing companies, has also increased the number of remote workers who deal with information covered by HIPAA.
Telehealth Is the Main Exception Affecting Remote Workers
Facilitating care for people who have difficulty getting to a doctor’s office has been a major reason for establishing telehealth systems. The rapidly spreading novel coronavirus created the need to keep asymptomatic people who have been infected as well as those with symptoms of COVID-19 from spreading the virus at medical facilities. One approach has been to increase telehealth options, so that patients can be diagnosed and treated without going into a doctor’s office.
There are conditions set in the HIPAA Privacy Rule that apply during an outbreak of infectious disease and allow information to be shared without getting patient approval when it would be necessary to protect the nation’s public health or treat a patient, but these are less likely to apply to remote workers.
New telehealth activities could be more likely to involve remote communications. The Department of Health and Human Services (HHS) said it will “exercise its enforcement discretion and will waive potential penalties for HIPAA violations against health care providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency.”
This allows healthcare providers to use remote video communication technology such as Skype or FaceTime, which do not meet the security and encryption requirements that would normally apply. Providers are still required to follow privacy measures as much as possible: they must make sure they are in a private environment and should encourage the patient to also be in a private environment, using a personal device.
More Remote Workers After COVID-19
Since many employers who had previously not considered remote workers are now seeing the cost benefits of allowing them to work from home, it is likely that many will continue to have remote workers after the virus is brought under control.
Rather than assuming leniency for HIPAA compliance now and in the future, anyone accessing or using patient protected health information (PHI) remotely should put a system in place that makes their work compliant.
Any business using or accessing PHI remotely should document all compliance efforts and have a written policy covering the details of how each aspect is to be carried out. These include:
- Employees should be issued devices used for accessing PHI and must not let anyone else use them.
- Where personal equipment is used, make sure the company has a clear agreement on what can be used and the requirements for security.
- Secure any modems and routers. Home networks often use simple passwords that are easy for family members to remember. For the system to be HIPAA compliant, complex, hard-to-guess passwords need to be set up. Encryption must also be in place.
- Devices need firewalls and anti-virus protection. Each device that will be used in any way involving PHI must be protected from hackers. Medical records contain most of an individual’s private identifying information in addition to their health record, so they are valuable on the black market and hackers actively try to access them.
- Locking File Cabinet or Safe: Anyone who needs paper that includes PHI must keep the records locked up when not in use.
- Shredder: Where PHI is printed, there should be a shredder on site for disposing of all paper as soon as it is no longer needed.
Control Electronic Access
- Keep a log of electronic access to your system.
- Set up the system to automatically log out sessions that have been inactive for a short period.
- PHI should not be copied to external media such as portable drives unless it is approved in the policy, which should specify how the media is to be kept secure.
- Require the use of a VPN (virtual private network) in order for a home computer or other device to connect to your network. This encrypts the data in transit to add another level of security.
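The first two items above, an access log and an inactivity logout, are easy to state and easy to get subtly wrong (an idle timer that is never reset by real activity, or a logout that leaves no log entry). The following is an added example, not code from the original article or from Medcare MSO, of a small session manager that writes a structured log entry for every PHI lookup and logs out any session idle longer than a limit. The 15-minute limit, the user and patient identifiers, and the `PhiSessionManager` class are assumptions made for illustration; in production the log would be written append-only to a separate log host, not kept in memory.

```python
"""Added example: PHI access logging plus idle-session logout.
Not from the original article; names and the 15-minute limit are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

IDLE_LIMIT = timedelta(minutes=15)  # assumed policy value, not from the article


@dataclass
class Session:
    user: str
    last_activity: datetime


class PhiSessionManager:
    """Tracks logged-in sessions, enforces an idle timeout, and records every event."""

    def __init__(self, idle_limit=IDLE_LIMIT, clock=None):
        self.idle_limit = idle_limit
        # Injectable clock so the timeout logic can be tested deterministically.
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.sessions = {}
        self.access_log = []  # in production: append-only, shipped off the device

    def login(self, session_id, user):
        self.sessions[session_id] = Session(user, self.clock())
        self._log("login", user, session_id)

    def access_record(self, session_id, patient_id):
        """Return True if the lookup is allowed (and logged), False otherwise.
        A session idle longer than the limit is logged out instead of served."""
        session = self.sessions.get(session_id)
        if session is None:
            self._log("denied_no_session", None, session_id, patient_id=patient_id)
            return False
        now = self.clock()
        if now - session.last_activity > self.idle_limit:
            self._logout(session_id, "idle_timeout")
            return False
        session.last_activity = now  # genuine activity resets the idle timer
        self._log("phi_access", session.user, session_id, patient_id=patient_id)
        return True

    def sweep(self):
        """Background job: log out every idle session; return how many were closed."""
        now = self.clock()
        expired = [sid for sid, s in self.sessions.items()
                   if now - s.last_activity > self.idle_limit]
        for sid in expired:
            self._logout(sid, "idle_timeout")
        return len(expired)

    def _logout(self, session_id, reason):
        session = self.sessions.pop(session_id)
        self._log("logout", session.user, session_id, reason=reason)

    def _log(self, event, user, session_id, **extra):
        # One JSON object per line so the log is easy to ship and search.
        entry = {"ts": self.clock().isoformat(), "event": event,
                 "user": user, "session": session_id, **extra}
        self.access_log.append(entry)
        print(json.dumps(entry))


def demo():
    """Walk a constructed timeline: activity resets the timer, a long gap ends the session."""
    now = [datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)]  # constructed start time
    mgr = PhiSessionManager(clock=lambda: now[0])
    mgr.login("s1", "biller01")                         # constructed user
    first = mgr.access_record("s1", "PAT-0001")         # constructed patient id
    now[0] += timedelta(minutes=10)
    second = mgr.access_record("s1", "PAT-0002")        # 10 min idle: still allowed
    now[0] += timedelta(minutes=16)
    third = mgr.access_record("s1", "PAT-0003")         # 16 min idle: logged out
    return first, second, third, mgr


if __name__ == "__main__":
    demo()
```

The `clock` parameter is what makes the timeout testable: the demo advances a fake clock instead of sleeping. Note that a lookup after the idle limit both refuses the access and emits a `logout` entry with its reason, so the log alone shows why a user was dropped.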
Medcare MSO uses the highest level security to ensure the safety of your patients’ personal information. Our highly trained medical billing staff uses a proven system for fast claim submission and maximum payment collection. Call us today at (800) 640-6409 to find out how we can streamline your billing cycle.