Your idea of working from home seems pretty cozy. You imagine sitting in your pajamas with your pet keeping you company. But for medical practitioners, working remotely involves some special precautions to ensure patient privacy and data security.
During the pandemic, more doctors, physicians, and other medical practitioners are working from home than ever. With the help of relaxed HIPAA regulations on the use of telecommunications and the advancement of telemedicine, practitioners can treat more patients remotely. In response to the national health emergency, working from home isn’t just comfortable; it’s an important way to protect the health of patients and healthcare workers.
HIPAA regulations have been relaxed during the pandemic in order to facilitate safe access to healthcare and remote coverage for patients. Potential penalties for non-compliance have been waived during this emergency period for good-faith use of telehealth. But the law was not removed; HIPAA compliance is still necessary.
Is it a HIPAA Violation to Work from Home?
No. Even before the pandemic, WFH was possible without committing a HIPAA violation. But there are 10 measures that need to be taken to ensure that medical staff remain HIPAA compliant while working remotely.
How to Stay HIPAA Compliant When Working from Home
- Limit Access.
PHI should only be accessed and handled by authorized staff members. When working remotely, limit access to only those staff members that need it to carry out their work. Keep a record of which employees have access to certain types of sensitive information.
- Use HIPAA-Compliant Tools.
Not all platforms and apps for voice and video communications are engineered to protect patient privacy and PHI. Technologies that support conversations between doctors and other staff, or between doctors and patients, should be selected carefully. It’s important to choose one that will continue to meet requirements even after the pandemic, when regulations are expected to return to full force.
Public-facing applications and social media platforms are not appropriate and do not ensure patient privacy.
Find examples of HIPAA-compliant videoconferencing tools.
- Set Passwords.
Be sure that videoconferencing and file-sharing are password-protected to help protect sensitive data. Medical staff should also change the passwords on their home wireless routers to strong ones.
- Secure Remote Access.
If doctors and medical staff are using a platform to log in to their office computer and access patient data remotely, some extra security measures should be in place. In addition to strong passwords, access should require two-factor authentication. Requiring employees to use a VPN provides safe remote access from any location, whether over public internet connections or private Wi-Fi. Then, when they are done using a device for work purposes, they should securely sign out.
- Ensure Encryption.
Encryption encodes data so that unauthorized users cannot read it, and only authorized users can decode it and understand the information. This security measure is especially important in a work-from-home environment. It should be implemented at nearly every step in the flow of PHI. For example, this includes configuring wireless routers, email, and the work and personal devices that are used to handle patient information.
Watch this video from Security Metrics for more tips on HIPAA compliance when working from your home office.
- Stay Up to Date.
Ensure that any computer, smartphone, or other device that is being used to access patient information and communicate with staff and patients is up to date. Install all software patches and security updates that are available for that device and operating system.
If you have IT support, they should check that every device accessing the network is properly configured, encrypted, password protected, and equipped with firewalls and anti-virus software.
- Plan for Smooth Call Management.
Rely on a HIPAA-compliant medical answering service to forward calls from your office to staff working from home. This type of service can also help prioritize incoming calls so that staff can save time and handle patient requests more efficiently. External medical answering services are able to triage patients over the phone, update information through your EMR, schedule in-office appointments, or connect them directly through your preferred telemedicine platform.
- Enforce Security Policies.
Make sure that all of your staff who are working from home are familiar with your information security policies. This covers storing and disposing of PHI and devices that are used to access PHI. Employees should understand that they cannot allow other people (including friends and family) to use devices that contain sensitive data. Require employees to read and sign a clear BYOD Usage Agreement and Confidentiality Policy.
- Handle Physical Data with Care.
If employees have a habit of printing and storing hard copies of patient information in their home office, they should have a dedicated storage space that is kept under lock and key. Any paper documents containing this type of information must be shredded before they are thrown away.
- Store PHI in Approved Locations.
Security policies should also outline safe storage procedures for private information. Employees need to know where data can be securely stored and what constitutes an unauthorized use of data outside of the company network. Specifically address the use of external hard drives, discs, flash drives, and private computer storage.
HIPAA-Compliant Medical Answering Services
PatientCalls can help your medical practice work from home securely and efficiently. Our service exceeds typical HIPAA requirements by deploying three layers of authentication for remote agents.