Introduction
Since being signed into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) has become an integral part of the day-to-day business of healthcare providers, their associates, and insurers. The threats to health-related privacy have become more prevalent and public. Organizations have had to increase security measures and ensure their employees are well versed in their responsibilities.
R events focused around the worldwide COVID-19 pandemic have required personnel to move out of offices and work from home. These organizations have had to rethink security for their employees and the information they use to accomplish their work.
Here are some items that every organization should consider for remote workers in a healthcare setting.
Policies:
Policies are an organization’s expectations for its employees, associates, and suppliers. Healthcare organizations write policies to ensure that everyone knows the laws, regulations, and rules and how to comply with them.
Let’s talk about just 3 of the policies most likely to affect an organization required to be HIPAA compliant.
- Use or Disclosure of Protected Health Information (PHI) or electronic PHI (ePHI) – Defines the PHI or ePHI information and how it may be used and disclosed. It may also define or point to consequences for illegal or accidental breaches of the policy.
- Data Ownership and Data Security – This policy (or group of policies) defines who owns specific data, who may have access, how it is stored, transmitted, and protected while at rest.
- Training – Implementing regular training for employees and business associates that have access to PHI, then testing the efficacy of that training.
Some other policies and procedures are likely to be important to your organization, but this is an excellent place to start.
Agreements:
Agreements are contractual obligations entered into by employees and business associates of healthcare providers.
Non-Disclosure agreements: require workers and associates to protect the patient information that they access. This agreement can also cover not disclosing the organization’s business practices, customers, associates, and other sensitive or proprietary information.
Business Associate Agreement (BAA): Ensures that business associates follow the same policies and regulations that your organization does or ones that are potentially stronger than your own.
Data Access/Connectivity: Using a Virtual Private Network (VPN) connection may be required when working from anywhere other than within the organization’s protected work environment (i.e., office). Work-provided internet access may include a separate internet provider from your home, a hard-line connection dedicated for work, or a cellular network connection. Only authorized workers should have access to the system/network.
Case Study:
According to the OCR Breach database, several years ago, an unencrypted laptop of a Health Care employee with the protected health information (PHI) of approximately 4,488 individuals was stolen from a workforce member’s son. He borrowed the laptop without permission and knew the computer’s password. The PHI involved in the breach included medical record numbers, dates of visits, and chief complaints. The responsible workforce member was suspended pending an investigation and ultimately resigned. The CE created and revised its HIPAA policies and procedures, including its mobile device policy, and implemented additional security measures to address high and moderate risks identified in its risk analysis.
Hardware:
Employees doing work for a HIPAA-covered entity must use a work-only system. The device must be protected against unauthorized use, theft, and data loss. Full disk encryption is typically required.
Northstarr Recommendations
As a medical provider or associate, nothing is more important than protecting your organization and clients from physical, mental, or financial harm. With telework becoming more prevalent in the workspace for many organizations, it is necessary to manage the threats related to operations outside an office environment. Northstarr System Solutions has a team of talented professionals who can help you protect your most valuable assets. Contact us today to learn more.