It’s estimated that 36.2 million Americans will work remotely by 2025. For perspective, that’s an 87% percent increase from pre-pandemic levels.

It’s important for companies to continue to evolve to accommodate this shift in work culture. 

Healthcare in particular is one of the industries seeing changes in processes from operations to management. For example, making sure to stay HIPAA compliant with employees working out of the office offers new challenges.

The location of where you work might change but the U.S. Department of Health and Human Services standards continue to stay the same. Understanding the risks of working with protected health information (PHI) and practicing compliance is crucial.

Many basic rules and tips stay the same, regardless if you’re working from home or in the office. Running a simple risk analysis of your workstation can save you from a HIPAA violation or security breach. 

But what it takes to safeguard protected health information out of the office can look different. For example, the way you run a risk analysis may need to adapt to your new workspace. It also doesn’t help if you don’t know what a risk analysis is…or how to start one.

“HIPAA for remote workers”, let’s take a look at what that phrase really means.

• What is HIPAA?

  • Who does HIPAA standards apply to?

  • What’s a HIPAA violation?

• Work From Home HIPAA Risks

  • Paper-based PHI

  • Unsecure Internet Access

  • Inadequate Compliance Training Program

• The HIPAA-Compliant Remote Workplace

  • Password Security

  • Clean Workspace

  • VPN & Encryption Tools

  • HIPAA Training for Remote Workers

• Conclusion

Before talking about HIPAA compliance for remote workers, let’s take a look at what HIPAA stands for and why it’s important. After all, if we don’t understand the law how can we stay in compliance with it?

Anyway, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that exists to protect sensitive health information (more formally known as PHI). This law offers a layer of security so that patient information can remain private. So by law, only those organizations working with and handling PHI and the patient themselves can access this type of information.

The law simplifies the administration of healthcare while eliminating wastage. HIPAA also prevents healthcare fraud and allows employees healthcare coverage between jobs.

If you and/or your organization can’t stay in compliance with it, you’re going to have a violation on your hands (more on that later).

I hinted at this earlier but anyone with access to PHI must abide by HIPAA rules and regulations. The law categorizes those with this access into two groups; covered entities and business associates. 

Covered entity examples are healthcare providers, healthcare clearinghouses, and health plans. These organizations send PHI in connection with transactions. 

A business associate is an individual or organization that helps a covered entity manage sensitive data. 

Failure to follow HIPAA’s standards can result in a violation and can lead to fines or even jail time. According to HIPAA Journal, unauthorized disclosure of PHI is one of the most common HIPAA violations.

You might think that working from the privacy of your own home would make you safe from security threats. After all, there isn't someone peering through your window ready to collect PHI. At least, I hope not or you have a whole different issue at hand. 

But the reality is that when you’re handling PHI at home you still face risks.

According to HIPAA Journal, between January 1, 2022 and June 30, 2022, there were 347 healthcare data breaches of 500 or more records.

In 2021, the same source conducted a study to decipher what the most common causes of healthcare data breaches were. The most common consisted of both email and web browser phishing attacks.

Some healthcare facilities still use paper-based procedures when completing tasks in their operation. This can include revenue cycle analysis, management practices, as well as coding and billing.

Physical documents with sensitive information can hold the risk of an unauthorized person seeing them. While this may seem harmless, this still constitutes a HIPAA violation.

A breach can occur when employees don’t take appropriate measures to secure documents containing PHI.

Failing to properly dispose of these physical files can also pose a risk. Healthcare organizations have HIPAA-compliant procedures for destroying documents containing PHI. 

Companies that usually outsource file disposal to secure vendors may struggle with finding methods to destroy sensitive documents remotely. This poses a risk for these documents to end up in an employee’s unsecured trash bin.

Being able to connect securely to company servers to access files is necessary when it comes to compliance.

IT departments are updating company systems as more employees are starting to work remotely.

Yet, these networks can become congested or slowed depending on the internet provider of the remote employee. Some employees may seek shortcuts to access PHI through channels that lack the security necessary. Or, they may simply forget to log in to the secure network while at home.

I haven’t even mentioned the scenario where the healthcare organization doesn’t have an IT department. The reality is small telehealth practices likely don’t have the resources to hire a full-time IT staff member. This presents a very risky scenario.

Covered entities and business associates need to renew their HIPAA certifications annually. This happens through compliance training programs.

Poor training is another avenue that leaves organizations vulnerable to HIPAA violations. Without proper training, security breaches and improper disposal of PHI are also more likely.

This requirement is no different for remote employees. Compliance training should be a top priority for all organizations to ensure stability. If you’re already providing HIPAA training to your employees, it’s essential that you cover remote work scenarios.

Whatever compliance training you have in place, hopefully it’s engaging and fun. Otherwise, you’re not really helping your organization from a risk perspective.

Taking risks into consideration, there are ways to adjust a remote-work life to be HIPAA compliant. Here are some best practices to follow…all of which should exist as talking points in the HIPAA for remote workers training you assign.

Ensure your home wireless router traffic is password protected. By doing this along with making sure to log in securely to your company’s network, it’s less likely that an employee will face a HIPAA violation.

It’s also a good idea to change the default passwords for your wireless routers. Yes, these passwords are long and full of special characters. The downside is that they’re provided right on the side of your router for everyone to see.

Additionally, ensure that you password-protect personal devices that have access to patient information. Never share passwords with anyone else or allow coworkers to log into programs through your accounts.

But what does a secure password look like?

According to Hive Systems, it would take a hacker 438 trillion years to crack a password that is 18 characters long that contains uppercase letters, lower case letters, symbols, and numbers.

Keeping a cluttered workspace can cause unintentional HIPAA violations. Leaving computers open and sensitive information unattended in your home office can be dangerous. You should lock your computer programs that contain PHI when not in use. Privacy screens for your monitors can help deter a passerby from seeing any sensitive information.

If there are no documents to clutter your desk, then there will be less of a risk of a security breach. So, avoid printing protected health information, and when you do need to print make sure to keep documents out of sight. Try to only access a patient’s records if needed for work.

Even something as simple as a HIPAA fax cover sheet protects your organization from unnecessary HIPAA risk.

In the event that you need to send sensitive information to another coworker, make sure to use encrypted tools. This will help secure the information through email. You should try to avoid sending PHI through email. But, encryption tools such as Sharefile help add another layer of protection from hackers.

Investing in a virtual private network (VPN) for your company is another layer of encryption that’s hard to hack. Offering employees access to VPNs allows them to share patient information securely. They make it as if their computing devices were directly connected to the private network.

Anybody with access to PHI in an organization should have HIPAA training that explains what HIPAA violations are and how to avoid them. All members of a covered entity or business associate workforce should complete security awareness training. That includes individuals in management roles.

The truth is, your employees are the biggest risk to your organization. Nearly 50% of all cybersecurity-related breaches happen due to employee carelessness. In order to stop your employees from being careless…they need to understand the steps to stay compliant. That knowledge only exists through training.

HIPAA compliance isn’t something that only pertains to in-office healthcare facilities. The truth is that healthcare organizations that operate from a remote setting need to still stay in compliance with HIPAA.

Out of all the compliance steps listed in this blog post, though, there is one takeaway you should remember at a minimum. Ensure that you provide HIPAA training to your remote employees.

The U.S. Department of Health and Human Services provides standards that all covered entities or business associates need to follow. Even though the HHS requires training, it doesn’t specifically outline what information to include. This can lead to confusion about what remote employees need to know.

For employees who work from home, compliance training will need to cover instances of work-from-home risks. I’m willing to bet that even if you already have training in place, it falls short in regard to remote workstations.

Offering compliance training modules that break up the material for your employees helps them retain what they learn. Including a section within that training about remote work compliance is the icing on the cake.