HIPAA Compliance Considerations in the Work From Home Era
Working remotely from home isn’t new, but it is now far more common than in the past. When the Covid pandemic hit the US, businesses across the country had to close their offices to help stop the spread of the disease, and a majority of the workforce began working from home. Although some employees have since returned to the office, many still work remotely today. For medical companies, this shift creates a whole new situation for HIPAA compliance. So what are the main considerations medical companies need to address in order to stay HIPAA compliant in a remote working environment?
Remaining HIPAA Compliant in a Remote Environment
Working from home does not violate any HIPAA rules. This was true even before the pandemic forced many employees to work remotely. There are, however, additional considerations that need to be taken in order to keep remote employees HIPAA compliant.
Limiting Employee Access
Access to secured content or patient information should be limited to the employees who are currently working with that information. Limiting access this way reduces the chance that a single compromised account leads to a server-wide breach.
Using the Right Tools
It’s always recommended to use HIPAA compliant communication tools and to avoid sending information over social media or other open tools not designed for protected data. Any communication tools that are used need to have advanced privacy features to keep PHI and patient data secure.
Use a VPN, Strong Passwords & Multi-Factor Authentication for Secure Access
The first and easiest step in implementing secure access is to use very strong passwords with a high character count and to change these passwords regularly. In addition to strong passwords, it’s recommended that employees use multi-factor authentication to log in. This can be accomplished through a link or code sent via email or SMS, or by using a mobile authentication app such as Google Authenticator. The last and most involved step is to require employees to log in using a VPN (virtual private network), which creates a private network for users in the organization.
Data can be encrypted in various ways; whichever method is used, encryption makes sensitive data unreadable to anyone who is not meant to see it.
Steps for IT Departments to Improve HIPAA Compliance
IT departments can take some initial steps to make sensitive data more secure. Some of these were mentioned above, including the implementation of a Virtual Private Network, or VPN. All employee devices used while working remotely should be required to log in through the VPN, and the devices should be updated regularly. VPNs also need to be tested and monitored often to ensure the network is not being overwhelmed. This is especially important when new devices or employee accounts are added.
In addition to VPN access, remote devices should be equipped with the latest antivirus and firewall software. It’s common for these types of software to be updated often, so the newest versions should be automatically updated and installed on each employee device.
The last step IT can take is to require multi-factor authentication when logging on from each remote device. This adds another layer of protection.
What Steps Can Employees Take to Help Protect Personal Health Information (PHI)?
There are additional steps employees can take to protect sensitive health information. Proper instructions should be sent to each employee on how to implement some or all of these steps when they receive their remote device(s).
- Encrypt and password protect all devices being used to access PHI.
- Always log in from a private, password protected and encrypted router and/or modem.
- Encrypt any PHI in forms before it is submitted.
- Only print PHI if it’s absolutely necessary. That information should be placed in a locked filebox or drawer if still being used and shredded when it’s no longer needed.
- Avoid sending PHI via email unless it’s the only option. If email must be used, it should be encrypted.
- Only external storage devices that are approved by the IT department should be used to store PHI.
It’s obviously very important to follow HIPAA compliance rules, whether employees are physically in the office or working remotely. These guidelines should help improve the security of remote workers and can be implemented fairly easily across all devices. If you’d like to learn more about the solutions we offer relating to HIPAA security for remote employees, we’d be more than happy to chat. We’ve worked with numerous well-known medical organizations across the country, and our company specializes in HIPAA compliant software solutions.