COVID-19 and civil unrest have created new risks that healthcare organizations must address to remain compliant with the Health Insurance Portability and Accountability Act (HIPAA) and HITECH.

An unprecedented number of employees now telecommute all or part of the time as a result of the government’s response to the COVID-19 pandemic. This, along with other recent developments such as widespread rioting, ushers in a number of new HIPAA risks. Many healthcare organizations will need to update their HIPAA training, policies, and procedures to reflect conditions under the new normal.

Here are a few considerations for staying compliant:

  • Secure connections. Is your team working from home? From a local coffee shop? Unprotected networks are a threat to your organization’s PHI. Consider requiring VPN connections. Make sure employees know not to access sensitive information from unsecured networks, such as those found in coffee shops. Make sure the Wi-Fi in the home office is secured.
  • Dedicated work device. In many places, school has been out since spring break and may remain partially closed in the fall, depending on where you live. Many workers share their homes with children and other family members. Telecommuters working for covered entities should have a dedicated device for work. Allowing children or other household members to surf the web or attend virtual classes on the same device could put PHI at risk. If your employee does not have a dedicated work device, consider providing one.
  • Remote workspaces. Most employers have no visibility into their telecommuting employees’ workspaces. Make sure PHI isn’t spread out all over the kitchen table, where it could be seen by unauthorized eyes, or accidentally picked up with a stack of homework. Give your team written guidelines for workspaces.
  • Risk Assessment. Material changes to operations trigger the need for a new risk assessment; it’s required. Riots and looting have broken out in numerous cities. Is your facility located in a high-risk area? Have you put physical safeguards in place to fortify workspaces in hot zones? For example, are the devices on which you store PHI at risk of being stolen if your windows are broken? Do you have offsite backups of all your data in case of a fire?
  • Workforce Training. If you’ve completed our HIPAA 2020 Training Course, then you know that changes to operations or risks also trigger the need to re-train staff on HIPAA Compliance. We can help. Click on this link and enter Coupon Code “summer50” to get a 50% discount on HIPAA training.
  • Insurance. Check your insurance policies to make sure they don’t exclude telecommuting.
  • Device Inventory. Is your device inventory up to date? Do you know whether team members are using work computers or their own personal computers as they work from home? Are there new devices being used to access your intranet or EMR that are not registered with your IT department? Do you know where your company-owned computers reside?
  • Assess your applications. Are you using new or different applications to accommodate remote work? Have you told your staff how to appropriately use Zoom or other tools with respect to PHI?
  • Disposal of PHI. Employers must make sure their telecommuters aren’t disposing of PHI in the kitchen trash can. How do your remote workers plan to dispose of PHI? Do you have policies in place to address disposal of PHI in a telecommuter setting?

This list is by no means comprehensive, but it’s a good place to start thinking about how to refresh your HIPAA compliance efforts to reflect the current environment. You can download our free HIPAA Policy and Procedure checklist here.

Need to train your workforce? Want a certificate to help you comply with documentation requirements? Click here for our certificate-earning HIPAA training course.