
HIPAA requirements while working remotely


Remote employees must comply with HIPAA rules to protect clients' PHI. Healthcare institutions should define remote employee guidelines and ensure current, secure document storage. Organizations can avoid HIPAA violations and stay compliant during audits by implementing necessary security measures.


Understanding HIPAA for remote employment

With telecommuting on the rise in the US, organizations must ensure that remote employees comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations. While remote work offers numerous benefits, it poses significant risks to safeguarding clients' protected health information (PHI). Failure to meet HIPAA requirements can result in substantial financial penalties.



How to protect clients' PHI 

Organizations must establish clear guidelines and implement preventative actions for remote employees to ensure HIPAA compliance. The following checklist outlines documentation requirements and security measures:


Security policies and procedures

  • Maintain an updated list of employees who work remotely.
  • Specify the level of information to which remote employees have access.

Equipment, software, and hardware requirements

  • Encrypt home wireless router traffic, change default passwords, and ensure proper configuration of all devices accessing the network.
  • Mandate the use of a Virtual Private Network (VPN) when accessing the company's Intranet remotely.
  • Encrypt all PHI before it is transmitted, using the company's Intranet or internal email encryption.
  • Encrypt and password-protect personal devices used to access PHI, and ensure that IT configures and approves them.
  • Define approved brands and versions of personal devices that can access company data.

Security and privacy requirements

  • Prohibit friends, family, or unauthorized individuals from using devices containing PHI.
  • Have each employee sign a confidentiality agreement to ensure privacy when handling PHI.
  • Create a clear agreement with rules for the use of personal devices.
  • Employees storing hard copy PHI in their home offices should have lockable file cabinets or safes.
  • Require employees to have a shredder for proper disposal of paper PHI.
  • Follow the organization's policy for disposing of PHI or devices storing PHI.
  • Instruct employees to disconnect from the company network after work, utilizing IT-configured timeouts.
  • Prohibit employees from copying PHI to unauthorized external media, such as flash or hard drives.
  • Maintain logs of remote access activity and periodically review them for security purposes.
  • Disable accounts that have been inactive for more than 30 days and monitor account activity.
  • Communicate that violations of procedures will result in company sanctions and potential legal consequences.



Examples of negligence in remote work

Two notable cases highlight the importance of maintaining HIPAA compliance when working remotely:

  • Cancer Care Group faced a settlement of $750,000 after a remote employee lost a laptop and backup drive to car theft. This incident exposed the PHI of over 50,000 patients. The Office for Civil Rights (OCR) found that Cancer Care Group was in widespread non-compliance with the HIPAA Security Rule because it had failed to conduct an enterprise-wide risk analysis. Additionally, the organization lacked a written policy on removing hardware containing PHI from its facilities.

  • Lincare, a respiratory medical group, incurred a settlement cost of nearly $240,000 due to a remote employee breaching the PHI of 278 patients. The court ruled that Lincare did not have adequate policies and procedures in place to safeguard patient information taken off-site. Furthermore, the organization had an unwritten policy allowing certain employees to store PHI in their vehicles for extended periods. These incidents led to a class-action lawsuit against Lincare.
