HIPAA Compliance and Working From Home
When businesses choose to have their employees work from home there is a lot to consider, especially if those businesses work with protected health information (PHI). HIPAA compliance and working from home can be a difficult feat, as HIPAA Privacy Rule and Security Rule standards must be upheld.
HIPAA Compliance and Working From Home: Rules
A main concern for HIPAA compliance and working from home are the privacy concerns of working in a non-traditional environment. Healthcare organizations, even when working remotely, have an obligation to safeguard the protected health information (PHI) that they work with.
To ensure that employees working from home are adequately safeguarding PHI, the following security measures should be implemented:
- Change default passwords for wireless routers.
- Encrypt home wireless router traffic.
- Encrypt, and password-protect, personal devices employees may use to access PHI.
- Ensure all devices that access your network are properly configured.
- Encrypt all PHI before it is transmitted.
- Require employee use of a VPN when employees remotely access the company Intranet.
Administrative safeguards for HIPAA compliance and working from home:
- Create policies and procedures prohibiting employees from allowing other people from using devices that contain PHI (i.e. friends and family).
- Have employees sign a Confidentiality Agreement.
- Develop a Bring Your Own Device (BYOD) Policy.
- Provide employees with filing cabinets that lock for secure paper PHI storage.
- Provide shredders for remote workers, enabling employees to destroy paper PHI that is no longer needed.
- Develop a media sanitization policy.
- Ensure employees disconnect from the company network when their work is complete.
- Maintain and periodically review logs of remote access activity.
HIPAA Compliance and Working From Home: HIPAA Compliant Teleconferencing
Even when employees are working from home, there’s still a need to conduct meetings. There are several platforms that enable companies to conduct virtual meetings. However, before it is permitted to use video conferencing tools in conjunction with PHI, it is essential to ensure that the tool is HIPAA compliant.
Things to consider when determining if a video conferencing tool is HIPAA compliant include whether or not the company is willing to sign a business associate agreement (BAA), as well as what safeguards enable PHI protection.
A business associate agreement (BAA) must be signed before the platform can be used for HIPAA compliant communication. A BAA mandates the protections that must be in place securing PHI, and requires each signing party to maintain their own compliance.
Additionally, the video conferencing platform should have the following security measures available:
- Access controls
- Audit logs
- User authentication
- Automatic log-off
For more information on HIPAA compliant video conferencing please click here.