If you only knew…
Several years ago, in order to make some extra cash, I took on some medical billing processing work from home on the weekends. The work was fairly mindless — mostly taking PDF scans of handwritten charts and punching the necessary codes into a billing system. Before I could do this, I had to sign a HIPAA Employee Confidentiality Agreement. This was a document that said I would not allow anyone else to access patient information and would take security measures to protect this data while it was in my possession. I pride myself on being a person of intense moral fiber and being savvy with data security. The thought never crossed my mind of abusing my authority. Still, the sheer volume of extremely personal information that came across my computer screen was astounding...and even scary. In this piece, we’re going to look at HIPAA compliance for remote workers — what it means, why it's necessary, and some tips on how to achieve it.
What is the gist of HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (yep, it’s not that old) is an act that restricts access to a variety of protected health information (PHI) identifiers. There are 18 such identifiers in total. They range from names, email addresses, fax numbers, street addresses and account numbers to health records and biometric data such as fingerprints and even voice prints. Not only does HIPAA restrict who can access this information, but it also works to mitigate the risk of patient information being lost or stolen.
What is the penalty for violating HIPAA compliance?
Not only is HIPAA compliance a good practice for patients, but for companies as well. In addition to keeping them trusted by clients, it also keeps them from having to pay hefty fines. According to the American Medical Association, HIPAA violations can carry fines ranging from $50,000-$250,000 and between 1-10 years in prison. These can increase further depending on the amount of compromised information. According to the U.S. Department of Health and Human Services, a representative from Cancer Care Group was found to be in violation of HIPAA after a car was stolen that contained a computer holding protected information. This resulted in a fine of $750,000. I mean, talk about a lousy day! While penalties vary between those who knowingly violate HIPAA and those who violate its regulations out of ignorance, the differences in fines and prison time hardly justify taking the risk.
What kind of employees need to be HIPAA compliant?
If any of your employees have access to any of the 18 protected health information (PHI) data points that are used in a healthcare setting, they will likely need to agree to a HIPAA Employee Confidentiality Agreement. Even though this agreement is signed by them, this doesn’t necessarily mean that their employer is off the hook for any HIPAA violations they incur.
Quick Tips to Be HIPAA Compliant
Even though it is important to remain vigilant, being HIPAA compliant doesn’t have to be a headache. Here are a few quick tips for remote employees on how to remain HIPAA compliant. (These are by no means exhaustive, but rather act as a good jumping-off point.)
1. Don’t work on HIPAA-sensitive projects in public.
While it can be nice to get out of the house every so often and work from a coffee shop, do not do so when working with patient information. Even if you’ve found a great nook in the corner where no one can see your screen, between the questionable WiFi security and the inevitable need to step away to use the restroom, it’s better to be safe than sorry.
2. When discussing HIPAA-sensitive info, keep it down.
Are you a loud phone talker? Yes, it’s possible to be in violation of HIPAA regulations by speaking a little too loudly at the wrong time. If you need to discuss protected information over the phone with another HIPAA-compliant co-worker, make sure no third parties can listen.
3. Invest in a good shredder.
If you’re ever handling paper documents or discs that contain HIPAA-sensitive data, you’ll need a good shredder to dispose of them once you’re finished. Simply tearing up documents is not enough. Being able to shred compact discs is also a handy feature.
4. Be mindful of how you use data in your own processes.
If you’re like me, if it isn’t blocked out on a calendar, it doesn’t get done. Whether you’re scheduling work or even making a to-do list, make sure you’re not using any of the 18 PHIs protected by HIPAA. Even using a patient’s full name in a calendar event description can be extremely risky.
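One practical way to apply this tip is to run a quick check over your calendar or to-do export before it leaves your machine. The Python scanner below is an added example written for this article, not code from the original post. It flags the HIPAA identifiers that have a recognisable shape (email addresses, phone and fax numbers, SSNs, dates, medical record numbers, IP addresses) with regular expressions, matches patient names against a roster, and can produce a redacted version of each line. The sample notes, the roster and the `MRN` number format are constructed for the example; the patterns cover only some of the 18 identifiers and are deliberately conservative, so a clean result is a hint rather than proof.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines, as they might appear in an exported calendar or to-do list.
SAMPLE_NOTES = [
    "Call back Jane Doe re: lab results, 555-867-5309",
    "Fax chart for MRN 000123456 to (555) 222-1111",
    "Follow up with patient DOB 03/14/1968",
    "Email j.doe@example.com the appointment summary",
    "Team standup 9am",
    "Renew router firmware",
]

# Hypothetical patient roster. In practice this would be looked up in the billing
# system at scan time rather than stored alongside the scanner.
PATIENT_ROSTER = ["Jane Doe", "John Q. Public"]

# Regexes for identifiers with a recognisable shape. This is an illustrative subset
# of the 18 HIPAA identifiers, not a complete cover of them.
PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # US phone/fax: (555) 222-1111 or 555-867-5309 / 555.867.5309 / 555 867 5309
    "phone_or_fax": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Any full date (month/day/year); HIPAA treats dates more specific than a year as PHI.
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/\d{2,4}\b"),
    # Assumed local convention: "MRN" followed by six or more digits.
    "medical_record_number": re.compile(r"\bMRN\s*#?\s*\d{6,}\b", re.IGNORECASE),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def _name_pattern(roster: List[str]) -> re.Pattern:
    """Build one whole-word regex that matches any roster name."""
    return re.compile(r"\b(?:" + "|".join(re.escape(n) for n in roster) + r")\b")


def find_phi(line: str, roster: List[str] = PATIENT_ROSTER) -> List[str]:
    """Return the sorted list of PHI categories detected in one line."""
    found = {category for category, pattern in PATTERNS.items() if pattern.search(line)}
    if roster and _name_pattern(roster).search(line):
        found.add("patient_name")
    return sorted(found)


def scan(lines: List[str], roster: List[str] = PATIENT_ROSTER) -> List[Tuple[int, List[str]]]:
    """Return (line_number, categories) for every line that contains PHI."""
    hits = []
    for number, line in enumerate(lines, start=1):
        categories = find_phi(line, roster)
        if categories:
            hits.append((number, categories))
    return hits


def redact(line: str, roster: List[str] = PATIENT_ROSTER) -> str:
    """Replace each detected identifier with a category placeholder, so the
    reminder can stay in the calendar without the PHI."""
    out = line
    for category, pattern in PATTERNS.items():
        out = pattern.sub(f"[{category.upper()}]", out)
    if roster:
        out = _name_pattern(roster).sub("[PATIENT_NAME]", out)
    return out


if __name__ == "__main__":
    for number, categories in scan(SAMPLE_NOTES):
        print(f"line {number}: {', '.join(categories)}")
        print("  safe version:", redact(SAMPLE_NOTES[number - 1]))
```

Running the script lists the four sample lines that carry PHI and a redacted version of each; the two lines about a standup and router firmware pass clean. The roster match is exact and case-sensitive by design, so a name written as "J. Doe" would not be caught; extend the roster or the patterns to match how your own notes are written.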
5. Use a cover sheet when faxing information.
I know that most of us do not use fax machines anymore, but they are still fairly widely used in the healthcare industry. Because of this, you will want to use a proper cover sheet when sending sensitive information. This will help keep the data from just sitting in a printer tray for the world to see.
6. Sign out of all data systems when not in use.
It’s not completely uncommon for remote workers to use work computers for personal use. In order to keep all data safe, sign out of all secure data systems when you’re not using them. Make a habit of this.
7. Know which co-workers you can share HIPAA information with.
There should be a documented list within your company files of who can access HIPAA-protected data and who cannot. Before sharing any protected data, know for sure which co-workers have which levels of clearance.
8. Make sure your internet connection is secure.
If you work from home, you will want to make sure your internet connection isn’t at risk of being compromised. Make sure your routers are configured to encrypt traffic. To increase security, hardwiring devices into a secure router may be your best bet. Also, using a HIPAA-approved virtual private network (VPN) on your computer and mobile device adds another layer of protection for sensitive data.
9. Keep virus protection systems up to date.
In order to keep your computer and systems free of malware, make sure that all of your anti-virus and anti-malware software is up to date.
10. Be vigilant against phishing and spearphishing.
One way attackers can gain access to your computer systems is via email phishing or spearphishing. Do not click on any emailed links that you are not completely sure are safe — even if they seem to contain information about you.
11. Do not plug in mysterious drives into your computer.
Most people know better than to fall for this, but it still must be said: never plug any mysterious drives into your computer in order to examine their contents. While it may seem like an innocent thumb drive you found in a parking lot, it may actually be a front door into your secure system.
12. Be mindful of where you keep sensitive information.
Remember that case of the Cancer Care Group having to pay out a $750,000 penalty for failure to uphold HIPAA compliance? That was the result of a computer being left in a car that was stolen. Never leave any sensitive files or devices containing access to sensitive information in a vehicle. In general, be mindful of where this information is stored. Invest in a locking file cabinet for physical files and advanced password protocols for electronic files.
13. Reassess your security protocols frequently.
Being HIPAA compliant is not a “one and done” procedure. It is an ongoing process of remaining vigilant against data breaches and security threats. To avoid becoming complacent, reassess your own personal security protocols on a regular basis. Make sure you are remaining attentive to them and that they are still relevant.
14. Seek out HIPAA compliant electronic content management systems.
“You do not rise to the level of your goals. You fall to the level of your systems.” - James Clear
You can take all of the precautions you want, but if your electronic content/document management systems do not have HIPAA compliance in mind, then you will always have to pick up the slack. Fortunately, there are electronic content management systems designed with HIPAA compliance baked in.