If you only knew…
Several years ago, to make some extra cash, a now-employee of ours took on medical billing processing work from home on the weekends. The work was fairly mindless—mostly taking PDF scans of handwritten charts and punching the necessary codes into a billing system. Before he could start, he had to sign a HIPAA Employee Confidentiality Agreement: a document stating that he would not allow anyone else to access patient information and would take security measures to protect the data while it was in his possession. He prides himself on being a person of intense moral fiber and on being savvy with data security, and the thought of abusing his authority never crossed his mind. Still, the sheer volume of extremely personal information that came across his computer screen was astounding...and even scary.
In this piece, we’re going to look at HIPAA compliance for remote workers—what it means, why it's necessary, and some tips on how to do so.
What is the gist of HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (yep, it’s not that old) is an act that aims to protect a variety of protected health information (PHI) identifiers from threats. There are 18 such identifiers in total. They range from names, email addresses, fax numbers, street addresses, and account numbers to health records and biometric data such as fingerprints and even voiceprints. Not only does HIPAA restrict who can access this information, but it also works to mitigate the risk of patient information being lost or stolen. Knowing what is and isn’t a HIPAA violation in the workplace is very important.
What is the penalty for violating HIPAA compliance?
HIPAA compliance is good practice not only for patients but for companies as well. Besides keeping them trusted by clients, it also keeps them from having to pay hefty fines. According to the American Medical Association, HIPAA violations can carry fines ranging from $50,000 to $250,000 and between 1 and 10 years in prison, and penalties can increase depending on the amount of compromised information. According to the U.S. Department of Health and Human Services, a representative from Cancer Care Group was found to be in violation of HIPAA after a car containing a computer holding protected information was stolen. This resulted in a fine of $750,000. I mean, talk about a lousy day! While penalties vary between knowingly violating HIPAA and HIPAA violation penalties for employees due to ignorance, the differences in fines and prison time are hardly large enough to justify taking the risk. This makes understanding HIPAA guidelines for employees—especially HIPAA while working from home—absolutely crucial.
What kind of employees need to be HIPAA compliant?
If any of your employees have access to any of the 18 protected health information (PHI) data points used in a healthcare setting, they will likely need to agree to a HIPAA Employee Confidentiality Agreement. Even though the employees sign this agreement, that doesn’t necessarily mean their employer is off the hook for any HIPAA violations those employees incur.
How to Maintain HIPAA Compliance
Even though it is important to remain vigilant, being HIPAA compliant doesn’t have to be a headache. Here are a few HIPAA tips for employees. (These are by no means exhaustive, but rather act as a good jumping-off point.)
1. Don’t work on HIPAA-sensitive projects in public.
While it can be nice to get out of the house every so often and work from a coffee shop or shared work space, do not do so when working with patient information. Even if you found a great nook in the corner where no one can see your screen, between the questionable WiFi security and needing to use the restroom at some point, it’s better to be safe than sorry.
2. When discussing HIPAA-sensitive info, keep it down.
Are you a loud phone talker? Yes, it’s possible to violate HIPAA regulations by speaking a little too loudly at the wrong time. If you need to discuss protected information over the phone with another HIPAA-compliant co-worker, make sure no third parties can listen.
3. Invest in a good shredder.
If you’re ever handling paper documents or discs that contain HIPAA-sensitive data, you’ll need a good shredder to dispose of them once you’re finished. Simply tearing up documents is not enough. Being able to shred compact discs may also be a handy feature.
4. Be mindful of how you use data in your own processes.
Are you one of the many people for whom a task doesn’t get done unless it’s blocked out on a calendar? Whether you’re scheduling work or just making a to-do list, make sure you’re not using any of the 18 PHIs protected by HIPAA. Even using a patient’s full name in a calendar event description can be extremely risky.
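One practical way to apply this tip is to run a quick check over a note before it goes into a calendar or to-do app, flagging anything that looks like one of the identifiers HIPAA protects (email addresses, phone or fax numbers, account or record numbers, dates, and any known patient names). The scanner below is an added example, not code from the original post or from any HIPAA tool; its regex patterns, the patient name list, and the sample notes are all constructed for illustration and would need tuning to an organisation's own identifier formats.

```python
"""Flag PHI-like identifiers in free-text notes (calendar descriptions,
to-do items) before they are saved outside the billing system.

Added example, not from the original post. The patterns, the patient
name list and the sample notes are constructed for illustration."""
import re

# Simple regexes for identifier formats that commonly appear in PHI.
# Constructed for this example; a real deployment would tune these.
PHI_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 10-digit North American phone/fax numbers with optional separators;
    # the lookarounds stop the pattern from matching inside longer digit runs.
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
    ),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "record_or_account_number": re.compile(
        r"\b(?:MRN|acct|account|record)\s*#?\s*\d{5,}\b", re.IGNORECASE
    ),
}

# Constructed sample data: a fictitious patient name and three notes.
PATIENT_NAMES = ("Jane Sampleton",)
SAMPLE_NOTES = [
    "Call Jane Sampleton re: chart, 555-010-2244, DOB 02/14/1975",
    "Fax corrected claim for MRN 4481902 to billing@example.org",
    "Finish coding batch 7 before Friday",  # carries no PHI
]


def find_phi(text, patient_names=()):
    """Return a list of (category, matched_text) pairs found in `text`.

    Names cannot be recognised by pattern alone, so the caller passes the
    names it knows about and they are matched case-insensitively."""
    hits = []
    for category, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    lowered = text.lower()
    for name in patient_names:
        if name.lower() in lowered:
            hits.append(("name", name))
    return hits


def redact(text, patient_names=()):
    """Replace every hit with a category placeholder so the note still
    works as a reminder without carrying the identifier itself."""
    result = text
    for category, value in find_phi(text, patient_names):
        result = result.replace(value, f"[{category}]")
    return result


def risky_notes(notes, patient_names=()):
    """Return the indices of notes that contain at least one PHI hit."""
    return [i for i, note in enumerate(notes) if find_phi(note, patient_names)]


if __name__ == "__main__":
    for i in risky_notes(SAMPLE_NOTES, PATIENT_NAMES):
        print(f"note {i}: {find_phi(SAMPLE_NOTES[i], PATIENT_NAMES)}")
        print(f"  safer: {redact(SAMPLE_NOTES[i], PATIENT_NAMES)}")
```

The redacted form keeps the reminder usable ("Call [name] re: chart") while the identifiers stay inside the billing system where they belong. Because names can only be matched from a list, the check is a safety net rather than a guarantee; the habit of not putting patient details into personal tools is still the primary control.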
5. Use a cover sheet when faxing information.
Most of us do not use fax machines anymore, but they are still fairly widely used in the healthcare industry. Because of this, you will want to use a HIPAA-compliant fax cover sheet when sending sensitive information. This will help keep the data from just sitting in a printer tray on the other side for the world to see.
6. Sign out of all data systems when not in use.
Keeping HIPAA compliance in the workplace may not be immensely challenging due to the closed nature of the space. At home, however, it’s not uncommon for remote workers to use work computers for personal use. To keep all data safe, sign out of all secure data systems when you’re not using them. Make a habit of this.
7. Know which co-workers you can share HIPAA information with.
There should be a documented list within your company files of who can access HIPAA-protected data and who cannot. Before sharing any protected data, know for sure which workers have which levels of clearance.
8. Make sure your internet connection is secure.
If you need to ensure HIPAA compliance working from home, you will want to make sure your internet connection isn’t at risk of being compromised. Make sure all routers allow for data encryption. To increase security, hardwiring devices into a secure router may be your best bet. Also, using a HIPAA-approved virtual private network (VPN) on your computer and mobile device is another great layer of protection for sensitive data.
9. Keep virus protection systems up to date.
To keep your computer and systems free of malware, make sure that all of your anti-virus and anti-malware systems are up to date.
10. Be vigilant against phishing and spearphishing.
One way attackers can gain access to your computer systems is via email phishing or spearphishing. Do not click on any emailed links that you are not completely sure are safe—even if they seem to have information about you.
11. Do not plug mysterious drives into your computer.
Most people know better than to fall for this, but it still must be said: never plug any mysterious drive into your computer to examine its contents. While it may seem like an innocent thumb drive you found in a parking lot, it may actually be a front door into your secure system.
12. Be mindful of where you keep sensitive information.
Remember that case of the Cancer Care Group having to pay out a $750,000 penalty for failure to uphold HIPAA compliance? That was the result of a computer being left in a car that was stolen. Never leave any sensitive files or devices containing access to sensitive information in a vehicle. In general, be mindful of where this information is stored. Invest in a locking file cabinet for physical files and advanced password protocols for electronic files.
13. Reassess your security protocols frequently.
Being HIPAA compliant is not a “one and done” procedure. It is an ongoing process of remaining vigilant against data breaches and security threats. To avoid becoming complacent, reassess your own personal security protocols on a regular basis. Make sure you are remaining attentive to them and that they are still relevant.
14. Seek out HIPAA compliant electronic content management systems.
“You do not rise to the level of your goals. You fall to the level of your systems.” - James Clear
You can take all of the precautions you want, but if your electronic content/document management systems do not have HIPAA compliance in mind, then you will always have to pick up the slack. Fortunately, there are electronic content management systems designed with HIPAA compliance baked in.