As a healthcare professional, you know how important HIPAA compliance is to the livelihood of your practice.
Initially passed in 1996, Congress added several additional rules in 2003, 2005, 2006, 2009, and 2013. The final text of HIPAA created sweeping changes to the healthcare industry, intending to guarantee patient privacy and security.
More recently, changes in the workforce are presenting the latest challenges to HIPAA compliance.
Like other industries, the healthcare industry is dealing with talent shortages. An overabundance of available positions and a lack of workers to fill them is pushing the healthcare industry to seek alternative ways to staff.
On top of this, the pandemic accelerated the number of people seeking the flexibility to work from home. According to a recent survey by McKinsey, over 65% of Americans desire to work remotely, and ‘workplace flexibility is now a top reason to accept a job.
The healthcare industry hopes that embracing remote work can resolve talent shortages and take advantage of changing employee preferences. In fact, the healthcare industry already has the highest number of remote workers in the United States, toppling around 2.7 million employees.
As such, medical practices must incorporate new and innovative security and compliance measures to remain within federal and state guidelines.
The Basics of HIPAA Compliance
To protect patient data in a remote work environment, it is helpful to first understand the ins and outs of the current HIPAA standards.
HIPAA Privacy Rule
The HIPAA Privacy Rule sets forth specific standards for securing patients’ protected health information (PHI). The Privacy Rule applies to covered entities, which include all organizations that collect, create, or send patient information via electronic means. Examples of covered entities include medical facilities and health insurance providers, among many others.
Under the HIPAA Privacy Rule, all patients must receive disclosures concerning the use of their data and provide their explicit consent before a covered entity shares their details with others. Only specific governmental organizations can obtain PHI without the patient’s permission, but the data transferred must be given to protect public health.
HIPAA Security Rule
The HIPAA Security Rule explicitly applies to the maintenance and transmission of electronic PHI. This rule applies to covered entities and business associates. A business associate includes any organization that handles electronic PHI for any purpose.
There are multiple examples of business associates, including billing companies and third-party consultants.
Organizations and individuals must implement physical, administrative, and technical safeguards to comply with the HIPAA Security Rule to protect e-PHI.
The HIPAA Security Rule is the standard that healthcare organizations are most concerned about when offering remote work benefits.
HIPAA Breach Notification Rule
Both covered entities and business associates must adhere to the HIPAA Breach Notification Rule, which requires organizations to report data breaches of PHI and e-PHI to the U.S. Department of Health and Human Services (HHS) within 60 days of discovery.
If the breach involves the data of more than 500 patients, a local media outlet must also receive notification of the situation.
Experiencing a data breach is why many healthcare providers and other organizations are reluctant to implement remote work policies. Data breaches result in a loss of public confidence in the organization and can lead to costly fines and potential litigation.
In addition, there are many administrative actions the affected organization must take to resolve the HIPAA violation and data breach per HIPAA’s rules.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule specifically applies to HIPAA business associates. All business associates must comply with all the HIPAA standards. Any Business Associate Agreements (BAAs) with covered entities must be fully signed and agreed to before transferring or sharing e-PHI.
Under the Omnibus Rule, covered entities must review all HIPAA BAAs yearly. If the agreement with the business associate needs changes to protect patient data further, the covered entity must stop sharing e-PHI until they reach a new BAA with the vendor.
Minimizing Security Risks for Remote Workers
Before offering a remote work option for your staff, covered entities and business associates should take a holistic look at their security policies. Ideally, all remote workers should follow the same standards as those working in the office.
Consider a complete risk analysis of remote work and how the organization and staff can support measures for security. In particular, consider the answer to the following question for your business:
- How can I ensure my practice can utilize remote staff members while remaining HIPAA-compliant and protecting patient ePHI?
Since individuals working from home will have some liberties over PHI, they must understand and enforce their own protections to ensure patient data’s safety.
How Remote Workers Can Implement Security Protections at Home
Remote workers have the same obligations to protect patient data as their counterparts at the office do. Best practices for protecting patient PHI from home include:
Keep the Work Area Private
Ideally, remote workers should not perform their duties in a space that isn’t private or secure through biometric methods. They should have a place to handle their responsibilities free from anyone who may accidentally view patient PHI.
If working from home, remote employees should avoid open spaces like the kitchen or living room. Instead, they should confine work to a home office or room where family members or friends aren’t likely to see the patient’s private information.
Minimize Paper Records
Remote workers should be conscientious about paper records in the home. In the office, it’s easy to lock all paper records in filing cabinets and rooms. At home, it’s much more challenging to keep written details safe.
Individuals working from home should use a locked filing cabinet for all patient PHI paper documents. Make sure to place any records in the cabinet before leaving the room.
Keep Electronic Devices Encrypted
Any electronic devices provided by the covered entity or business associate should contain encryption that prevents unauthorized access. For instance, organizations can use biometric or two-factor identity authentication practices to ensure workers are the only ones who can access an electronic device.
Only Conduct Work on a VPN
Virtual private networks (VPNs) ensure that all electronic work activities are on the company’s main network, not the worker’s personal network. Personal networks usually don’t have the stringent security measures that covered entities and business associates need.
VPN access ensures employees can save important files within the organization’s network, not on their personal desktops.
It’s also essential for organizations to use security-friendly technology to ensure e-mails and text messages are encrypted and transmitted via secure platforms.
Data-Safe Practices as a Remote Worker in the Healthcare Industry
There are a few explicit rules for protecting data while working remotely that all individuals in the healthcare industry should follow:
- Avoid the use of public Wi-Fi connections, like those in coffee shops and restaurants
- Only use encrypted electronic devices
- Remain connected to the VPN; don’t save patient data on your personal desktop
- Keep all paper documents in sight
- File paper documents in a locked cabinet or secure location
- Ensure you’re in a private place where no one can unintentionally hear your conversations when speaking with other employees or patients
Remote workers who fully understand the implications of HIPAA compliance — and regularly undergo security training — are in a better position to safely perform their duties than individuals who don’t.
How Covered Entities and Business Associates Can Support Remote Workers
Ensuring your remote workers have the tools and training to remain compliant with HIPAA is paramount for organizations in the healthcare industry. You can follow several best practices to support remote workers while maintaining your organization’s security.
Be the Provider of Electronic Devices
Don’t allow your remote workers to use their own personal electronic devices. Instead, provide them with laptops and smartphones purchased by the company. The electronic devices should contain business-specific anti-virus software, malware protection, and other security features to protect the organization from potential hacks.
Install Protective Software and Updates
Ensure that your organization can update software with security patches remotely. Your IT team should regularly monitor the devices and notify senior management of irregular activity. Irregular activity can include logins outside work hours or strange transfers of unnecessarily large amounts of data.
Regularly Maintain the VPN
The security team should regularly monitor the VPN and ensure that only approved employees can access it. When workers leave the organization, the security team should immediately disconnect their access to the VPN and request the return of all electronic devices.
Provide Ongoing Training on HIPAA Compliance and Best Practices
All employees should undergo regular training to remain up-to-date on the changing technology landscape. Training should include managing PHI and e-PHI safely away from the workplace and the best practices for remote work.
Workers should be well-versed in the implications for the organization if a data breach of PHI or e-PHI occurs.
How Edge Ensures HIPAA Compliance with Remote Workers
Edge is a facilitator of global remote workers who have the necessary skills to support the hiring needs of the healthcare industry. We connect employers with qualified remote workers who can handle administrative tasks, including front-office medical workers that handle scheduling, insurance verification, and billing support.
Many healthcare providers are nervous about hiring remote workers who handle patient PHI and e-PHI. But Edge stands out from other remote staffing agencies or virtual assistant companies.
To alleviate HIPAA concerns, we offer a signed Business Associate Agreement (BAA) to covered entities that choose to work with us. A BAA is a signed document that affirms a third-party service provider’s willingness to accept responsibility for the safety of your clients’ PHI, maintain appropriate safeguards, and comply with HIPAA requirements when they handle PHI on your behalf.
HIPAA rules require a BAA from every third-party service provider you use that could be exposed to your client’s PHI.
As a HIPAA compliant company, Edge signs a BAA to guarantee your client’s protected health information is safeguarded. Few other remote staffing agencies or virtual assistant companies will offer a BAA to covered entities at a company level by a U.S.-based company. It’s important to note that If the BAA is signed by a foreign company or by an individual employee, the ability to enforce the provisions becomes significantly lower, thus increasing your risks.
We’ve also implemented high-level security defenses against potential data breaches to adapt to our client’s needs. We offer the following:
Bi-Annual Security Training
All our employees undergo an introduction to security training and ethics provided by the U.S. Defense Information Systems Agency (DISA). After the initial training, all employees must take refresher courses every six months. Our employees are well-placed to identify potential security hacks, like phishing and social engineering.
Securing Equipment to Ensure HIPAA Compliance
Employees who work for us receive computers equipped with high-level security protections that use system hardening. System hardening involves over 700 unique settings designed to customize our worker’s computers. Hardening settings protect operating systems, web browsers, and other software from data leaks.
HIPAA Compliant Security Auditing Partner
Edge partners with Drata, a leading data security auditor that uses an automated platform to monitor potential security risks. Using Drata’s platform, Edge continuously monitors security across the organization. Our tech team regularly monitors security alerts, and the system retains evidence of its monitoring in case of potential audits.
Cloud Security
We use cloud security solutions to protect data from unauthorized use and access, DDOS attacks, hackers, and malware. Our cloud security includes comprehensive security policies that all individuals within the company adhere to.
Mandatory HIPAA Compliance Training
All employees must undergo HIPAA training before joining the organization. We’re devoted to ensuring all our workers have the necessary training to handle your company’s PHI and e-PHI.
In addition, all employees must sign non-disclosure agreements (NDAs) and conduct their work over Perimeter 81, a dedicated, HIPAA-compliant VPN. Edge retains a valid HIPAA certification.
NIST 800-53 Security Standard
The NIST 800-53 Security Standard is a military-grade standard with which few organizations can claim compliance. Edge uses the NIST 800-53 Security Standard to ensure complete protection for all remote employees and the organizations they support. Edge is also fully compliant with ISO 27001 and SOC 2 standards.
Healthcare Organizations Can Join the Remote Work Revolution While Maintaining HIPAA Compliance
Organizations in the healthcare industry have valid concerns about protecting patient PHI and e-PHI when they hire remote workers. However, with suitable security systems and training, companies can remain safe from potential data breaches while providing the benefits their employees want — flexible working arrangements.
Your organization can safely implement remote work policies by applying specific safeguards and by hiring trained employees on HIPAA compliance and best practices for security. We invite you to schedule a call with our representatives and learn about the many ways an Edge employee benefits your practice. Use this link to find a convenient time.
