How to maintain HIPAA compliance in a remote work environment

Remote work is quickly becoming the accepted way to do business as the COVID-19 pandemic has involuntarily forced millions of employees around the world to work from home. For some, working remotely was already the norm, but no one could have predicted the sharp increase in remote work that has occurred in 2020.

Healthcare isn’t immune to this shift. Doctors, clinicians, and general practitioners are frequently conducting home-based assessments with patients using video conferencing technology, and many medical professionals are opting to work remotely to complete everyday administrative tasks.

What do you need in order to work remotely?

Remote healthcare work is still governed by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA and the subsequent Security Rule and Privacy Rule amendments of 2003 were created to safeguard electronic protected health information (ePHI). These physical, technical, and administrative safeguards apply not only to an onsite workforce but a remote workforce as well.

Prior to setting up a remote working environment, healthcare organizations must identify who the remote users will be and create policies that document the rules and regulations of working securely in a remote environment. Remote access must then be configured per user depending on the ePHI access required for each individual to fulfill their job requirements.

The workforce must receive training about how to use remote work facilities, and they need to know what standards they’re expected to follow. This may include training on cloud servers, HIPAA-friendly collaboration tools, and bespoke in-house applications. The training should reinforce the fact that sharing ePHI is never allowed, even with fellow professionals or family members.

What safeguards protect remote users?

Most of the key HIPAA remote work safeguards revolve around protecting a user’s device, such as a laptop or tablet computer. Since the device will be located somewhere other than the medical practice or facility, typically at a user’s home, the healthcare institution’s physical safeguards, such as door entry systems, won’t be present.

All devices must be encrypted and password protected to prevent unauthorized access. If a laptop is stolen, full-disk encryption with a tool like BitLocker will prevent confidential data from being compromised. Even if the disk is removed and someone tries to read it, the data will be unreadable and cannot be reconstructed into a readable format without the encryption key.

The same rules apply to external media, such as flash drives and external hard drives. Only approved external media can be used. If they contain ePHI, the data must be encrypted and password protected. When not in use, the media must be locked away, and the data must be professionally destroyed once the user has finished working with it.

How can a HIPAA-friendly hosting partner help?

A HIPAA-friendly hosting partner provides all remote workers with an encrypted point-to-point VPN service. A VPN encrypts any data (including ePHI) while it’s transmitted, allowing remote workers to use any consumer internet service provider to securely access a healthcare intranet.

Extensive VPN activity logs keep track of user access habits, and an intrusion prevention system (IPS) intelligently detects and alerts against unexpected logins. If a user decides to catch up with some work at 3 a.m., this type of activity may be automatically flagged as suspicious.

To further protect the integrity of the network, VPN user accounts are automatically locked after 30 days of inactivity.
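As an added illustration of the log monitoring described above (example code, not the hosting partner's or the author's own tooling), the Python below parses constructed VPN log lines in an assumed format, flags logins outside an assumed business-hours window (the 3 a.m. case), and lists the accounts that would be locked under the 30-day inactivity rule.

```python
from datetime import datetime, timedelta

# Constructed sample VPN log lines in an assumed "timestamp EVENT key=value" format.
SAMPLE_VPN_LOG = """\
2020-06-01T08:05:12 LOGIN user=alice src=203.0.113.10
2020-06-01T03:02:44 LOGIN user=bob src=198.51.100.7
2020-06-10T17:45:09 LOGIN user=alice src=203.0.113.10
2020-04-20T09:15:00 LOGIN user=carol src=192.0.2.55
2020-06-12T22:30:00 LOGIN user=dave src=198.51.100.9
"""

WORK_HOURS = (7, 19)   # assumed local business window: 07:00 up to (not including) 19:00
INACTIVITY_DAYS = 30   # lock VPN accounts that have not logged in for this many days


def parse_vpn_log(text):
    """Return (timestamp, user) tuples for each LOGIN line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "LOGIN":
            continue
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((ts, fields["user"]))
    return events


def off_hours_logins(events, hours=WORK_HOURS):
    """Logins outside the business window; these are the ones to alert on."""
    start, end = hours
    return [(ts, user) for ts, user in events if not start <= ts.hour < end]


def accounts_to_lock(events, known_users, as_of, days=INACTIVITY_DAYS):
    """Known accounts with no login in the last `days` before `as_of` (never seen counts too)."""
    cutoff = as_of - timedelta(days=days)
    last_seen = {}
    for ts, user in events:
        last_seen[user] = max(ts, last_seen.get(user, ts))
    return sorted(u for u in known_users if u not in last_seen or last_seen[u] < cutoff)
```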

Access to the VPN requires multifactor authentication. Many healthcare organizations use a combination of a username, a PIN, and a security code generated on a user’s mobile phone. You can add more protection by using credit-card-style PIN cards or even biometrics such as a fingerprint. This technology is readily available on commercial laptops.

More tips on enabling HIPAA compliance

To further protect the network, require users to change the default passwords on any home network equipment. If using Wi-Fi, use WPA2-AES as the minimum security standard to prevent network sniffing. User passwords must be complex, and system administrators should enforce enhanced security standards.

Only print ePHI if absolutely necessary. Most healthcare organizations are pushing for a paperless office environment to greatly cut down on the printing of ePHI. If ePHI is printed, the printouts must be securely locked in a filing cabinet and shredded when they’re no longer needed. It’s a breach of HIPAA compliance to leave ePHI where anyone else may see it.

Many healthcare practices may have been caught off guard by the rapid change to remote work caused by COVID-19. Most healthcare professionals are key frontline workers who must work at hospitals and medical practices, but they are supported by extensive teams of office-based employees. With the switch to remote work, many organizations didn’t have enough company laptops for staff, so many had to use their own devices.

HIPAA legislation permits healthcare users to use their own device, but there are strict rules regarding implementation. All devices must have adequate antivirus and security patches. Domain administrators can push out updates to any device connected to the corporate network to ensure that it’s compliant. No ePHI should be transferred to a BYOD device.

Healthcare professionals are required to report the loss or theft of a digital asset immediately. Though laptops are encrypted to protect data, mobile phones can be a significant security risk. Fortunately, mobile device management software can provide a kill switch on any enrolled organization phone, so the device can be tracked and remotely wiped if it can’t be recovered.

The HHS is fully aware of the additional pressures remote workers face during the COVID-19 pandemic, and it has relaxed enforcement of HIPAA regulations during the global emergency. This reprieve from full HIPAA enforcement is temporary, however.

It’s best to maintain HIPAA best practices when working remotely and to uphold the safeguards that protect electronic health information. It might prove difficult to police the activity of remote workers, but organizations can do spot checks and apply the same penalties if anyone is in breach of HIPAA legislation.

Each remote worker has a duty to access ePHI only when necessary, and all confidential information must be locked away when not in use. Likewise, healthcare organizations have a responsibility to provide information technology services that are HIPAA-friendly and devices that can be encrypted, traced, and audited on demand.

AUTHOR
Marty Puranik is the founder, president, and CEO of Atlantic.Net, a profitable and growing hosting solutions provider in Orlando.
