HIPAA compliance for remote staff

It goes without saying the COVID-19 pandemic is the greatest health challenge the world has faced in decades. As of mid-September 2021, there had been more than 226 million cases across the planet and almost 4.7 million people had died from the virus. The United States alone had recorded more than 42 million cases and 682,000 deaths, with those numbers set to increase as the battle to get the disease under control continues more than 18 months after it reared its head.


Given its vital role caring for the afflicted, the healthcare industry has been on the frontline of the pandemic from day one. More importantly, it has done so while traditional workplaces are being reinvented to cope with the virus itself. Social distancing has forced hospital and health executives to embrace remote working models with haste and establish platforms that allow staff who can work off-site every chance to do so.

Remote working is no longer an innovative concept for the healthcare industry but a necessity. Pre-COVID data showed about 3.4% of all U.S. workers were already working remotely but this number soared in 2020 as businesses strived to protect their people from the virus threat. A global survey by research and advisory company Gartner found 88% of organizations worldwide made it mandatory or encouraged their employees to work from home after COVID-19 was declared a pandemic.

Compliance concerns

While many healthcare workers have no choice but to remain on the frontline, their non-clinical colleagues find themselves increasingly working out of virtual or home environments instead of brick-and-mortar offices. Amid such change, the challenge for healthcare organizations is to ensure they and their employees remain as committed to HIPAA compliance in the new world as they were in their traditional workspaces.

Keeping patients’ personal health information (PHI) secure and confidential is a key foundation for the healthcare sector and the American Academy of Professional Coders (AAPC) has warned the COVID-19 crisis is not an excuse for tardiness. “It’s very important to take the same physical and security measures to safeguard the PHI you are trusted with and for that you need to create a HIPAA-compliant workspace,” it declared.

The concern for healthcare executives is that, as reported by the Wall Street Journal, more non-clinical staff working remotely increases security risks for hospitals and health systems. This is supported by the findings of a poll of more than 2,000 U.S. adults who were working from home due to COVID-19, with almost half (47%) saying they were concerned about cybersecurity risks in their new environment. That is little wonder given 53% were using their personal laptops and computers for business operations, but almost half (45%) had not received any new training on data/device security.

Such fears manifested themselves in real terms when an analysis of U.S. hospital and health service data showed a spike in hospital data breaches since the start of the pandemic, attributed to rapid cloud expansion and a sharp increase in remote working and the use of personal devices. Key findings included:

  • Healthcare data breaches increased 55.1% from 386 in 2019 to 599 in 2020
  • Hacking and IT incidents accounted for 67.3% of data security compromises in the healthcare sector in 2020, affecting 24.1 million people
  • Unauthorized disclosures were the second most common type of breach (21.5%), followed by loss or theft (8.7%) and other breaches (2.5%)
  • The average cost per healthcare record breached increased from $429 in 2019 to $499 in 2020, costing healthcare organizations about $13.2 billion in 2020.

Security measures

The rise in remote working has amplified the need for more rigorous compliance to protect patients’ personal health information. With the COVID-19 threat showing no signs of abating, healthcare executives must develop policies and procedures for remote employees to protect PHI and ensure their organizations remain HIPAA-compliant. Without additional training and strong messaging, people working remotely may not even realize they are at risk of data breaches and identity theft.

  • Be specific: protecting PHI in a remote working environment is a challenge that requires a targeted focus. That’s why it is essential that healthcare organizations with remote workers create a security policy specifically designed for remote workers. It is not enough to rely on past procedures and hope for the best. Remote working is a unique situation that warrants a unique policy.
  • Be secure: it is surprising how many healthcare organizations invest millions of dollars in IT security but allow remote workers to log on to their network from home with minimal fuss. Home wireless router traffic and PHI-accessing devices need to be encrypted and password-protected, with default passwords changed to ensure they are as secure as possible. Password security is an art in itself and various resources are available to help staff create strong passwords.
  • Be smart: not every task is suitable for remote work. Employees need to be aware which job functions they are allowed to perform remotely and which should wait until they are in a more secure office setting. Likewise, remote workers need to be on the same page as their on-site colleagues when it comes to the tools and platforms they should be using. Out of sight should not mean out of mind when it comes to cloud storage platforms, conferencing tools and project management programs being used by staff.
  • Be responsive: remote workers should have a clear guide to follow if they believe PHI has been compromised. Be it the process for reporting an incident or the need to immediately change passwords, such steps should be included in their mandatory cybersecurity training.
  • Be vigilant: HIPAA compliance is about more than just online threats. There is a tendency for remote workers to be more relaxed about their physical workspace, which is why it is imperative to remind them of simple steps to protect PHI. They should avoid printing PHI and, if they do, keep it locked away. They should minimize the ability of non-authorized people (e.g., family, housemates) to overhear patient information and never allow them to use devices that contain PHI. Sharing passwords with staff or family members is also taboo.

Outsourcing options

The COVID-inspired rise in remote working is also driving an increase in healthcare services investing in outsourcing to support their operations. The global healthcare outsourcing market is set to reach $468.5 billion by 2026, up from $296 billion in 2021, with destinations such as the Philippines home to thousands of healthcare candidates including medical coders, clinical data coordinators and medical transcriptionists.

When engaging an outsourcing provider, hospital and health services must keep HIPAA compliance top of mind. The level of security needed to store PHI in a regulated environment is very different from other sectors and healthcare executives should list their key requirements and concerns before starting the search for a provider. Issues to consider include:

  • What is their password policy?
  • Who will test the system security?
  • Is there a policy for destroying media (e.g., paper documents) at the end of the contract?
  • Do staff receive training in PHI security?
  • Are there pre-employment screenings?
  • Do staff work in an open-plan office or secure room?
  • Does the provider have controls to prevent ransomware attacks?
  • Can staff take laptops home or use their own devices?
  • Are staff allowed to download and install tools on their computer?

One of the great comforts for patients is knowing the importance clinicians place on the security of their health information. This protection is at the very heart of HIPAA compliance and that is why every step must be taken to ensure a rise in remote workers does not negatively impact such public confidence. The COVID-19 pandemic may have inspired a new way of thinking when it comes to working environments but the need to remain vigilant about PHI has never been more important.
