This piece was co-authored by Thomas Heaney.
The modern workplace is in the midst of a colossal transformation. An estimated forty-four percent of employees are currently working from home, and a recent survey reported that employers expect the number of full-time workers who stay at home permanently to three times the pre-pandemic figures.
The implications of this shift will not only affect productivity and company culture, but will also affect policies and processes across finances, human resources, information technology, and a myriad of other business functions. The stakes are arguably greater in the healthcare industry, which, in addition to facing many of the same challenges for other industries, must also consider how a remote workforce impacts HIPAA compliance.
In the aforementioned survey, respondents were distributed fairly evenly across industries, with 15% from the healthcare sector. Only two out of ten respondents said they provided adequate tools and resources to support long-term remote employees. This has the potential to create a host of challenges to meet HIPAA requirements.
Under the Health Insurance Portability and Accountability Act (HIPAA), any covered entity or business partner that collects, processes, or stores PHI is required to implement security and privacy controls to protect its privacy, integrity, availability, or CIA.
The good news is that the law is not overly prescriptive in how companies treat privacy and security, as long as the end result of preserving the CIA materializes. This allows flexibility in how the organization deals with compliance and defines specific policies and process that best suit its unique needs.
But this flexibility should not be confused with indulgence. HIPAA compliance is serious and enforceable, and it must be properly addressed in the context of workplace challenges and the changes that have emerged amid the pandemic.
Data privacy in a distant world
Home working conditions affect HIPAA compliance and privacy practices in several ways. The US Department of Health and Human Services reports that more than 300 PHI violations have occurred so far this year, putting the personal data of 10.8 million individuals at risk.
This underscores the importance of health care institutions that address the many gaps through which protected health information may be exposed. These include:
- paper. Many aspects of healthcare business operations remain paper based, such as billing / coding and revenue cycle management. This means that employees print documents containing sensitive financial and / or health information at home, where other family members can view printed documents. Such exposure, regardless of innocence, would violate the Health Insurance Portability and Accountability Act.
- Arrival. Healthcare IT departments face the tremendous burden of transforming hub network infrastructure allowing employees to keep working and gain secure access to the systems and documents they need. Remote access controls must balance employee productivity with requirements to ensure the privacy of patient information. The stress on remote systems may also impair their usability, increasing the risk of employees taking shortcuts and using insecure channels to share information.
- behavior. Maintaining compliance with HIPAA’s requirements for document retention and disposal is a fairly straightforward process when employees are in the office. Screened disposal suppliers are often contracted to perform at least daily or weekly scans of safe containers. The checks and systems are in place to ensure that PHI records are stored securely and are not kept for longer than permitted by law. This becomes a very blurry issue when employees work remotely, either with physical documents or electronic copies stored on personal devices.
- protection. The increase in data breaches this year proves what security professionals already know: Data is weak. The anxiety and risk only increase when employees are working from home. Do employees access company systems over secure networks? Are employees still following security best practices? What additional pressure is being put on the company’s IT and infrastructure? Was there a degradation in the network due to the increase in remote staff, forcing the IT department to exclude the policy? These are all important security considerations.
- Reopen the office. As companies reopen, many of them are implementing revised work schedules that require employees to leave the office for extended periods of time. This can disrupt workflows that support privacy controls, such as requiring increased use of USB or cloud-based sites for storing and moving documents. When this happens on a large scale, it becomes very difficult for the compliance team to adequately track and manage every piece of PHI.
- Vendor management. Similar to the challenges that the company faces, the company’s vendors face the same challenges with an increasingly distant workforce. If these sellers are handling PHI on behalf of the company, more regular vendor assessments are necessary.
- Compliance. Regardless of company size, maintaining a robust privacy compliance program is essential to ensure proper management and decision making when considering some of the issues mentioned above. The new normal for telecommuting may create the need for exceptions to the existing policy or the new policies altogether. With exceptions to company policy, or new policies being put in place, how is the company being tracked and ensuring compliance?
A new normal for HIPAA compliance
Legal and compliance teams subject to HIPAA requirements must engage with key stakeholders, including their IT departments, to begin to understand the full range of challenges that their organization faces as a result of employees working from home.
The assessment, conducted either by internal teams or an external expert, is an important step in understanding the scope of PHI for which the organization is responsible, the business functions and the employees who have access to structured data.
In any cases where the organization or certain business units must deviate from the HIPAA Standard Operating Procedures, teams should document the reasons for this and create secondary controls to ensure that personal data is not compromised as a result of new processes. Close monitoring of these activities and the ways in which employees transmit data must be maintained to ensure that unapproved shortcuts are not taken.
HIPAA has been around for a long time, and most healthcare organizations have comfortably settled their compliance processes for years. But the landscape has changed dramatically this year with the shift to remote work, along with the emergence of new privacy regulations and a number of new systems in which structured data is created, shared, and maintained.
It is important to remember that all of these changes have the potential to affect HIPAA compliance. Organizations need to continue to prioritize the Health Insurance Transfer and Responsibility Act (HIPAA) and should view the pandemic as a compulsory function to reassess and update the policies of past years to ensure they meet the requirements of today’s new normal.
Louise Rains-Gomez is Managing Director of Technology at FTI Consulting, which focuses on the challenges of information management and data management.
Thomas Hiney is Director of Technology at FTI Consulting, focusing on managing and improving privacy programs, HIPAA compliance and more.