What are HIPAA Compliance Risks in a Remote Work Environment?
May 24, 2022

The workplace is going through a period of significant upheaval. According to a recent survey, companies anticipate that the number of full-time workers who remain at home permanently will triple that of pre-pandemic levels. Currently, an estimated forty-four percent of employees are working from home.

The ramifications of this transition will not only affect productivity and company culture but will also touch on policies and operations across a wide range of business departments, including finance, human resources, information technology, and countless others. The stakes are arguably even higher in the healthcare industry, which must not only contend with many of the same challenges as other industries but also take into consideration how a remote workforce impacts HIPAA compliance.

Data privacy in a remote world

There are various ways in which HIPAA and privacy compliance policies are impacted when employees have the option to work from home. According to a report by the United States Department of Health and Human Services, there have been more than 300 breaches of protected health information (PHI) so far this year, putting the personal information of 10.8 million people at risk.

This highlights how important it is for healthcare organizations to address the many gaps through which protected health information (PHI) may be exposed. They are as follows:

  • Access: IT departments in healthcare organizations are dealing with a significant load as they attempt to pivot their network architecture in a way that would allow employees to keep working while also providing them with safe access to the systems and information they require. Controls over remote access need to strike a balance between the demands placed on employees' productivity and the need to protect the confidentiality of patient information. It's possible that strains on remote systems might also lead to poor usability, which would increase the danger of employees taking shortcuts and sharing information through channels that aren't safe.

  • Security: When employees do their jobs from home, the level of anxiety and risk goes up. Do employees have access to the company's systems through encrypted networks? Are workers still adhering to the recommended procedures for maintaining security? What new pressures are being put on a company's information technology and physical infrastructure? Has there been a degradation of the network as a result of a growth in the number of remote employees, requiring the information technology department to create exceptions to policy? None of these aspects of safety and protection should be overlooked.

  • Vendor Management: The challenges that an increasingly remote workforce poses to a firm are paralleled by those that are posed to the company's vendors, who must contend with the same issues. If these suppliers are responsible for the processing of PHI on behalf of the organization, then more frequent vendor assessments will be required.

  • Compliance: It is essential to keep a robust privacy compliance program in place in order to guarantee appropriate governance and decision-making in light of the difficulties mentioned above. The growing prevalence of working from home could result in the need for new policies or modifications to those that are already in place. How does the organization keep track of and ensure that employees adhere to its guidelines when exceptions to those policies are established or when new policies are introduced?

COVID-19 Work from Home requirements 

Since 2020, cities across the United States have been issuing stay-at-home orders to prevent the spread of COVID-19. As a result, the majority of the working population has been obliged to switch to working from home for the time being. Those working from home include staff at certain HIPAA-covered companies and at the majority of business associates, even though essential staff, such as a large number of healthcare professionals, have continued to work in person.

Within the past few months, the Office for Civil Rights within the DHHS, which is responsible for HIPAA enforcement, has released a few statements of expectations in light of the widespread public health emergency that has been unfolding across the country. It announced that it would not impose penalties for noncompliance if covered healthcare professionals use standard video chatting software for telehealth purposes.

Even if it is possible to utilize these applications at this time, it is essential that providers enable all of the privacy and encryption settings that are available through these programs. Organizations still need to complete business associate agreements with the companies behind these applications. Specific programs, like Zoom, have made it possible for covered companies to complete these forms. To reiterate, this is merely a short-term solution, and covered companies should not count on it being in place once the current nationwide public health emergency has passed.