This piece was written in collaboration with Thomas Hiney.
The modern workplace is in the midst of a major transformation. An estimated forty-four percent of employees are currently working from home, and a recent survey reported that employers expect the number of full-time employees working from home permanently to be three times the pre-pandemic figure.
This change will affect not only productivity and company culture, but also policies and practices across finance, HR, IT, and countless other business functions. The stakes are even higher in the healthcare industry, which, in addition to facing many of the same challenges as other industries, must also consider how a remote workforce affects HIPAA compliance.
Respondents to the survey mentioned above were spread across industries, with 15% from the healthcare sector. Only two out of ten respondents said they had provided adequate tools and resources to support long-term remote workers. That gap has the potential to create a range of challenges in meeting HIPAA requirements.
Under HIPAA, any covered entity or business associate that collects, processes, or stores protected health information (PHI) is required to implement security and privacy controls that protect the confidentiality, integrity, and availability of that information (the CIA triad).
The good news is that the law is not overly prescriptive about how organizations approach privacy and security, as long as the end result of maintaining confidentiality, integrity, and availability is achieved. This gives an organization flexibility in how it approaches compliance and defines specific policies and procedures tailored to its own needs.
But this flexibility must not be confused with leniency. HIPAA compliance is a serious, enforceable obligation that must be properly addressed in light of the challenges and changes in the workplace that have emerged amid the pandemic.
Data security in a remote world
Working-from-home conditions affect HIPAA and privacy compliance practices in a number of ways. The US Department of Health and Human Services reports that more than 300 PHI breaches have occurred this year, affecting the personal data of 10.8 million individuals.
This underscores how important it is for healthcare organizations to address the many channels through which PHI can be exposed, including:
- Paper. Many healthcare business processes are still paper-based, such as billing/coding and revenue cycle management. This means employees are printing documents containing sensitive financial information and/or PHI at home, where other household members can view them. Such exposure, however innocent, would constitute an impermissible disclosure under HIPAA.
- Access. Healthcare IT departments are facing a tremendous burden on their network infrastructure as they work to keep employees productive with secure access to the systems and documents they need. Remote access controls must balance staff productivity against the requirement to protect the privacy of patient information. Friction in remote systems also leads to poor usability, increasing the risk that employees take shortcuts and share information over unapproved channels.
- Disposal. Maintaining compliance with HIPAA requirements for document retention and handling is a fairly straightforward process when employees are in the office. Vetted disposal vendors are typically contracted to empty secure shredding containers daily or at least weekly, and systems and checks are in place to ensure that PHI records are securely stored and are not kept longer than policy and law permit. This becomes a far murkier problem when employees are working remotely, with physical documents or electronic copies held on personal devices and in home offices.
- Protection. This year's surge in data breaches proves what security experts already know: data is vulnerable. The concerns and risks only increase when employees work from home. Are employees accessing company systems over a secure network? Are they still following security best practices? What additional strain is being placed on the company's IT staff and infrastructure? Has network degradation caused by the increased number of remote workers forced the IT department to introduce exception policies? These are all important security considerations.
- Office reopening. As companies reopen, many are implementing revised work schedules that keep employees out of the office for extended periods. This back-and-forth can disrupt workflows and undermine privacy controls, for example by encouraging the use of USB drives or cloud-based sites to store and move documents. When this happens on a large scale, it becomes very difficult for the compliance team to track and manage every piece of PHI.
- Vendor management. A company's vendors face the same challenges it does with an increasingly remote workforce. If those vendors handle PHI on behalf of the company, more frequent vendor audits may be necessary.
- Compliance. Regardless of a company's size, a strong privacy compliance program is essential to ensure proper governance and decision-making around the issues above. The new normal of remote work may require exceptions to existing policies or entirely new ones. When exceptions are granted or new policies are implemented, how does the company monitor and enforce adherence to them?
A new normal for HIPAA compliance
Legal and compliance teams responsible for HIPAA must work with key stakeholders, including their IT departments, to understand the full range of challenges their organizations face as a result of employees working from home.
Assessments, whether conducted by internal teams or external experts, are an important step in understanding the scope of PHI for which the organization is responsible, the business functions that touch that data, and which employees have access to it.
Whenever an organization or a particular business unit must deviate from its standard operating procedures for HIPAA, the team must document why and establish compensating controls to ensure that personal data is not put at risk by the new process. These activities, and the ways in which employees move data, must be closely monitored to ensure that unapproved shortcuts are not being used.
HIPAA has been around for a long time, and most healthcare organizations have been comfortable with their compliance processes for many years. But the landscape has changed dramatically this year with the shift to remote work, the emergence of new privacy regulations, and the adoption of several new systems in which data is managed, shared, and stored.
It is important to remember that all of these changes have the potential to affect HIPAA compliance. Organizations need to keep HIPAA a priority and should treat the pandemic as a forcing function for re-evaluating and refreshing the policies of previous years to ensure they meet the requirements of today's new normal.
Louise Rains-Gomez is the Managing Director of Technology at FTI Consulting, focusing on the challenges of information governance and data management.
Thomas Hiney is FTI Consulting’s Chief Technology Officer, who focuses on security program management and optimization, HIPAA compliance, and more.