With the recent coronavirus outbreak, which has been declared a pandemic by the World Health Organization (WHO), companies around the globe are letting their employees work from home to promote “social distancing”. Big companies such as Google, Apple and many others have already instructed all of their employees in Europe, the Middle East, and North America to work from home as precaution against the virus. This practice is likely to continue to spread throughout the business world, and healthcare organizations should be prepared to follow suit. Because, even if it’s remote working, all employees need to stay compliant with HIPAA privacy and security requirements just as in the office. Experienced medical billing and coding outsourcing companies have stringent measures in place to ensure that all personal health information (PHI) they receive remains secure and confidential.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by Congress to establish national standards for privacy and security of personal health data. The Privacy Rule, written by the US Department of Health and Human Services took effect on April 14, 2003.
According to the American Academy of Professional Coders (AAPC), “the laws are same for employees and business associates working from home. In the past 10 years, the number of employees working remotely in the United States has increased by 115%. And with the COVID-19 pandemic requiring many employees to work from home, that statistics is hiking rapidly.”
In this current health crisis, although certain HIPAA sanctions are being waived, it’s not an excuse for mishandling patients’ PHI. There are 18 PHIs and these identifiers range from names to email addresses, fax numbers, addresses, account numbers, to health records and biometric data such as fingerprints and even voice prints. Not only does it restrict who can access this information, but it also works to mitigate the risk of patient information being lost or stolen. It’s very important to take the same physical and security measures to safeguard the PHI you are trusted with and for that you need to create a HIPAA-compliant work space.
AAPC has listed some of the best practices to create a HIPAA-compliant workspace, which includes:
- Ensuring your home wireless router traffic is encrypted and password protected.
- Changing default passwords for wireless routers.
- Encrypting and password protecting your personal devices that you may use to access PHI such as cellphones and tablets.
- Computer programs containing patient information should be closed and logged out of when not in use.
- Be vigilant against cybersecurity threats such as phishing and spear phishing.
- Always lock your screens when walking away from your computer.
- Use a privacy screen on your monitor(s).
- Never share sensitive PHI with others who shouldn’t have access, including co-workers and personal acquaintances.
- Only access a patient’s record if needed for work.
- Avoid printing PHI; however, if necessary, keep all PHI, such as patient paperwork, charts, and records, locked away and out of view.
- Do not leave patient information out where unauthorized persons may see it.
- Minimize the ability for others to overhear patient information, for instance, saying a patient’s whole name out loud within hearing distance of others.
- Never allow friends, family, and so on, to use your devices that contain PHI.
- Limit email transmissions of PHI to only those circumstances when the information cannot be sent another way. At a minimum, use encryption tools (most businesses provide tools to send encrypted emails).
- Do not share passwords between staff or family members.
- Shredding paper files should be immediately disposed.
- Reassess your security protocols frequently.
Work with your IT department to ensure your home office is HIPAA-compliant and take the time to review your organization’s HIPAA Privacy and Security policies. The U.S. Department of Health & Human Services has identified several key risks that companies must consider when authorizing remote access and offers guidance on how to mitigate these risks. For accessing PHI, certain rules should be followed. They are:
- Log-In and Password access should require two-factor authentication
- Always require employees to use VPN to access company networks
- Organizations should grant appropriate levels of access to users, specific to their role
- Employees should never leave laptops logged in, unattended, or allow others to use the device while any PHI is accessible
- Disconnect from all access when work is complete
- Laptops should be equipped with antivirus and firewalls to protect network access
Certain steps employers can take include:
- Develop policies and procedures prohibiting employees from allowing friends and family from using devices that contain PHI.
- Have employees sign a Confidentiality Agreement before they begin work.
- Create a Bring Your Own Device (BYOD) Agreement, with clear usage rules.
- Provide lockable file cabinets or safes for employees who store hard copy (paper) PHI in their home offices.
- Provide HIPAA-compliant shredders for remote workers so these workers can destroy paper PHI at their work location once the PHI is no longer needed.
- Develop and require adherence (through a sanctions policy) to a media sanitization policy.
- Ensure employees disconnect from the company network when their work is complete. This can be done by applying measures such as IT configuring timeouts.
- Maintain and periodically review logs of remote access activity.
It’s very important for all companies that provide the facility of work from home to develop policies and procedures for remote access employees to protect PHI to the standards of the HIPAA Security Rule. To ensure effective implementation and successful safeguards proper education and training of employees are vital. Non-compliance can result in severe civil and criminal penalties. That is, the failure to comply with HIPAA could lead to loss of accreditation and reputation damage, lawsuits by federal government, financial penalties ranging from $100 to $250,000, and imprisonment, ranging from one year to ten years. That’s why it’s critical that physician practices looking to outsource their medical billing and coding tasks choose a HIPAA-compliant service provider.
An experienced medical billing company would have stringent measures in place to ensure that all PHI they receive remains secure and confidential. Their team of medical coders and billing specialists would be well-trained in HIPAA requirements to help physicians maintain compliance with the latest federal regulations.