By Lauren Bikoff, MLS
Work-from-home arrangements can pose HIPAA compliance issues.
As employers have navigated the COVID-19 pandemic, many employees are working remotely for the first time. This can pose HIPAA compliance issues, warned experts at an October 15 webinar sponsored by Segal Company.
"Training is very important," said Lisa Simioni, senior consultant in the compliance practice at Segal. "In this COVID environment, it is really time to take a look at your HIPAA policies, and examine if you have workforce members that need a refresher on what your rules are." This is especially important for employees who typically worked in the office and are not used to logging into the system remotely. "These employees may not be familiar with where the protected health information (PHI) is stored," she explained. Having employees work remotely raises many questions about security. "What happens if someone from home sees files or materials with PHI? Are remote workers being monitored? Did the employer send the employees equipment or are they using their own equipment? How is the information protected? These are all questions that employers need to grapple with in our new COVID-19 remote workforce," said Guy Lester, vice president and director of marketing at Segal.
Five steps to compliance. According to Ashkon Roozbehani, health compliance consultant at Segal, there are five things companies can do to assure HIPAA compliance. First, conduct periodic risk assessments every two years, or whenever new technology or software services are acquired. "Whenever your environment changes up a little bit, it’s good to do an assessment to see where your vulnerabilities lie in terms of health information," he said.
The second and third steps are to update policies and procedures and to provide ongoing training. "It's important to have written policies and procedures, because that is an important resource for your staff to understand how to follow the rules," Roozbehani commented. "Also, training is important—it’s difficult to comply with HIPAA if your staff doesn’t understand exactly what the rules are."
Lastly, companies should have processes in place to detect and report breaches, and to contract with business associates who are also independently responsible for complying with the HIPAA rules. "If you have a breach, the worst thing that you could do is sit on it, because ultimately, the penalties are worse for failing to report mistakes," he concluded.
Revisit and retrain. Simioni reiterated that the most important thing is for employers to revisit their procedures and retrain their newly mobile workforce. "After you update your policies and procedures, don’t just put them in a binder and forget they exist," she said. "The policies don’t serve any purpose or benefit you, as the covered entity, if you don’t actually make sure that those employees that are working with electronic PHI are actually aware of and fully trained on what your policies are."