By Pension and Benefits Editorial Staff
As employers have navigated the COVID-19 pandemic, many employees are working remotely for the first time. This can pose HIPAA compliance issues, warned experts at an October 15 webinar sponsored by Segal Company.
“Training is very important,” said Lisa Simioni, senior consultant in the compliance practice at Segal. “In this COVID environment, it is really time to take a look at your HIPAA policies, and examine if you have workforce members that need a refresher on what your rules are.” This is important for employees that typically worked in the office, who are not used to logging into the system remotely. “These employees may not be familiar with where the protected health information (PHI) is stored,” she explained.
Having employees work remotely poses many questions about security. “What happens if someone from home sees files or materials with PHI? Are remote workers being monitored? Did the employer send the employees equipment or are they using their own equipment? How is the information protected? These are all questions that employers need to grapple with our new COVID-19 remote workforce,” said Guy Lester, vice president and director of marketing at Segal.
Five steps to compliance. According to Ashkon Roozbehani, health compliance consultant at Segal, there are five things companies can do to assure HIPAA compliance. First, conduct periodic risk assessments every two years, or when new technology or software services are acquired. “Whenever your environment changes up a little bit, it’s good to do an assessment to see where your vulnerabilities lie in terms of health information,” he said.
The second and third steps are to update policies and procedures and provide ongoing training. “It's important to have written policies and procedures, because that is an important resource for your staff to understand how to follow the rules,” Roozbehani commented. “Also, training is important—it’s difficult to comply with HIPAA if your staff doesn’t understand exactly what the rules are.”
Lastly, companies should have processes in place to detect and report breaches, and to contract with business associates who are also independently responsible for complying with the HIPAA rules. “If you have a breach, the worst thing that you could do is sit on it, because ultimately, the penalties are worse for failing to report mistakes,” he concluded.
Revisit and retrain. Simioni reiterated that the most important thing is for employers to revisit their procedures and retrain their newly mobile workforce. “After you update your policies and procedures, don’t just put them in a binder and forget they exist,” she said. “The policies don’t serve any purpose or benefit you, as the covered entity, if you don’t actually make sure that those employees that are working with electronic PHI are actually aware of and fully trained on what your policies are.”
SOURCE: Understanding HIPAA Privacy and Security, Enforcement, and the Impact of COVID-19 on Health Plans, Segal webinar, October 15, 2020; www.segalco.com