Does your occupation allow you to work from home? Well, you aren't alone. According to a recent survey conducted by Gallup, approximately 37% of all workers in the United States telecommute.
Working from home certainly has its perks, such as the ability to set your own hours, eat at home, and skip buying gas. However, it also has some caveats, including Information Technology (IT) and other security concerns, which can create conflicts with the Health Insurance Portability and Accountability Act (HIPAA).
If you keep up with our blog here at Allpoint Compliance, you are probably well aware of the general function behind HIPAA: to protect the privacy of healthcare patients by establishing certain rules and requirements that doctors and other covered entities must follow. But what if healthcare employees are allowed to work from home? Can they still access, transfer, store and/or facilitate Protected Health Information (PHI) without violating HIPAA?
First and foremost, it's important to note that HIPAA only affects a worker's “home” computer if that computer contains or accesses PHI. If a nurse, for instance, uses her home computer to check an online news bulletin board published by the hospital for which she works, she does not have to abide by HIPAA, assuming no PHI is present in the bulletin board. But if a nurse uses her home computer to download sensitive patient files so she can better plan her weekly schedule, she must adhere to HIPAA and its respective requirements. To learn more about what's classified as PHI and what's not, check out the Department of Health and Human Services (HHS) webpage here.
The first step towards ensuring HIPAA compliance for at-home healthcare workers is to analyze the risk of disclosure. In other words, how likely is it that PHI will be accessed or otherwise disclosed by unauthorized individuals? Known as risk assessment, this is an essential step towards maintaining HIPAA compliance.
Healthcare employees who work from home should also implement appropriate and meaningful safeguards. The Security Rule states that covered entities should use a combination of physical, technical and administrative safeguards to protect Electronic Protected Health Information (EPHI) from disclosure. Physical safeguards may consist of locked doors and windows; technical safeguards may consist of firewalls, virus scanners, and proactive network monitoring services; and administrative safeguards may consist of policies and procedures pertaining to EPHI. Combining these elements should allow healthcare employees to work from home, as long as they follow all of the requirements set forth by HIPAA.