A BUSINESS ASSOCIATE’S COMPLIANCY JOURNEY: REMOTE WORKFORCE
May 15, 2014
Small businesses may struggle to achieve and maintain HIPAA compliance, especially when there are added challenges such as employees who work remotely, whether full-time or occasionally, and need to access protected health information (PHI) on a daily basis. Ensuring compliance in the corporate office is usually easier than ensuring it in remote workspaces, but the HIPAA requirements are the same no matter where the work is done.
Businesses facing this challenge may want to establish several rules to ensure that remote workspaces are safe and secure. Here are five suggested remote workspace policies:
- Keep PHI Logs: When printing PHI is necessary, require staff to record every print job in a log so the business can account for all PHI that exists on paper. Staff must also record the date on which printed PHI was destroyed and the method of destruction; the method should leave the paper unreadable and unreconstructable (for example, cross-cut shredding), not simply discarded.
- Develop Email Rules: Never put PHI in the subject line of an email message, internal or otherwise. In the body, require employees to include the minimum amount of PHI necessary; for example, when a message must identify a patient, instruct employees to use initials rather than a full name. Never allow employees to send PHI by text message.
- Establish Work Break Rules: When employees step away from their workstation for a break, require them to sign out of any program that contains PHI and to lock their computer. An automatic screen lock after a short idle period is a useful backstop for the times an employee forgets. If printed PHI is on the desk, require them to cover it with protector sheets so that nothing is visible to anyone passing by. Instruct employees to follow a separate end-of-day procedure when their shift is over.
- Provide Periodic Training: Require all employees to receive periodic training on HIPAA, including updates or new developments, refreshers on company policies, and quizzes to ensure information retention.
- Create and Follow Security Incident Procedures: Put procedures in place so that any suspected breach is reported and handled promptly. Investigate every event without delay and remedy any issues that are identified. Remember that a business associate that discovers a breach of unsecured PHI is required under the HIPAA Breach Notification Rule to notify the covered entity without unreasonable delay, and in no case later than 60 days after discovery, so the reporting path from a remote employee to the compliance officer must be clear and fast.
Because compliance has to be maintained day to day, not just achieved once, another suggestion is to provide all staff, whether remote or on-site, with laminated cards to keep at their workspaces listing all the kinds of information that are considered PHI. It is also a good idea to keep a stock of the protector sheets that employees are required to use to cover printed PHI during work breaks. Lastly, for businesses with compliance officers, consider including frequent updates and reminders in company newsletters and staff meetings to help keep compliance consistent.
Ultimately, employees should be aware that HIPAA compliance is a joint responsibility: if a breach were to occur, it’s not just the business at risk of liability, but also the individual employees who were involved. Employees who work remotely must especially manage their remote offices and function as their own compliance officers—in practice, if not in title.
Building a business based on a remote workforce has many advantages, as well as some unique challenges. In terms of HIPAA compliance, it requires ongoing and comprehensive training to ensure full staff understanding of the requirements for compliance, and the risks and consequences of not meeting those requirements. It also requires a good dose of diligence from the compliance team to ensure remote workers are following through at every step.