Your idea of working from home seems pretty cozy. You imagine sitting in your pajamas and your pet sitting at your feet keeping you company. But for medical professionals, working remotely involves some special precautions to ensure patient privacy and data security.
Furthermore, you are in an “employer workspace” now, so there are also OSHA considerations that must be met to make sure you are compliant.
The pandemic had many healthcare workers— coding, billing and administrative staff— pivot from working in an office to working from home. When this necessary change happened, very few practices considered what that workspace would look like and even if the employee had a “dedicated” workspace available to protect patients from HIPAA breaches, or to protect themselves from a hazardous work environment.
Also, with the relaxed use of telecommunications and the advancement of telehealth, practitioners can treat more patients remotely. In response to the national health emergency (PHE), working from home isn’t just comfortable, but it’s an important way to protect the health of patients and healthcare workers, when necessary.
HIPAA regulations have been relaxed during the pandemic in order to facilitate safe access to healthcare and remote coverage for patients. Even though “potential” penalties for non-compliance have been waived during this emergency period for good-faith use of telehealth, the law was not removed, and HIPAA compliance is still necessary.
If proper telecommuting privacy and security measures are not in place, HIPAA Privacy Rule and Security Rule violations may occur. The number of employees working from home now is expected to continue to rise.
HIPAA Compliance and Working from Home
HIPAA rules apply to covered entities employees, whether work is performed at the office or at home, or at a patient’s home. HIPAA compliance and working from home do not fit hand in glove for one simple reason: Working at home (or at a patient’s house) can put patients’ “protected health information (PHI) at risk, consequently presenting HIPAA Privacy Rules concerns and HIPAA Security Rule concerns. Therefore, establishing HIPAA guidelines for employees is important.
Fortunately, these concerns can be addressed systematically, by taking specific measures with respect to specific work from home guidelines and requirements.
Employers can, for example, take steps to ensure IT security, such as the following:
- Encrypt home wireless router traffic.
- Change default passwords for wireless routers from the existing passwords.
- Ensure all devices that access your network are properly configured (i.e., are encrypted, with password, firewall, and antivirus protection).
- Encrypt all PHI before it is transmitted.
- Require employee use of a VPN when employees remotely access the company Intranet.
The HIPAA guidelines for working at home have additional steps that employers can take:
- Develop policies and procedures prohibiting employees from allowing friends and family from using devices that contain PHI. (e.g. laptops, cell phones, etc used to store or transmit ePHI)
- Have employees sign a Confidentiality Agreement before they begin work.
- Provide lockable file cabinets or safes for employees who store hard copy (paper) PHI in their home offices.
- Provide HIPAA-compliant shredders for remote workers so these workers can destroy paper PHI at their work location once the PHI is no longer needed.
- Develop and require adherence (through a sanctions policy) to a media sanitization policy. (limit external media connections on work routers)
- Ensure employees disconnect from the company network when their work is complete. This can be done by applying measures such as IT configuring timeouts.
- Maintain and periodically review logs of remote access activity.
The OCR (Office of Civil Rights) Investigations of Telecommuters
OCR investigated incidents of HIPAA breaches caused by telecommuting and determined that certain HIPAA entities, failed to take a number of basic measures required under the HIPAA Security Rule. One such failure was the failure to conduct an enterprise-wide risk analysis when the breach first occurred. Such an analysis might have resulted in these entities, having discovered stricter measures were needed to prevent the occurrence of threats caused by telecommuting.
OCR also discovered that these entities, had no written policy regarding the removal of hardware containing PHI into and out of its facilities.
This lack of a written policy constituted a clear violation of the HIPAA Security Rule.
One of the HIPAA Security Rule physical safeguards is the Device and Media Controls standard. Under this standard, covered entities are required to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”
One of the reported breaches, sounded like something out of a bad HIPAA soap opera. A manager from a specific HIPAA entity- employee and telecommuter, had left behind approximately 300 patient records in her car, after deciding to leave her husband. Believe it or not, the manager was actually complying with (an unwritten) company policy, which simply required that such records, as well as procedure manuals, be securely stowed away in cars as a form of data backup.
The manager left behind her car and her husband. However, the husband continued to have access to the vehicle. The husband later contacted the main company and the OCR to report he had discovered the private records.
When the matter got to a hearing before an Administrative Law Judge (ALJ), the judge ruled in favor of OCR, finding that, as an organization, the care center had failed to implement effective HIPAA compliance guidelines.
Why is OSHA Getting into the act?
The OSH Act applies to work performed by an employee in any workplace within the United States, including a workplace located in the employee’s home. All employers, including those which have entered into “work at home” agreements with employees, are responsible for complying with the OSH Act and with safety and health standards.
Even when the workplace is in a designated area in an employee’s home, the employer retains some degree of control over the conditions of the “work at home” agreement. An important factor in the development of these arrangements is to ensure that employees are not exposed to reasonably foreseeable hazards created by their at-home employment.
Ensuring safe and healthful working conditions for the employee should be a precondition for any home-based work assignments. Employers should exercise reasonable diligence to identify in advance the possible hazards associated with particular home-work assignments, and should provide the necessary protection through training, personal protective equipment, or other controls appropriate to reduce or eliminate the hazard. In some circumstances the exercise of reasonable diligence may necessitate an on-site examination of the working environment by the employer. Employers must take steps to reduce or eliminate any work-related safety or health problems they become aware of through on-site visits or other means. This is also a good way to determine if the employee has a dedicated space to use for working from home, and is not sitting at a dining room table with the kids, the spouse and everyone else’s paperwork also in the open for all to see.
Certainly, where the employer provides work materials for use in the employee’s home, the employer should ensure that employer-provided tools or supplies pose no hazard under reasonably foreseeable conditions of storage or use by employees.
An employer must also take appropriate steps when the employer knows or has reason to know that employee-provided tools or supplies could create a safety or health risk. Here are frequently asked questions and answers:
Is the employer responsible for compliance with the home itself?
An employer is responsible for ensuring that its employees have a safe and healthful workplace, not a safe and healthful home. The employer is responsible only for preventing or correcting hazards to which employees may be exposed in the course of their work. For example: if work is performed in the basement space of a residence and the stairs leading to the space are unsafe, the employer could be liable if the employer knows or reasonably should have known of the dangerous condition.
Is the employer required to do periodic compliance inspections in the home, which may include safety, health, fire, and environmental issues?
There is no general requirement in OSHA’s standards or regulations that employers routinely conduct safety inspections of all work locations. However, certain specific standards require periodic inspection of specific kinds of equipment and work operations, such as:
- ladders (§1910.25(d)(1)(x)) and §1910.26(c)(2)(vi));
- electrical protective equipment (§1910.137(b)(2)(ii));
- mechanical power-transmission equipment (§1910.219(p));
- portable electric equipment (§1910.334(a)(2)).
Although some of these operations may not be found in home-based workplaces, nevertheless, if an employer of home-based employees is aware of safety or health hazards, or has reason to be aware of such hazards, the OSH Act requires the employer to pursue all feasible steps to protect its employees; one obvious and effective means of ensuring employee safety would be periodic safety checks of employee working spaces.
What would be OSHA’s inspection procedures in a private home?
OSHA’s health and safety inspection program is directed primarily toward industrial and commercial establishments and construction sites. They do not ordinarily conduct inspections of home-based workplaces, although from time to time we have visited private homes or apartments to investigate reports of sweatshop-type working conditions in the garment industry and other businesses where hazards have been reported. Any OSHA enforcement visit must, of course, be conducted in compliance with the Fourth Amendment which would require that OSHA obtain either consent to inspect or a judicially-issued warrant. It has been reported that home inspections are becoming more commonplace. It is imperative that telecommuters and their employers are aware of the rules.
Below are responses to other general questions from the OSHA work-place site.
Workplace Analysis and Hazard Prevention: The employer is responsible for correcting hazards of which it is aware or should be aware.
If, for example, the work requires the use of office equipment (computer, printer, scanner, fax machine, copying machine, etc.) in an employee’s home, it must be done in a manner to, for example, not overload the home electrical circuits as this could be a fire safety violation.
Programming note: For more on this topic listen to Talk Ten Tuesday, today when Terry Fletcher reports this story live, 10 Eastern.
References and Resources: