In response to the Coronavirus outbreak, companies around the globe are instructing employees to work from home to promote "social distancing." Notably, Google and Apple recently instructed all of their employees in Europe, the Middle East, and North America to work from home as a precaution against the virus. This practice is likely to continue to spread throughout the business world, and healthcare organizations should be prepared to follow suit.
While tech-savvy companies like Google and Apple are well equipped to support remote access, the healthcare industry faces its own unique challenges in implementing this strategy. Of particular concern is the impact on patient privacy and the security of personal health information (PHI) with regard to the HIPAA laws.
Remote workers in healthcare access PHI through company networks and by downloading data onto personal devices. Without appropriate policies in place, this creates an enormous risk of unauthorized access and data breaches. The U.S. Department of Health & Human Services has identified several key risks that companies must consider when authorizing remote access and offers guidance on how to mitigate these risks.
Access of PHI
- Log-in and password access should require two-factor authentication
- Always require employees to use a VPN to access company networks
- Organizations should grant users the level of access appropriate to their role
- Employees must never leave laptops logged in or unattended, or allow others to use the device while any PHI is accessible
- Disconnect from all access when work is complete
- Laptops should be equipped with anti-virus software and a firewall to protect network access
Storage of PHI
- Devices with access should be kept safe and never left in a vehicle where they could be stolen
- Do not allow employees to access PHI on a public device, such as a library computer, where PHI could accidentally be left behind
- Do not make physical copies of PHI; employees who must do so are required to maintain a locked storage space and a proper shredder to destroy PHI
- Never store PHI on personal devices
- All PHI must be encrypted before it is transmitted or stored
It is essential for organizations to develop policies and procedures for remote-access employees that protect PHI to the standards of the HIPAA Security Rule. Successful safeguards require proper education and training of employees to ensure effective implementation. In the wake of the recent Coronavirus outbreak, healthcare companies must be prepared to remain HIPAA compliant regardless of how they operate.
As always, ADVOCATE will keep you up to date on this and all issues impacting radiology as they become available.
Colton Zody, JD
Chief Compliance Officer