The mass migration to remote work hasn't softened the U.S. Department of Health and Human Services' (HHS) enforcement of HIPAA regulations. HHS imposes large financial penalties when employers don't keep proper tabs on their remote employees' access to and protection of PHI.
One recent example: the Cancer Care Group agreed to pay $750,000 after an employee's car was broken into and a laptop was stolen. The device contained more than 50,000 patients' sensitive information, and HHS threw the book at them.
HIPAA compliance during remote work is a team effort, but a large share of the responsibility falls on IT. Here's an agenda that will keep you on the good side of HIPAA, wherever your employees are:
The HIPAA Remote-Work Compliance Checklist
Routers and Wi-Fi
- Ensure that home wireless router traffic is encrypted using WPA2-AES. This is the out-of-the-box default on most modern routers, but older equipment may need to be configured (and older modes such as WEP or WPA-TKIP should be turned off).
- Encourage remote workers to take extra Wi-Fi precautions, such as using a passphrase (a full sentence) rather than a single word for their Wi-Fi password and setting up separate networks for work and home devices.
- Consider restricting or banning the use of public Wi-Fi, which can expose users to man-in-the-middle attacks and other exploits.
Devices
- Configure every device that connects to the business network. Ensure that each one is encrypted, password-protected, and running up-to-date anti-virus software.
- Only allow specific brands and versions of devices that are known to be safe.
- Mandate automatic patching and security upgrades on all devices.
- Ban or discourage the use of shadow IT and BYOD on the business network.
VPN
- Require that employees use a Virtual Private Network (VPN) when they access the company's intranet from home.
- Continually monitor and test VPN capacity to ensure the network can handle increases in the number of concurrent users, and be prepared to invest in extra bandwidth if necessary.
- Implement multifactor authentication on all VPN connections, or at a minimum ensure that passwords are very strong.
Security and Training
- Notify all employees that phishing attempts will almost certainly increase while they are working remotely.
- Ensure that security teams are prepared to handle the influx of new security-related tasks, such as log review and incident response.
- Ensure that security training is administered to remote workers no less frequently than every six months.
- Avoid banning teleconferencing for fear of Zoom bombing or similar incidents; HHS announced that it would not impose penalties for noncompliance when healthcare providers use common telehealth applications such as Google Hangouts, Zoom, Skype, or Microsoft Teams.
- However, do provide a reasonable degree of protection for video conferencing applications, including password-protected sessions, strong passwords, and not publicly announcing any events or meetings where PHI may be presented.
Like most organizations, HHS is still adapting to the new normal and is working out its methods for policing HIPAA compliance. Businesses should not be lax: although the shift to remote work presents many challenges, HIPAA violations will still rack up huge penalties.
Have a system in place to ensure your remote workforce is covered with regard to HIPAA. That way, if a privacy breach does occur, you will at least be able to demonstrate your diligence.