Maintaining Compliance with HIPAA Privacy and Security Rules in a Remote Work Environment

The United States is now almost one year into its COVID Pandemic Response that shifted a large percentage of its workforces to a remote office scenario.  While every organization works to maintain appropriate security and privacy safeguards in this new milieu, the stakes are higher for those companies that are obligated by the HIPAA Privacy and Safeguard Rules.  While you cannot understate the importance of awareness training for a remote work force, there are several steps that companies can implement to support continue compliance, even outside the office.

  • Secure Wireless– All employees should ensure that the wireless networks to which they are connected are secured. This seems straightforward and generally, people are aware that they should be requiring passwords to join the network, but secure wireless networks take a little bit more than that. Protection of the networking equipment itself is often overlooked, as more attention is focused on the workstation itself. Users should ensure that they have changed the default administrative credentials on their networking equipment.  Setting the SSID (network name) to private can also help secure the network, making it more difficult for criminals to find. Firmware on the access point or router should be updated and patches maintained.  Securing network equipment and devices is critical to securely working in a remote environment.
  • VPN Connections – When accessing corporate resources, employees should be sure to do so through secure VPN connections. VPNs establish a secure connection between the workstation and the network resource being accessed. Data traffic is exchanged through an encrypted tunnel, offering protections against theft of data in transit. It also obscures the IP address of the workstation by using a proxy.  It’s also important to remind employees to disconnect from the network when they are done with work.
  • Two Factor Authentication – An additional of security can be added by requiring two factor authentication for logging into corporate assets that may have sensitive or regulated data, such as PHI. This requires users to provide not just a name and password to log-in, but also an additional identifying criterion. Most often, this is a randomized number provided by an authentication tool, such as Google Authenticator or RSA SecurID.  This means that even if someone does compromise username and password, they will be unable to log in to those sensitive assets.
  • Printing Restrictions – In talking about securing the work environment at home, printing is often overlooked. Printing hard copies of reports or file that contain PHI represents a potential exposure. If employees must print documents with sensitive information, it should be stored in a locked drawer or filing cabinet. When the document is no longer needed it should be shredded.
  • Policies and Procedures – While well-documented policies and procedures are a must for the protection of PHI, they are only successful if employees understand them and know how to apply them to their job roles. Not only is it helpful to have the policies regarding the treatment of PHI readily available, but companies may also consider conducting ongoing training about the role their employees play in ensuring the security and confidentiality of PHI.  Ongoing communications through email, SharePoint or company messaging systems can act as helpful reminders and assist in creating a culture of security and privacy awareness.

While everyone is managing the seemingly continuous change necessary to maintain healthy communities amidst the pandemic, one thing that remains constant is the need to ensure the protection of sensitive patient data.  For that reason, we must ensure that the policies, processes, and pratices that we enforce to secure patient data apply equally in the office and at home.