Table of Contents
Health care entities, facing a tight labor market, increasingly are allowing telecommuting as a way to keep employees, but many fail to put in place necessary safeguards for protected health information (PHI) for their work-at-home personnel.
That’s the word from attorneys, who say organizations can’t simply send personnel to work at home without considering issues such as bring-your-own-device, family members’ use of a shared computer and access to printed documents in a home office setting.
“One of the biggest areas of enforcement with recent OCR [Office for Civil Rights] settlements is with the fact that many covered entities simply failed to have adequate policies in place to ensure the proper handling of electronic PHI [ePHI] in the telecommuting context,” says attorney Sara Jodka, of counsel at Dickinson Wright PLLC in Columbus, Ohio.
“Many covered entities failed to have any policies covering telecommuting and simply relied on their privacy policies to govern,” Jodka tells RPP. “The problem was that the policies oftentimes were not modified to provide for security and privacy under HIPAA as many employees accessed patient information remotely.”
Jodka notes that most of the policy failures involving remote access of PHI “concern the receipt and removal of hardware of electronic media that contain ePHI and the failure to implement policies and procedures to safeguard facilities and equipment from unauthorized access, tampering, theft, etc. when it was appropriate to do so under the circumstances.”
Another major issue that “goes hand-in-hand with the policy update failures” involved employers’ failure to conduct accurate and thorough risk analysis of potential risks and vulnerabilities regarding confidentiality, integrity and availability of ePHI,” Jodka says.
Jodka says that health care increasingly is moving in a direction that requires more, not less, remote access to ePHI, and telecommuting is a part of that. “I think allowing telecommuting staff to handle ePHI is imperative, especially as health care continues to evolve in the telemedicine space and more and more covered entities are providing in-home health care [and] requiring professionals to travel to see patients, which additionally and necessarily requires that they have access to ePHI while traveling,” she says.
Attorney William Maruca, a partner with Fox Rothschild LLP in Pittsburgh, says it might be difficult for some health organizations to ban telecommuting altogether. “Experienced billing and coding personnel are in short supply in many locations, so it may be advantageous to offer a well-delineated, secure work-from-home option when recruiting for these positions,” Maruca tells RPP.