Deciphering Background Checks 401(K) Missing Participants Mentorship Program Remote Work Policies Cafeteria Plan Employer Emergency Savings Accounts Retaining a Motivated Team Long-Term Care Insurance Payroll Best Practices Skills-Based Hiring Train Supervisors To Use Constructive Feedback Exemptions On Form W-4 DOL Final Rule On Independent Contractors Benefits of a Payroll Process Review Leadership Development Program Final Rule On Electronic Recordkeeping Orientation Employee Fraud Electronic Filing Qualified Retirement Plans COLAs Compensation Philosophy 2024 Health Coverage Year-End Payroll Educating Employees About Retirement Hiring Process Training Programs FUTA Neurodiversity Qualified Retirement Plan Audit HSA at-will employment Club Memberships custodial account esop Employers Payroll HRA ADA 401(k) Employee Value Proposition Agricultural tax breaks W-2 Filing Employment Tax When Hiring Loved Ones returnship programs

Remote Work Policies & HIPAA Compliance: Employer Refresher

An increasing number of employers are now embracing remote work options for their employees, whether full-time or part-time. If your organization falls into this category and provides a health care plan, it’s crucial to revisit the regulations surrounding protected health information (PHI) and the Health Insurance Portability and Accountability Act (HIPAA).

The Privacy Rule

One major feature of HIPAA is its Privacy Rule. This is essentially a set of national standards for safeguarding PHI. Always keep in mind that PHI is much broader than details about diagnosis and treatment. It also includes demographic data such as participants’ addresses, phone numbers, email addresses and financial information, as well as details about their plan participation.

Some staff members — managers, in particular — may be able to access PHI. When working remotely, these employees should ideally:

  • Have private workspaces where others can’t overhear conversations involving PHI,
  • Use only employer-issued devices and never access electronic PHI (ePHI) on shared devices, and
  • Put hard copies of PHI in a locked filing cabinet, shredding anything they can’t store securely.

Be sure to know which remote workers can access PHI. Each should be able to verify that there are proper measures in place to protect it.

The Security Rule

Another major HIPAA feature is its Security Rule, which is essentially a set of regulations for safeguarding ePHI. Every plan sponsor should conduct an organizational risk analysis and implement a risk management plan that addresses remote work. Doing so is even more important if, in recent years, you’ve seen a substantial increase in the number of remote workers. Your risk management plan should address the three prongs of the HIPAA Security Rule. These are:

1. Physical safeguards. Although the Security Rule applies to ePHI, physical safeguards are still important. Employers should track the location of each computer accessing ePHI. Lost or stolen computers may result in unauthorized disclosure of large amounts of ePHI, so making sure employees keep them in a secure room is critical.

In addition, employees need to report loss or theft immediately. Devices should never be left unattended in a vehicle or public space. Employees may be tempted to write down passwords and keep them near their computers. However, this practice is as unacceptable when working remotely as it is when working on-site.

 2. Technical safeguards.  Controlling access is key. This includes:

  • Restricting access to the minimum-necessary ePHI for each employee’s job function,
  • Requiring unique user IDs, passwords and multifactor authentication,
  • Implementing automatic log off or lock screen, and
  • Using robust encryption tools.

Advise employees to avoid downloading and storing ePHI on their computers. An individual machine often has weaker protection than a network — cloud storage may be more secure. Warn them against using portable storage media, such as thumb drives, from unknown or unauthorized sources. These items may install malware onto an employee’s computer.

3. Administrative safeguards.  Implement procedures to supervise remote employees. Routinely monitor logins and system activity to identify potential security incidents, such as transfers or removal of large amounts of data. For new employees, or those new to remote work, mandate training on your organization’s policies and procedures.

Even with heightened awareness and safeguards, the nature of remote work increases the possibility of unauthorized use or disclosure of ePHI. Because the breach notification rules continue to apply, and you could incur HIPAA penalties if breach notification is inadequate or untimely, train employees to recognize and promptly report possible breaches.

Top Of Mind

Regular reminders and occasional retraining are good ways to keep HIPAA compliance top of mind for employees involved in plan administration, whether they work remotely or on-site. For help identifying and managing the costs and financial risks of your health care plan, contact us.

Related Articles

Talk with the pros

Our CPAs and advisors are a great resource if you’re ready to learn even more.