Best practices for HIPAA compliance when working form home 

Now that you have employees working from home it is more important than ever to make sure to comply with HIPAA regulations. 

Steps your company should take:

  • Create remote work policies. These should be documented in your Security Policies and Procedures.
  • Keep track of who is working remotely and regulate their access levels. These should be designated according to the employee’s role.
  • Keep logs of remote access activity. These should be reviewed periodically. IT should disable any accounts that are inactive for more than 30 days.
  • IT should configure all devices before allowing them access to the network. Specify what brands or versions of personal devices that are allowed to access company data.
  • Have each employee sign a Confidentiality Agreement.
  • Create a BYOD (Bring Your Own Device) Agreement. This should have clear usage rules regarding when, where, and which devices may be used.
  • Have a Media Sanitization Policy that indicates how employees should dispose of PHI. This may include rules regarding how to shred or destroy hard copy PHI and how to delete electronic PHI.
  • Train staff on how to recognize social engineering attacks. This may come in the form of a phishing scam or other malware discharged by a hacker.
  • Ensure that your systems are secure. Your VPN and other remote access systems should be fully patched.
  • Enhance system monitoring. Configure your network so that you receive early detection or alerts for abnormal activity. It might be the result of hackers and/or malware.
  • Require multi-factor authentication on all staff members’ accounts that access PHI. 
  • Test the capacity of remote access solutions. If found to be necessary, increase the capacity.
  • Brief employees on IT support mechanisms. It’s better to be overprepared than underprepared. Instruct employees to double-check with IT before opening any suspicious messages or attachments.
  • Update or review your Disaster Recovery Plan. Your mindset should be: not if, but when. Be prepared to handle breaches and other incidents that may arise from changes in the locations and circumstances in which employees will be working.
  • In cases of disaster, redundancy is key. Cross-train staff and IT personnel. Have multiple backups of data, in multiple locations. Always overprepare, so that nothing takes you by surprise.

What can you do to safeguard your organization from HIPAA violations?

Use the following list as a guide for your Security Policies and Procedures:

  • Make a list of remote employees.
  • Indicate the level of information to which they have access.

Describe Equipment, Software, and Hardware requirements:

  • Encrypt home wireless router traffic using WPA2-AES. This is a pretty standard configuration, and most routers these days come pre-configured.
  • Change default passwords for wireless routers to something difficult. This provides an extra layer of protection.
  • Make sure that all devices accessing your network are properly configured by IT. Devices must be encrypted, password protected, and installed with software firewalls and anti-virus software is installed.
  • Require that employees use a VPN when they access the company’s Intranet remotely.
  • All PHI must be encrypted before being transmitted. This can either be through the company’s Intranet or using the internal email encryption.
  • Encrypt and password protect any personal devices employees use to access PHI.
  • Have your IT department or vendor configure personal devices before allowing them access to the network. Specify what brands and versions of personal devices can access the company data.

Describe Security and Privacy requirements:

  • Employees should not allow any friends, family, etc. to use devices that contain PHI.
  • Have each employee sign a Confidentiality Agreement to assure the utmost privacy when handling PHI.
  • Create a Bring Your Own Device (BYOD) Agreement with clear usage rules.
  • Employees who store hard copy (paper) PHI in their home office need a lockable file cabinet or safe to store the information.
  • Employees need a shredder at their location for the destruction of paper PHI once it is no longer needed. The company needs to specify when it is ok to dispose of any paper records.
  • Employees must follow the organization’s Media Sanitization Policy for disposal of all PHI or devices storing PHI.
  • Make sure employees disconnect from the company network when they are done working. Usually, IT configuring timeouts take care of this.
  • Employees cannot copy any PHI to external media not approved by the company. This includes flash drives and hard drives. You may require all PHI to stay on the company network.
  • Keep logs of remote access activity, and review them periodically. IT should disable any accounts inactive for more than 30 days.
  • Mandate that any employees in violation of these procedures will be subject to the company’s Sanction Policy and/or civil and criminal penalties.