HIPAA and Working at Home in the Age of the Coronavirus: HIPAA & HITECH Act Blog by Jonathan P. Tomes

Jon Tomes

I got this question from an attendee of one of my recent HIPAA webinars:

“We are a medical billing company in the State of [redacted]. … [W]e are in a “stay at home” order with 100% work force reduction which basically forces us to either close completely or allow our employees to work from home. I have medical billers/collectors and would have to set each of them up remotely to log into our office through a secured VPN. Do you know if HIPAA has laxed or eased the rules and regulations regarding HIPAA compliance since these mandates have been put into effect? This is all happening so fast, in one breath the State wants all employees to work from home, yet we as business owners need to worry about HIPAA compliance/breaches with our employees. I am nervous about employees bringing paperwork home with patient names/social security numbers. I am torn as to whether we should allow this to be done or not. Any guidance or recommendations in regards to this would be greatly appreciated.”

My answer was as follows:

“There is some lessening of HIPAA requirements, but none that apply directly to this business. For them, see my blog at https://www.veteranspress.com/hipaa and-https://www.veteranspress.com/hipaa-and-coronavirus-2 . A recent U.S. Department of Health and Human Services (“HHS”) bulletin stressed that, even in an emergency situation, covered entities must continue to implement reasonable and appropriate safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must continue to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information (“EPHI”).

“If the business conducts a risk analysis of working at home and finds that the VPN, log-in, security, etc., constitute reasonable and appropriate security measures, then they can work at home. I attach my sample work-at-home policy to revise for their situation and adoption.”

It then occurred to me that maybe I could help other small health care businesses by providing this information and attaching my sample work-at-home policy, which I had initially developed shortly after the Privacy Rule had come out. If Massachusetts General Hospital had adopted it, it might well have avoided a $1 million settlement for a HIPAA violation consisting of taking paper records home and losing them on public transportation.

Normally, to get this policy, one either has to buy my Compliance Guide to HIPAA and the DHHS Regulations with its disk of sample policies and other documents or has to sign up to be a premium member, who can then download policies from our website. Remember that it is a sample, a template, and you will probably need to modify it for your situation. For example, you might delete the part referring to paper records if you operate only electronically (in which case, you might add language prohibiting printing out and taking paper records home).

To sweeten the pot even more, to try to help during this crisis, if you adopt your version of the sample policy and email it to me at jon@veteranspress.com, I will review it at no cost. Hope this helps! Jon

Work-at-home Policy

 Introduction

[Name of organization] adopted this Work-at-home Policy to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as modified by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (hereinafter HIPAA); and the Department of Health and Human Services (“DHHS”) security and privacy regulations, as well as our duty to protect the confidentiality, integrity, and availability of confidential medical information as required by law, professional ethics, and accreditation requirements. This policy applies to all workforce members of [name of organization] who perform work at home that involves protected health information (“PHI”) under HIPAA—that is, individually identifiable health information. Familiarity with this policy and demonstrated competence in the requirements of the policy are an important part of the duties of all [name of organization] workforce members who work at home with PHI.

Assumptions

 This Work-at-home Policy is based on the following assumptions:

  • Information used in working at home may contain confidential, individually identifiable health information.
  • Some such information may be particularly sensitive, such as information regarding AIDS/HIV, alcohol and drug abuse, mental health, and other sexually transmitted and communicable diseases.
  • Breach of confidentiality of individually identifiable health information may harm patients and others and risk legal liability for [name of organization] and its officers and employees.
  • [Name of organization] is responsible for protecting PHI everywhere, not just on its property.
  • Working at home may be more efficient than working on [name of organization] property and benefit [name of organization] by improving employee morale, reducing absenteeism, and the like.
  • Working at home may benefit members of the workforce through eliminating commuting, providing more control over the work environment, saving money, and assisting with family obligations.
  • Working at home may involve other legal issues, such as workers’ compensation liability.

Policy

  • [Name of organization] encourages working at home to increase productivity and provide good working conditions and other benefits for its workforce.
  • Working at home with PHI, however, requires [name of organization] to ensure that the PHI is adequately safeguarded.

Eligibility Criteria

  • Working at home is not a universal workforce member benefit. It is not available for every job or every workforce member in every [name of organization] department. Only eligible workforce members may apply for participation. Eligibility, however, does not determine selection. [Name of organization] has the sole discretion to select workforce members to work at home.
  • Workforce members satisfying the following criteria may apply for participation in the program:
  • Previous clearance for access to PHI.
  • No pending personnel-related disciplinary action.
  • Portable job duties.
  • Availability of a worksite suitable for performing duties.
  • Not in probationary status.
  • [Others?]
  • [Name of organization] reserves the right to waive any of the above eligibility criteria if determined to be in the best interest of [name of organization].

Selection Criteria

  • Selection of program participants is within the sole discretion of [name of organization]. The criteria used to select participants include, but are not limited to, the following:
  • Workforce member meets eligibility criteria.
  • Supervisor agreement and approval.
  • Nature of work to be accomplished.
  • Job duties with clearly defined performance requirements that are measurable and results oriented.
  • Willingness to participate in required training and permit auditing of work at home.
  • Achieves the business needs of [name of organization].
  • Ability of the workforce member to adapt to working at home.
  • Current and past performance reviews.
  • Availability of computers and other equipment.
  • Agreement to terms of the Work-at-home Agreement.
  • [Name of organization] reserves the right to waive any of the above criteria if determined to be in the best interest of [name of organization].

Position Suitability

 Some job positions are more suitable for working at home than others.

  • Jobs that do not require face to face interaction, that require minimal supervision, that involve the extensive use of computers and telephones, and that have clearly defined and easily measurable tasks are more appropriate for working at home.
  • [Name of organization] will examine the distinct activities, functions, and tasks of a workforce member’s position to determine whether the position is appropriate for working at home.

Performance Evaluations

  • The workforce member working at home is responsible for maintaining availability, appropriate levels of production, and quality of work while working at home.
  • The supervisor will use [name of organization]’s performance management system to define the performance expectations of the workforce member.
  • Specific tasks, timelines, performance measures, and deliverables should be clearly identified before beginning the program.

Work Station Location

  • The work-at-home workforce member’s official work station is where any necessary computer, telephone, and/or other pieces of equipment are located at the home address.
  • The room must be lockable, and locking storage cabinets must be located therein for storage of [name of organization] PHI.

[Name of Organization] and Departmental Policies

Workforce members who work at home are subject to all [name of organization] rules, policies, and procedures applicable to those who work for [name of organization], including, but not limited to, time and attendance, leave, insurance, and other benefits, and HIPAA policies.

Liability

  • [Name of organization] shall not be liable for injury or property damage to third persons at the work-at-home site.
  • The workforce member agrees to indemnify and hold harmless [name of organization], its agents, and its workforce members from any and all claims, demands, judgments, liabilities, losses, damages, or expenses resulting or arising from any injury or damage to any person, corporation, or other entity caused directly or indirectly by the work-at-home workforce member’s acts, omissions, bad faith, willful misconduct, or negligence, excluding acts within the scope of the workforce member’s employment under [name of state or states that the organization operates in] law.

Work Environment

The workforce member shall designate a worksite at the workforce member’s home that allows performance of workforce member’s assigned work.

  • The workforce member is responsible for maintaining a safe, healthy, professional, and secure worksite.
  • [Name of organization] has the right to inspect the worksite upon notice as agreed in the Work-at-home Agreement.

Supplies, Equipment, and Telephone/Computer/Data Connection

  • The workforce member is responsible for providing equipment, supplies, and telephone or other data connections to perform the workforce member’s job duties.
  • [Name of organization] will provide access in order for the workforce member to perform the workforce member’s job duties.
  • [Name of organization] will maintain and repair only equipment provided to the workforce member by [name of organization]. The workforce member shall promptly report equipment malfunction to the office specified in the Work-at-home Agreement.
  • If a workforce member provides equipment, [name of organization] will be responsible for the installation, testing, and maintenance of only that portion of the equipment that directly affects the workforce member’s ability to connect with [name of organization].
  • Equipment, supplies, telephone services, software, hardware, and so forth provided by [name of organization] shall be used only for official [name of organization] business. Personal use is prohibited.
  • Equipment, supplies, telephone services, software, hardware, and so forth provided by [name of organization] remain [name of organization] property and must be returned in good working condition at the termination of the Work-at-home Agreement or when requested.

Security

  • Materials, documents, and so forth transported to or from the official work station are the workforce member’s responsibility.
  • The workforce member shall protect [name of organization] records and documents from unauthorized access, use, or disclosure.
  • Equipment, media, and PHI will be transported to and from the home in a secure manner consistent with [name of organization]’s Movement of PHI Policy.
  • Paper records will be transferred between [name of organization] and the workforce member’s home in a fire and waterproof locked container and will be locked up while not being used in the home.

Enforcement

All officers, agents, employees, and other workforce members of [name of organization] must adhere to this policy, and all supervisors are responsible for enforcing this policy. [Name of organization] will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with [name of organization]’s medical information sanction policy and personnel rules and regulations.

 

______________________________                        ______________________________

Signature of User                                                        Date

 

______________________________                        ______________________________

Title of User                                                                Printed Name of User

 

______________________________                        ______________________________

Signature of Witness                                                   Printed Name of Witness

 

 

Portions of this Policy were adapted from considerations specified in The American Society for Testing and Materials, E 1902-97 Standard Guide for Management of the Confidentiality and Security of Dictation, Transcription, and Transcribed Health Records (1997).

 

seo by: k.c. seo