COVID-19 has suddenly forced millions of Americans to work from home where they can safely self-distance and avoid the uber-contagious virus. Working from home may help reduce the virus’ transmission and flatten the curve, but doing so can be a big security risk.
Employees should know that the same federal and state laws they are required to follow at work also apply when they are working from home. Those who work in the healthcare industry should be aware that the Health Insurance Portability and Accountability Act’s (HIPAA) rules and guidelines cannot be set aside or ignored in the case of a national health emergency.
When employees log in to company servers from home, they may put their company’s security at risk by way of weak passwords on personal computers, unsecured home WiFi routers or passing along a virus. Experts warn that malware can easily jump from an employee’s compromised PC to a connected office network.
Another worry that is easy to overlook, but just as critical, is abiding by federal and state laws governing information, especially patients’ protected health information (PHI).
In February, the Office for Civil Rights (OCR) released a bulletin explaining how the HIPAA Privacy Rule applies in light of the coronavirus pandemic and other public health emergencies. According to the OCR, basic HIPAA rules still apply even in the midst of a public health emergency.
HIPAA Rules Still Apply
Passed in 1996, HIPAA mandates industry-wide standards for using healthcare information on electronic billing and other processes, and requires the protection and confidential handling of patient information.
The HIPAA Privacy Rule sets national standards to protect individuals’ medical records and other PHI as well as sets boundaries on the use and release of health records. The HIPAA Security Rule requires that “covered entities” and “business associates” apply administrative, physical and technical protections to safeguard electronically stored PHI.
The HIPAA Privacy Rule applies to disclosures made by employees, volunteers and other members of a covered entity’s or business associate’s workforce. Covered entities are defined by HIPAA as 1) health plans; 2) healthcare clearinghouses; and 3) healthcare providers who electronically transmit any health information related to transactions governed by HHS standards, including submitting claims to Medicare and commercial payers.
Business associates are individuals or entities (other than employees of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. A business associate of a covered entity (including a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority on behalf of a covered entity or another business associate, to the extent authorized by its business associate agreement.
The U.S. Department of Health and Human Services (HHS) requires covered entities and business associates to follow HIPAA rules whether they are working at the office, at their home or even at a patient’s home. Employees working from home may inadvertently put patients’ PHI at risk, leading to possible HIPAA rule violations. HHS has advised covered entities to continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.
Safeguarding Patient Information
According to the National Law Review, healthcare workers on the frontline are still required to uphold the “minimum necessary” standard when treating patients with the coronavirus. For example, a covered entity must make a reasonable effort to disclose only the minimum necessary PHI in all circumstances. Keep in mind that a public health emergency does not give anyone license to freely disclose patient information. The HIPAA Privacy Rule does allow covered entities to disclose PHI without a patient’s consent in order to treat that patient. Employers, however, cannot disclose the name of any infected employee(s) to their co-workers, or any information regarding their medical condition.
If a public health authority asks a covered entity to disclose information for infectious disease reporting purposes, the covered entity can assume that the request meets the minimum necessary standard required by HIPAA. But disclosing PHI to the media or other entities not directly involved in a patient’s care is prohibited except under very specific circumstances. According to the OCR’s bulletin, PHI may be disclosed to the following categories of individuals and entities:
- Public health authorities;
- Foreign government authorities (at the direction of public health authorities);
- At-risk individuals or groups;
- Family, friends, police, disaster relief organizations, etc., who are involved in the patient’s care;
- Anyone, if it would lessen or prevent a serious and imminent threat to the health and safety of the public at large or an individual.
Tips & Tactics to Protect PHI at Home
With so many employees now working from home, security officers might not be sleeping well at night. HIPAA rules apply at home as well as at the office, and safeguarding PHI while working at home presents some different challenges.
Paul Ellis, eSolutions’ Director of Security, said if your monitor is visible from a window or family members can see PHI on your screen as they walk by, you are not in compliance with HIPAA rules. Ellis said things as simple as a family member glancing at PHI over your shoulder or a child reading an email you left on your screen before you stepped away are HIPAA violations. You should still lock your computer when you leave your desk at home just like you would do at work. Also be cautious not to share too much when you are on a video call, either via your camera or by sharing your screen, Ellis said.
Many of the technological safeguards that exist in the office might not exist at your home, so Ellis said employees should be “extra mindful” of their actions. For example, your hard drive should be encrypted already, but ask yourself whether you really need to download that PHI file to your computer. And if you don’t have a secure way to dispose of PHI documents via a crosscut shredder, don’t print them at all. “The biggest thing is awareness,” he added. “Be aware of who has access to your computer and who can see your screen.”