Practices have adapted to COVID-19 in many ways, including doctors or some staff working from home. Patient data now exists where it hadn’t been found before, and is being transported between locations as never before. Are you taking reasonable steps to protect patient data in this new environment?
Concern about meeting HIPAA requirements would have slowed adoption of new work configurations, even as the need for social distancing grew rapidly. To remove this barrier and encourage doctors and practices to rapidly try work from home and telehealth, the Office for Civil Rights (OCR), which is charged with enforcing HIPAA, temporarily reduced enforcement activities in certain areas. This will not last.
At its core, HIPAA compliance is based on taking reasonable efforts to prevent exposure of protected patient information. When we look back, what was considered reasonable while every practice was scrambling to adapt is likely to be very different from what will be considered reasonable once the period of scrambling is past. Enforcement will be coming back, and unless you already had policies governing work from home, it's time to put them in place.
Here are some DOs and DON’Ts, specific to working from home:
• DON’T use the computer in an accessible place in the home where others may see your screen.
• DON’T print documents unless you can immediately secure them from unauthorized viewers.
• DON’T access medical or patient data from computers your family shares, which may already be compromised.
• DO use a business system, IT department, or IT consultant to inspect your home computer before use.
• DO use a secure connection to ensure end-to-end encryption of data in transit. This can be a VPN to the office, or a VPN from home to a filtering company that will verify web connection links for safety.
• DON’T throw away documents with patient or sensitive data. Shred them.
• DON’T have phone calls discussing patient information where others can hear the confidential information.
• DO log off if you walk away from the computer, even for a minute – which may turn into 10-20!
• DON’T physically transport data between home and office on an unencrypted computer or flash drive.
• DO make sure your WiFi is password protected, and that all the computers in your network have strong, up-to-date anti-virus.
While not a comprehensive list, this is a good start. In compliance, more is better, but if you cannot do everything, don’t make the mistake of doing nothing. Do what you can, TRAIN your people in these new best practices, and DOCUMENT what you are doing and that you are training.