This piece was coauthored with Thomas Hiney.
The modern workplace is in the midst of a massive transformation. An estimated forty-four percent of employees are currently working from home, and a recent survey reported that employers expect the number of full-time workers who remain at home permanently to triple that of pre-pandemic figures.
The implications of this shift will not only impact productivity and company culture, but touch policies and operations across finance, HR, IT and countless other business functions. The stakes are arguably even higher in the healthcare industry, which, in addition to contending with many of the same challenges of other industries, must also consider how a remote workforce impacts HIPAA compliance.
In the survey mentioned above, respondents were spread somewhat evenly across industries, with 15% from the healthcare sector. Only two out of every ten respondents said they have provided adequate tools and resources to support employees working remotely long term. This has the potential to create an array of challenges to fulfilling HIPAA requirements.
Under HIPAA, any covered entity or business associate that collects, processes or stores protected health information is required to implement security and privacy controls to protect its confidentiality, integrity and availability, or CIA.
The good news is that the law is not overly prescriptive in how companies approach privacy and security, so long as the end result of maintaining CIA is achieved. This allows for flexibility in how an organization approaches compliance and determines the specific policies and process that fit its unique needs.
But this flexibility must not be confused with leniency. HIPAA compliance is a serious, enforceable matter, and must be properly addressed in the context of the workplace challenges and changes that have emerged amid the pandemic.
Data privacy in a remote world
Work-from-home conditions impact HIPAA and privacy compliance practices in a number of ways. The U.S. Department of Health and Human Services reported that more than 300 breaches of PHI have occurred so far this year, compromising the personal data of 10.8 million individuals.
This underscores the importance of health care organizations addressing the numerous gaps through which PHI may be exposed. These include:
- Paper. Many aspects of health care business processes are still paper-based, such as billing/coding and revenue cycle management. This means employees are printing documents containing sensitive financial information and/or PHI at home, where hard copy documents may be viewed by other members of the household. Such exposure, however innocent, would constitute a HIPAA violation.
- Access. Healthcare IT departments are facing tremendous burden to pivot network infrastructure so it allows employees to continue working and have secure access to the systems and documents they need. Remote access controls must balance employee productivity with requirements to ensure privacy of patient information. Strains on remote systems may also lead to poor usability, which increases the risk of employees taking shortcuts and using unsecure channels to share information.
- Disposal. Maintaining compliance with HIPAA requirements for document retention and disposal is a fairly straightforward process when employees are in the office. Vetted disposal vendors are often contracted to perform daily or at least weekly sweeps of secure receptacles. Checks and systems are in place to ensure PHI records are stored securely, and not retained longer than is allowed by law. This becomes a very foggy issue when employees are working remotely, either with physical documents or electronic copies stored on personal devices.
- Security. The increase in data breaches this year has proven what security professionals already knew: data is vulnerable. The concern and risk only increase when employees work from home. Are employees accessing company systems via secure networks? Are employees still following security best practices? What additional strain is being put on a company’s IT and infrastructure? Has there been network degradation due to increased remote employees, necessitating the IT department to make exceptions to policy? These are all important security considerations.
- Office reopenings. As companies reopen, many are implementing modified work schedules that require employees to be out of the office for extended periods of time. This back-and-forth has the potential to disrupt workflows that uphold privacy controls, such as prompting an increased use of USB or cloud-based sites for storing and moving documents. When this happens at scale, it becomes very difficult for the compliance team to sufficiently track and manage every piece of PHI.
- Vendor management. Similar to the challenges posed to a company, a company’s vendors are facing the same challenges with an increasingly remote workforce. If these vendors are handling PHI on the company’s behalf, performing more regular vendor assessments are necessary.
- Compliance. No matter the size of a company, maintaining a robust privacy compliance program is essential to ensure proper governance and decision-making when considering some of the above issues. The new normal of remote work may create a need for exceptions to existing policy or new policies altogether. As exceptions to company policy are made, or new policies are made, how is the company tracking and ensuring adherence?
A new normal for HIPAA compliance
Legal and compliance teams subject to HIPAA requirements must partner with key stakeholders, including their IT departments, to begin understanding the full scope of challenges their organization is facing as a result of employees working from home.
An assessment, conducted either by internal teams or an outside expert, is an important step in understanding the scope of PHI for which the organization is responsible, and which business functions and employees have access to regulated data.
In any instances where the organization or certain business units must deviate from standard operating procedures for HIPAA, teams must document the reasons why and establish secondary controls to ensure personal data is not compromised as a result of new processes. Close monitoring of these activities and the ways in which employees move data must be maintained to ensure unapproved shortcuts are not being taken.
HIPAA has been around a long time, and most healthcare organizations have been comfortably settled in their compliance processes for years. But the landscape has changed significantly this year with the shift to remote work, alongside the emergence of new privacy regulations and a number of new systems in which regulated data is generated, shared and retained.
It’s important to remember that all of these changes have the potential to impact HIPAA compliance. Organizations need to continue to prioritize HIPAA and should consider the pandemic a forcing function to reassess and refresh the policies of years past to ensure they meet the demands of today’s new normal.
Louise Rains-Gomez is a managing director in FTI Consulting's Technology segment, focused on information governance and data management challenges.
Thomas Hiney is a director in FTI Consulting's Technology segment, who focuses on privacy program management and optimization, HIPAA compliance and more.