This piece was co-authored with Thomas Hiney.
The fashionable office is within the midst of an enormous transformation. An estimated forty-four % of staff are at the moment working from house, and a latest survey reported that employers count on the variety of full-time employees who stay at house completely to triple from pre-pandemic figures.
The implications of this shift is not going to solely impression productiveness and firm tradition, however contact insurance policies and operations throughout finance, HR, IT and numerous different enterprise capabilities. The stakes are arguably even greater within the healthcare trade, which as well as to contending with lots of the identical challenges of different industries, should additionally think about how a remote workforce impacts HIPAA compliance.
In the survey talked about above, respondents had been unfold considerably evenly throughout industries, with fifteen % from the healthcare sector. Only two out of each ten respondents mentioned they’ve offered enough instruments and sources to assist staff working remotely long run. This has the potential to create an array of challenges to fulfilling HIPAA necessities.
Under HIPAA, any lined entity or enterprise affiliate that collects, processes or shops protected well being data is required to implement safety and privateness controls to defend its confidentiality, integrity and availability, or CIA.
The excellent news is that the legislation will not be overly prescriptive in how firms method privateness and safety, as long as the top results of sustaining CIA is achieved. This permits for flexibility in how a company approaches compliance and determines the particular insurance policies and course of that match its distinctive wants.
But this flexibility should not be confused with leniency. HIPAA compliance is a critical, enforceable matter, and have to be correctly addressed within the context of the office challenges and adjustments which have emerged amid the pandemic.
Data privateness in a remote world
Work from house circumstances impression HIPAA and privateness compliance practices in quite a lot of methods. The U.S. Department of Health and Human Services reported that greater than 300 breaches of PHI have occurred up to now this yr, compromising the private knowledge of 10.eight million people.
This underscores the significance of well being care organizations addressing the quite a few gaps by way of which PHI could also be uncovered. These embody:
- Paper. Many features of well being care enterprise processes are nonetheless paper-based, reminiscent of billing/coding and income cycle administration. This means staff are printing paperwork containing delicate monetary data and/or PHI at house, the place laborious copy paperwork could also be seen by different members of the family. Such publicity, nonetheless harmless, would represent a HIPAA violation.
- Access. Healthcare IT departments are dealing with great burden to pivot community infrastructure so it permits staff to proceed working and have safe entry to the programs and paperwork they want. Remote entry controls should steadiness worker productiveness with necessities to guarantee privateness of affected person data. Strains on remote programs may additionally lead to poor usability, which will increase the chance of staff taking shortcuts and utilizing unsecure channels to share data.
- Disposal. Maintaining compliance with HIPAA necessities for doc retention and disposal is a reasonably simple course of when staff are within the workplace. Vetted disposal distributors are sometimes contracted to carry out every day or no less than weekly sweeps of safe receptacles. Checks and programs are in place to guarantee PHI data are saved securely, and not retained longer than is allowed by legislation. This turns into a really foggy situation when staff are working remotely, both with bodily paperwork or digital copies saved on private gadgets.
- Security. The improve in knowledge breaches this yr has confirmed what safety professionals already knew: knowledge is weak. The concern and threat solely improve when staff make money working from home. Are staff accessing firm programs through safe networks? Are staff nonetheless following safety greatest practices? What further pressure is being placed on an organization’s IT and infrastructure? Has there been community degradation due to elevated remote staff, necessitating the IT division to make exceptions to coverage? These are all vital safety concerns.
- Office re-openings. As firms re-open, many are implementing modified work schedules that require staff to be out of the workplace for prolonged durations of time. This back-and-forth has the potential to disrupt workflows that uphold privateness controls, reminiscent of prompting an elevated use of USB or cloud-based websites for storing and shifting paperwork. When this occurs at scale, it turns into very tough for the compliance workforce to sufficiently monitor and handle each piece of PHI.
- Vendor Management. Similar to the challenges posed to an organization, an organization’s distributors are dealing with the identical challenges with an more and more remote workforce. If these distributors are dealing with PHI on the corporate’s behalf, performing extra common vendor assessments are vital.
- Compliance. No matter the dimensions of an organization, sustaining a sturdy privateness compliance program is crucial to guarantee correct governance and determination making when contemplating a number of the above points. The new regular of remote work might create a necessity for exceptions to current coverage or new insurance policies altogether. As exceptions to firm coverage are made, or new insurance policies are made, how is the corporate monitoring and making certain adherence?
A brand new regular for HIPAA compliance
Legal and compliance groups topic to HIPAA necessities should companion with key stakeholders together with their IT departments to start understanding the total scope of challenges their group is dealing with on account of staff working from house.
An evaluation, carried out both by inner groups or an out of doors professional, is a vital step in understanding the scope of PHI for which the group is accountable, and which enterprise capabilities and staff have entry to regulated knowledge.
In any situations the place the group or sure enterprise models should deviate from customary working procedures for HIPAA, groups should doc the explanation why and set up secondary controls to guarantee private knowledge will not be compromised on account of new processes. Close monitoring of those actions and the methods by which staff transfer knowledge have to be maintained to guarantee unapproved shortcuts aren’t being taken.
HIPAA has been round a very long time, and most well being care organizations have been comfortably settled of their compliance processes for years. But the panorama has modified considerably this yr, with the shift to remote work, alongside the emergence of recent privateness laws and quite a lot of new programs by which regulated knowledge is generated, shared and retained.
It’s vital to keep in mind that all of those adjustments have the potential to impression HIPAA compliance. Organizations want to proceed to prioritize HIPAA and ought to think about the pandemic a forcing operate to reassess and refresh the insurance policies of years previous to guarantee they meet the calls for of in the present day’s new regular.
Louise Rains-Gomez is a managing director in FTI Consulting’s Technology phase, targeted on data governance and knowledge administration challenges.
Thomas Hiney is a director in FTI Consulting’s Technology phase, who focuses on privateness program administration and optimization, HIPAA compliance and extra.