In response to the COVID-19 outbreak, many global and domestic workforces are rapidly shifting to working from home to keep the business functional during the public health emergency. Working from home, however, poses new and unique challenges and risks that organizations may not have previously considered since the shift to teleworking occurred so rapidly.
Here are our top 3 privacy and security concerns HIPAA covered entities should consider for their newly remote workforce.
Access to Protected Health Information (PHI) by Unauthorized Individuals
Your employees are working from home, but so are their spouses, significant others, and other family members. In the on-site workplace, employers are able to exercise greater control over access to PHI, both physically and electronically. In a work-from-home environment, however, spouses, significant others, and other family members who might have access to or view plan participants’ PHI pose an additional risk that was limited in the traditional on-site work environment.
Individuals that have access to PHI while working from home should treat their home office like a traditional on-site worksite, and make sure they have the appropriate physical and technical safeguards in place to protect participants’ PHI. Now is a good time to provide employees with a HIPAA refresher to catch new breach sources and remind them of best practices for safeguarding PHI, even at home.
Bring Your Own Device (BYOD) May Lessen Technical Safeguards
Millions of Americans came home from work one day and woke up the next day to learn they would not be returning to the office until further notice. Businesses have been forced to pivot quickly to ensure business continuity in response to social distancing, quarantines and other efforts to slow the spread of the coronavirus. This quick pivot has exposed some vulnerabilities, such as employees who do not have company devices/laptops they can take home to work, or a lack of technical controls designed to ensure data security outside of the office.
Companies now have thousands of employees who are accessing sensitive data via the employees’ personal devices, or through unsecured network connections. When employees use their own devices and unsecured networks, the risk of a HIPAA breach increases substantially because the employer has no assurance that the data is encrypted at rest or in transit. Additionally, personal devices may be more susceptible to malware and other attacks that could compromise the company’s data.
A Business Associate Agreement is Required for Certain Vendors
To better enable employees to collaborate remotely, employers are utilizing a myriad of software solutions to maintain connectivity, such as Zoom, Slack, Microsoft Teams, Google Drive, JoinMe or Skype. On-site, the usage of these platforms may have been limited, but now all forms of work are occurring on these platforms in ways that may not have been previously anticipated, such as the handling of PHI.
Any vendor that has access to the covered entity’s PHI is considered a business associate with which the covered entity must have a signed business associate agreement (BAA). An employer should confirm whether it currently has a BAA in place with these types of vendors and obtain one if it does not. Many of the larger vendors make their BAA available on their website for your convenience.
While these are all concerns to be mindful of at any time with remote workers, it is especially important right now, as bad actors often like to take advantage of chaos, like that caused by COVID-19, with phishing scams and other data theft schemes. The Department of Health and Human Services (HHS) recently issued a COVID-19 Fraud Alert warning the public about fraud schemes related to the coronavirus. Additionally, while HHS issued enforcement discretion relief for certain covered entities, like healthcare providers in some instances, that relief has not yet been extended to other covered entities, such as health plans and healthcare clearinghouses.