How can you assure remote employees’ HIPAA compliance?


Remember the days of “Never gonna happen” when people wanted to work from home, even occasionally? All the compliance focus was on what was happening at the office or during business travel. Then came the pandemic, and the organizations that would have fallen on their swords to prohibit all remote work for coders or customer service reps (for example) hastened to permanently station those same team members at home, and in the process get out from under the cost of the valuable office space leased to house them. Enter the age of remote employees’ HIPAA compliance challenges.

Since then it has been a series of “Ack!” moments as everyone comes to understand what remote HIPAA compliance truly means when dealing with employees in a home office environment. Things to consider include insecure physical environments, technical security that may be outdated or weak, data transport and disposal challenges, insecure video platforms, and not least, how to balance work and family demands when the family sees the employee as being “at home” rather than “at work.” Also, if people use one workstation for both work and personal use instead of two separate ones, there is a higher risk of exposing the organization to phishing, malware and ransomware.

Organizations can – and should – take a variety of steps to address these challenges and avoid violating HIPAA compliance.

Assess the employee’s remote workspace

  • Is the “office space” secure?
  • Is there a door that locks?
  • Is it out of the way of household traffic?

Where is the workstation?

  • Is it out of view of family members passing by?
  • Is there somewhere to lock it up if not in use?
  • Is there a shredder?

Essentials for Remote HIPAA Compliance

We’ll get you started with the essentials in this downloadable Remote Office Security Checklist. Our recommendation is that employees complete it as part of the initial approval process to work remotely. Make it an annual requirement to complete it – notice the signature line – so employees can attest to the accuracy of their answers. You can even make it part of an annual remote HIPAA compliance awareness training. Further:

  • Review your mobile device use agreement and your Acceptable Use policy to be sure that they reflect remote work.
  • Train employees on the rules – don’t assume they know what is and isn’t acceptable remote work behavior.
  • Update your policies to reflect remote environments, covering requirements relating to physical security, technical access, and videoconference security steps.

You’ll need to ensure that the security risk analysis HIPAA requires of your organization assesses the security of remote environments. That also means you need to update the risk management program to reflect any newly identified risks and the associated risk mitigation.

Remember to train to the environment and include:

  • Social engineering
  • Home office etiquette
  • Proper paper/electronic destruction
  • Updating anti-malware
  • Periodic security reminders

When it comes to the actual technology your team(s) use for remote work, be sure that you harden the workstations used for remote work. Absolutely require that either a VPN or another secure connection is used to connect to the organization. (An aside: if you’ve been allowing your employees to use devices that are not company-issued and company-configured to connect to the network, realize that this significantly increases risk severity.) Other technical specifics include:

  • Continue your usual network security controls
  • Make sure that anti-malware and firewalls are installed
  • Install security patches promptly
  • Encrypt end-to-end
  • Secure your video platforms and online storage
  • Review your audit logs!

And finally, please be sure that your backup processes make sense for the remote contingent, and test that they work effectively. You want to be 100% sure that your organization can recover necessary information from a backup.

Julia Huddleston, Principal Consultant, holds the designation of Certified Information Privacy Manager, Certified Information Privacy Professional, and Certified (HITRUST) CSF Practitioner. Contact her or Kevin Haralson, MBA, CCSFP, CHP and Senior Compliance Analyst, for a full compliance program review, security risk analysis, or to prep for certification via the HITRUST or SOC process.