[ Tuesday, March 15, 2005 ]
The dangers of telecommuting:
Medical Newswire's Hospital Compliance Wire email newsletter offers some advice on how to deal with employees working on PHI from home. Telecommuting is a fact of life these days, more in some industries than others. In the tech industry, there is a huge coterie of folks who rarely set foot in an office, but are simply connected between their home computer and their office system. Many consultants, who spend most of their time officing with their clients, don't even have a permanent office in their company's headquarters. In addition to the "traditional" telecommuter, many professionals and others take work home with them, tapping into the office computer via their home computer and the internet (or even a dedicated high speed or dial-up line) so that they can finish what they need to get done while still catching a kid's soccer game or tucking them into bed. In most instances and industries, even where confidential information or potential trade secrets are involved, there's not a whole lot of worries about operating in this fashion. However, in the healthcare field, if PHI is being carried to, accessed from, or processed at home, HIPAA must be addressed, from both a Privacy Rule and Security Rule perspective.
The most important things you can do are to make sure your policies and procedures take into account how PHI may be used in an out-of-the-office situation, and train your staff who will be using PHI out of the office on what they need to do to make sure privacy and security are ensured. Classifications of employees will come into play: the home office worker (pure telecommuter) will need to be treated differently than the office worker who takes home PHI; and doctors taking home PHI will probably require different treatment than clerical workers taking home PHI. Make sure your policies and procedures reflect such role-based differences.
For employees who will only rarely need to deal with PHI at home, make sure there's a special procedure or instruction for them, so that they'll recognize that they will need to be particularly careful with the PHI they're carrying. For employees who always deal with PHI at home, make sure they know are are trained in your policies and procedures, and make sure they know how those policies and procedures should be implemented in their homes.
You'll need policies specifically addressing when it's OK to take PHI out of the office, and you'll want to be able to track the PHI's comings and goings. Having employees sign out laptops if they're going to be dealing with PHI will give them the heightened sense of HIPAA as well as giving you an ability to track who took what PHI and when.
Which brings up another point: segregate the home computing environment from the office/PHI computing environment however you can. If possible, prevent employees from dealing with PHI on their home computers, or at least make sure your policies and procedures deal with the steps necessary to make sure the PHI does not get loaded on the home PC hard drive or that it gets scrubbed off after the employee uses it. Make sure your employees know that family members should not be in the room or able to see the computer while the employee is dealing with PHI. If the employee leaves the computer, the PHI must be made inaccessable to a family member who might sit down at the computer (this is not just a confidentiality/privacy issue, but also a data integrity issue, since the family member might inadvertently or intentionally change the PHI).
It's a good idea to make sure that any home use will be in a similar environment to the office use. Part of this is atmospheric, to keep the "culture of privacy" that prevails in the office foremost in the mind of the employee. The employee should be in the same frame of mind regarding PHI as he or she would be in the office. Part of this is physical: if the employee usually deals with PHI in a secure office, where only co-workers with rights to access the same PHI are present, then the worker should do his or her home work in a closed room with no other family members present. And part of this is technical: if your office computer is firewalled in a particular way, or operates on a particular encryption standard, home use should be equally protected. If you use password protections and automatic logoffs at the office, the same or higher level of protection should be employed at home.
Finally, you should make sure your employees are cautious and diligent in the way they deal with media that hold PHI. Disks or cds should be carefully handled. Locking briefcases are a good idea, not so much for the actual protection they provide as for the way they keep privacy and security in the forefront of the mind of the employees carrying them. Employees should carry hard copies of PHI back to the office; all the computer protection in the world can be easily undone by the simple act of throwing a piece of paper in a trash can. If you shred at work, the employee should either shred at home or bring the documents back to the office after use for shredding.
Some covered entities will determine that nobody should be accessing PHI at home, and will forbid it. Others won't be able to take such a draconian step, and will need some flexibility. That's OK, but you need to make sure you don't let convenience of operation open a door to HIPAA violations.
Jeff [10:09 AM]
Blogger: HIPAA Blog - Edit your Template