HIPAA Compliance in the Telecommuting Age

Since this is the Information Age, it should come as no surprise that more employees are working remotely, i.e., telecommuting. The flexibility to work from anywhere allows employees to work offsite, including from home, on public transportation, at an airport, in a coffee shop, etc. While such flexibility certainly has its advantages, it also has its disadvantages. One specific disadvantage for those in the health care industry is that the mishandling of personal health information (PHI) by telecommuters has drawn the attention of federal enforcement agencies.

It is easy to see why there are so many issues with telecommuters mishandling PHI, given that many telecommuters must be able to access patient information remotely to perform their duties. Companies have far more control over patient data if the data is maintained in a centralized mainframe environment rather than on a distributed basis. As such, health care organizations must consider whether telecommuters are downloading patient information from the employer’s network, whether employees are storing PHI on a personal computer or device, and what measures those employees are taking to properly protect that information.

The Health Insurance Portability and Accountability Act (HIPAA) includes measures for both the security and privacy of patient information. Covered entities are required to self-report data breaches to the Office for Civil Rights (OCR), and OCR is required to investigate all data breaches that expose the PHI of more than 500 patients. In most reported-breach cases where OCR takes action, the breaching entity enters into a Corrective Action Plan (CAP), which identifies a set of actions the entity must take to bring its data privacy and security practices up to standard.

That is not always the case, however, and OCR has levied some hefty financial penalties against a number of entities involving telecommuter breaches because those entities failed to properly oversee and manage their telecommuters’ access and protection of PHI.

In February 2016, OCR levied a $239,800 fine against respiratory care provider Lincare as the result of a breach of PHI. OCR’s investigation began after the agency received a complaint that a Lincare employee removed documents containing the PHI of 278 patients, left them exposed where an unauthorized person (her estranged husband) had access, and abandoned the information when she moved to another home. The judge noted that Lincare did not have adequate policies and procedures in place to safeguard patient information that was taken off site, despite the fact that employees working in patients’ homes routinely removed PHI from Lincare offices. OCR’s investigation also revealed an unwritten policy requiring certain employees to store PHI in their own vehicles for extended periods. In total, Lincare had four violations that sparked HIPAA enforcement: (1) no safeguards or policies addressing secure handling of offsite PHI; (2) an unwritten policy to store PHI in vehicles as part of its emergency procedure protocol; (3) an unreasonable response to the theft of PHI; and (4) no policy to monitor documents removed from offices.

In another case, OCR and the U.S. Department of Health and Human Services entered into a $750,000 settlement with Cancer Care Group, a radiation oncology practice, after unencrypted backup tapes containing the PHI of more than 50,000 patients were stolen from a telecommuting employee’s vehicle. OCR started investigating after Cancer Care notified it of a breach of unsecured electronic PHI (ePHI) following the theft of a laptop bag from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which held the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of current and former Cancer Care patients.

OCR determined that, prior to the breach, Cancer Care was in widespread non-compliance: it had not conducted an enterprise-wide risk analysis when the breach originally occurred, nor did it have a written policy regarding the removal of hardware and electronic media containing ePHI from its facilities, even though doing so was very common. In addition to paying $750,000, OCR required Cancer Care to enter into a CAP that included conducting a risk analysis and developing and implementing policies and procedures to prevent similar occurrences.

These decisions should give health care entities pause to check their policies for the handling of PHI offsite. Several lessons can be drawn from these decisions:

  • Establish clear and effective policies and training to address PHI that is removed offsite; gathered in the field, at facilities, or in residential-based offices; or accessed remotely.
  • Incorporate protecting PHI in the telecommuting policy.
  • Establish effective policies to track offsite PHI to ensure all PHI can be monitored and properly returned.
  • Ensure all PHI can be password protected, encrypted or otherwise segregated if the employee does not have a dedicated computer, so that others who have access to the computer cannot view PHI.
  • Ensure insurance covers, and allows, telecommuting.
  • Include off-premises access to PHI in the provider’s overall risk assessment and management.
  • Ensure security policies extend to an employee’s personal devices and expressly prohibit employees from downloading patient information to any personal computer, drive or device.
  • Mitigate risk by promptly modifying policies and procedures in response to HIPAA breaches and violations.
  • Have a HIPAA-compliant business continuity plan, and make sure it does not include employees being able to keep PHI in their vehicle.
  • Covered entities and business associates should anticipate issues with telecommuters and roll out appropriate rules before any PHI leaves the office.
  • Even if a covered entity already has PHI leaving its premises, it cannot ignore the issue; compliance is one of those areas where it is better late than never.

Originally published in Healthcare Michigan, January 2017.

About the Author:
Sara H. Jodka (Of Counsel, Columbus), at Dickinson Wright, dedicates her practice to working with employers to anticipate, identify, and resolve labor and employment, data privacy, and related compliance issues and litigation risks in today’s ever-evolving workplace. Sara devotes a significant part of her practice to proactively counseling employers on litigation prevention and overall compliance with state, federal, and administrative laws and regulations, which includes reviewing and revising employee handbooks and policies; counseling management regarding termination decisions (including large-scale layoffs/reductions in force); performing exempt status classification audits; and training employees on key employment policies and issues, including those related to leave, privacy, discrimination, harassment and retaliation, social media, the digital workplace and others. Sara may be reached at sjodka@dickinsonwright.com.