In recent days, many organizations have switched to remote work due to the pandemic. In healthcare, too, many providers are working from home and also relying on telehealth to monitor patients from a distance. However, working remotely has brought on the challenge of HIPAA compliance. The American Medical Association has emphasized that while certain HIPAA requirements related to telemedicine are not being enforced during the COVID-19 public health emergency, generally, HIPAA privacy, security, and breach notification requirements must continue to be followed. Among other things, this implies that providers should take extra precautions to ensure the confidentiality of patient data when staff are working from home and also outsource their EHR-related documentation tasks only to HIPAA-compliant medical transcription companies.
Having HIPAA compliant solutions means that every covered entity and business associate who accesses protected health information (PHI) must ensure that the necessary technical, physical and administrative safeguards are in place in compliance with the HIPAA Privacy Rule to protect the integrity of PHI.
- Technical safeguards refer to the technology used to protect electronic PHI (ePHI) and provide access to data
- Physical safeguards relate to the physical access to ePHI whether it is stored in a remote location or in on-premise data center of HIPAA covered entity (such as that of a HIPAA compliant medical transcription company). The physical location where ePHI is stored must be secure and safe against unauthorized access.
- Administrative safeguards focus on the policies and procedures implemented by an organization for the maintenance of security measures that protect patient health information.
However, the government’s move to temporarily suspend penalties for noncompliance of HIPAA rules surrounding telehealth communications has made this compliance much more difficult, notes a recent HealthTech article. The notice from the Department of Health and Human Services’ Office for Civil Rights regarding provision of telehealth says:
Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
To be HIPAA compliant, these video calling services must also have security features such as end-to-end encryption (E2EE) and access controls to safeguard PHI. While video conferencing tools like GoToMeeting, Skype and Zoom are HIPAA compliant, Apple’s Facetime is not. Ultimately, the reliability of these platforms depends on using them in a HIPPA-compliant manner (www.compliancy-group.com). Users must be wary of hackers who are taking advantage of this public health emergency to gain access to hospital networks.
As the pandemic pushes healthcare organizations to make changes in their procedures and workflows to support business continuity, including allowing employees to work at home, they need to take steps to beef up cybersecurity and maintain the confidentiality of PHI. Here are 8 steps that healthcare organizations can take to set up remote workspaces for HIPAA adherence:
As remote work and care becomes a common practice, these steps will become even more important to maintain HIPAA compliance. The bottom-line: all staff should stay HIPAA compliant, regardless of location.
Healthcare organizations should also ensure that any third-party vendor they contract with, such as a medical transcription service provider, complies with all HIPAA protocols, rules and regulations. A reliable business associate would have the following measures in place to protect valuable patient data:
Outsourcing medical transcription to such a company will ensure that PHI is used and transferred with proper access and in accordance with the defined safeguards.