Last week, we reminded health plans that HIPAA is alive and well…and enforceable. This week, let’s test our HIPAA IQ with 10 questions designed to get you thinking about HIPAA in a “work-from-home” context.
Protected Health Information (PHI) created, received, maintained, or transmitted by a health plan must be protected. Therefore, employer security systems must be working like a well-oiled machine to maintain the confidentiality, integrity, and availability of PHI while working remotely.
DO YOU KNOW…
.1…which benefit plans must comply with HIPAA?
- Don’t forget about HRAs, FSAs, Dental & Vision plans, EAPs, or Wellness Plans!
2….where PHI is created, received, maintained, and transmitted?
- PHI is flowing, even if employees work from home; PHI created, received, maintained, or transmitted by the health plan is PHI.
- Health information for purposes other than plan administration, such as FMLA or worker’s compensation data, or voluntarily disclosed health data is not PHI, but must still be treated as confidential.
3….who in your organization has access to Protected Health Information (PHI)?
- Now more than ever is a great time to verify user IDs, passwords, and security protocols (e.g. folder access using a VPN network) to ensure appropriate personnel working from home access only necessary PHI for their job function.
4…what actions to take in the event of a breach of PHI?
- Review your risk analysis, ensure remote devices (e.g. mobile devices & apps, as applicable) are secure, and modify as necessary to reduce the risk of a PHI breach while more than a “typical” number of employees are remotely working.
5…designated both a Privacy Officer and Security Officer?
- Even when working remotely, employees must be able to inquire about their PHI. Ensure employees have avenues to request confidential inquiries from appointed staff.
6…trained staff on Privacy & Security?
- If your regularly scheduled HIPAA training (or training of newly hired staff) falls during quarantine, don’t skip it!
- Seek creative methods to train employees on the importance of HIPAA principles, especially identifying, protecting, and sharing PHI.
7…conducted a HIPAA Security risk assessment?
- An off-cycle security meeting may be necessary (webinar, anyone?) to evaluate work-from-home policies, procedures, and systems access, as outlined within your Data Operations Plan, including any business continuity or emergency operation plans.
8…confident in your security management processes that protect PHI?
- Consider consultation with your IT professionals to ensure all systems that create, receive, maintain, and transmit PHI are secure.
DO YOU HAVE…
9…written procedures for how to send and receive PHI?
- If remote work impacts how your business sends and receives PHI, review & update existing policies & procedures to verify that security measures (administrative, technical, and physical) are sufficient to protect PHI.
10…Business Associate Agreements (BAAs) in place with verified Business Associates (BAs)? (Spoiler: YOU may be liable if your BA’s aren’t in compliance!)
- Maintaining compliant BAAs is required.
- April 3rd, 2020, the OCR released two Notices of Enforcement Discretion letters: one to BAAs regarding disclosures for public health purposes, and one to covered health care providers (HCP) regarding telehealth communications.
- BAs are permitted to share PHI for purposes of “public health & health oversight activities” even if the BAA does not expressly permit it; HCP are permitted to use “any non-public facing remote communication product that is available to communicate with patients.” For full details on these changes, consult our COVID-19 Resources Page.