Group Health Plan Advisory (COVID-19): The New Normal of Employees Working from Home Can Lead to HIPAA Privacy and Security Violations
The pandemic has caused a huge increase in the number of employees working from home. Procedures and equipment need to be reviewed to ensure that this new normal does not lead to violations of the HIPAA Privacy and Security regulations that can result in fines.
Fines are Substantial
The HIPAA Privacy and Security regulations mandate that protected health information (PHI) must be secured according to their guidelines. Some examples of violations and fines include:
CVS Pharmacy and Rite Aid Corporation were fined $2.25 million and $1.04 million, respectively, for inappropriately disposing of pill bottles with patient information on the labels in industrial trash containers. Both drugstore chains agreed to implement Corrective Action Plans, which essentially call for the shredding of these types of documents.
On July 27, 2020, Lifespan Health System (“Lifespan”) agreed to pay $1.04 million to the Office of Civil Rights (OCR) to settle potential violations of the HIPAA Privacy and Security Rules related to the theft of an unencrypted hospital employee laptop.
Types of Violations
The HITECH Act, which amended HIPAA, requires the Secretary of the Department of Health and Human Services to post on its website a list of breaches of unsecured PHI affecting 500 or more individuals. The webpage, commonly referred to as the “HIPAA Wall of Shame”, allows us to provide a summary of the causes:
Actions to Minimize Your Risk
Virtually every risk category presents more challenges when employees who work with or have access to PHI work from home. The following are recommendations to help minimize this exposure and keep your company’s name off OCR’s HIPAA Wall of Shame.
- The National Institute of Standards and Technology, in connection with the OCR, created a Security Risk Assessment Tool to guide employers through the required risk assessments. All employers, regardless of size, are required to conduct a risk assessment. Even employers that have conducted a recent assessment should update it given the new work environment.
- Instruct employees not to share company computers with family members.
- Instruct employees to minimize the at-home printing of documents containing PHI and shred them when no longer needed.
- Printed documents containing PHI need to be stored in a locked location.
- Employees need to have a heightened sense of awareness about phishing and other forms of computer hacking.
- Employees should be instructed to use the corporate VPN and its antivirus/anti-malware software.
The increase in the number of employees working from home does not need to lead to an increase in violations of HIPAA Privacy and Security regulations. A review of procedures and equipment, plus an emphasis on employee training, will mitigate this risk and avoid the potential fines that a violation will bring.
Please contact your Oswald client team representative for further information.
Disclaimer: Materials are solely for informational purposes as an educational resource. Please contact counsel to obtain advice with respect to any specific issue.