Attention Healthcare Telecommuter? Is Your Workspace HIPAA Compliant? OSHA Compliant?

Your idea of working from home seems pretty cozy. You imagine sitting in your pajamas and your pet sitting at your feet keeping you company. But for medical professionals, working remotely involves some special precautions to ensure patient privacy and data security. 

Furthermore, you are in an “employer workspace” now, so there are also OSHA considerations that must be met to make sure you are compliant.

The pandemic had many healthcare workers— coding, billing and administrative staff— pivot from working in an office to working from home. When this necessary change happened, very few practices considered what that workspace would look like and even if the employee had a “dedicated” workspace available to protect patients from HIPAA breaches, or to protect themselves from a hazardous work environment.

Also, with the relaxed use of telecommunications and the advancement of telehealth, practitioners can treat more patients remotely. In response to the national health emergency (PHE), working from home isn’t just comfortable, but it’s an important way to protect the health of patients and healthcare workers, when necessary.   

HIPAA regulations have been relaxed during the pandemic in order to facilitate safe access to healthcare and remote coverage for patients. Even though “potential” penalties for non-compliance have been waived during this emergency period for good-faith use of telehealth, the law was not removed, and HIPAA compliance is still necessary. 

If proper telecommuting privacy and security measures are not in place, HIPAA Privacy Rule and Security Rule violations may occur. The number of employees working from home now is expected to continue to rise.

HIPAA Compliance and Working from Home

HIPAA rules apply to covered entities employees, whether work is performed at the office or at home, or at a patient’s home. HIPAA compliance and working from home do not fit hand in glove for one simple reason: Working at home (or at a patient’s house) can put patients’ “protected health information (PHI) at risk, consequently presenting HIPAA Privacy Rules concerns and HIPAA Security Rule concerns. Therefore, establishing HIPAA guidelines for employees is important.

Fortunately, these concerns can be addressed systematically, by taking specific measures with respect to specific work-from-home guidelines and requirements.

Employers can, for example, take steps to ensure IT security, such as the following:

  • Encrypt home wireless router traffic.
  • Change default passwords for wireless routers from the existing passwords.
  • Ensure all devices that access your network are properly configured (i.e., are encrypted, with password, firewall, and antivirus protection).
  • Encrypt all PHI before it is transmitted.
  • Require employee use of a VPN when employees remotely access the company Intranet. 

The HIPAA guidelines for working at home have additional steps that employers can take:

  • Develop policies and procedures prohibiting employees from allowing friends and family from using devices that contain PHI. (e.g. laptops, cell phones, etc used to store or transmit ePHI)
  • Have employees sign a Confidentiality Agreement before they begin work. 
  • Provide lockable file cabinets or safes for employees who store hard copy (paper) PHI in their home offices.
  • Provide HIPAA-compliant shredders for remote workers so these workers can destroy paper PHI at their work location once the PHI is no longer needed.
  • Develop and require adherence (through a sanctions policy) to a media sanitization policy. (limit external media connections on work routers)
  • Ensure employees disconnect from the company network when their work is complete. This can be done by applying measures such as IT configuring timeouts. 
  • Maintain and periodically review logs of remote access activity.
The OCR (Office of Civil Rights) Investigations of Telecommuters

OCR investigated incidents of HIPAA breaches caused by telecommuting and determined that certain HIPAA entities, failed to take a number of basic measures required under the HIPAA Security Rule. One such failure was the failure to conduct an enterprise-wide risk analysis when the breach first occurred. Such an analysis might have resulted in these entities, having discovered stricter measures were needed to prevent the occurrence of threats caused by telecommuting.

OCR also discovered that these entities, had no written policy regarding the removal of hardware containing PHI into and out of its facilities. 

This lack of a written policy constituted a clear violation of the HIPAA Security Rule. 

One of the HIPAA Security Rule physical safeguards is the Device and Media Controls standard. Under this standard, covered entities are required to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.” 

One of the reported breaches, sounded like something out of a bad HIPAA soap opera. A manager from a specific HIPAA entity- employee and telecommuter, had left behind approximately 300 patient records in her car, after deciding to leave her husband. Believe it or not, the manager was actually complying with (an unwritten) company policy, which simply required that such records, as well as procedure manuals, be securely stowed away in cars as a form of data backup.

The manager left behind her car and her husband. However, the husband continued to have access to the vehicle. The husband later contacted the main company and the OCR to report he had discovered the private records.  

When the matter got to a hearing before an Administrative Law Judge (ALJ), the judge ruled in favor of OCR, finding that, as an organization, the care center had failed to implement effective HIPAA compliance guidelines.

Why is OSHA Getting into the act?

The OSH Act applies to work performed by an employee in any workplace within the United States, including a workplace located in the employee’s home. All employers, including those which have entered into “work at home” agreements with employees, are responsible for complying with the OSH Act and with safety and health standards.

Even when the workplace is in a designated area in an employee’s home, the employer retains some degree of control over the conditions of the “work at home” agreement. An important factor in the development of these arrangements is to ensure that employees are not exposed to reasonably foreseeable hazards created by their at-home employment.

Ensuring safe and healthful working conditions for the employee should be a precondition for any home-based work assignments. Employers should exercise reasonable diligence to identify in advance the possible hazards associated with particular homework assignments and should provide the necessary protection through training, personal protective equipment, or other controls appropriate to reduce or eliminate the hazard. In some circumstances, the exercise of reasonable diligence may necessitate an on-site examination of the working environment by the employer. Employers must take steps to reduce or eliminate any work-related safety or health problems they become aware of through on-site visits or other means. This is also a good way to determine if the employee has a dedicated space to use for working from home, and is not sitting at a dining room table with the kids, the spouse and everyone else’s paperwork also in the open for all to see.

Certainly, where the employer provides work materials for use in the employee’s home, the employer should ensure that employer-provided tools or supplies pose no hazard under reasonably foreseeable conditions of storage or use by employees.

An employer must also take appropriate steps when the employer knows or has reason to know that employee-provided tools or supplies could create a safety or health risk. Here are frequently asked questions and answers:

Question:

Is the employer responsible for compliance with the home itself?

Response:

An employer is responsible for ensuring that its employees have a safe and healthful workplace, not a safe and healthful home. The employer is responsible only for preventing or correcting hazards to which employees may be exposed in the course of their work. For example: if work is performed in the basement space of a residence and the stairs leading to the space are unsafe, the employer could be liable if the employer knows or reasonably should have known of the dangerous condition.

Question:

Is the employer required to do periodic compliance inspections in the home, which may include safety, health, fire, and environmental issues?

Response:

There is no general requirement in OSHA’s standards or regulations that employers routinely conduct safety inspections of all work locations. However, certain specific standards require periodic inspection of specific kinds of equipment and work operations, such as:

  • ladders (§1910.25(d)(1)(x)) and §1910.26(c)(2)(vi));
  • electrical protective equipment (§1910.137(b)(2)(ii));
  • mechanical power-transmission equipment (§1910.219(p));
  • portable electric equipment (§1910.334(a)(2)).

Although some of these operations may not be found in home-based workplaces, nevertheless, if an employer of home-based employees is aware of safety or health hazards, or has reason to be aware of such hazards, the OSH Act requires the employer to pursue all feasible steps to protect its employees; one obvious and effective means of ensuring employee safety would be periodic safety checks of employee working spaces.

Question:

What would be OSHA’s inspection procedures in a private home?

Response:

OSHA’s health and safety inspection program is directed primarily toward industrial and commercial establishments and construction sites. They do not ordinarily conduct inspections of home-based workplaces, although from time to time we have visited private homes or apartments to investigate reports of sweatshop-type working conditions in the garment industry and other businesses where hazards have been reported. Any OSHA enforcement visit must, of course, be conducted in compliance with the Fourth Amendment which would require that OSHA obtain either consent to inspect or a judicially-issued warrant. It has been reported that home inspections are becoming more commonplace. It is imperative that telecommuters and their employers are aware of the rules.

Below are responses to other general questions from the OSHA workplace site.

Workplace Analysis and Hazard Prevention: The employer is responsible for correcting hazards of which it is aware or should be aware.

If, for example, the work requires the use of office equipment (computer, printer, scanner, fax machine, copying machine, etc.) in an employee’s home, it must be done in a manner to, for example, not overload the home electrical circuits as this could be a fire safety violation.

Programming note: For more on this topic listen to Talk Ten Tuesdays, today when Terry Fletcher reports this story live, 10 Eastern.

References and Resources:

https://www.jdsupra.com/legalnews/hipaa-compliance-guidelines-for-remote-9027191/

https://www.healthcareitnews.com/blog/hipaa-and-remote-work-top-compliance-risks-address

https://www.hhs.gov/sites/default/files/securely-teleworking-healthcare.pdf

Facebook
Twitter
LinkedIn

Terry A. Fletcher BS, CPC, CCC, CEMC, CCS, CCS-P, CMC, CMSCS, ACS-CA, SCP-CA, QMGC, QMCRC, QMPM

Terry Fletcher, BS, CPC, CCC, CEMC, CCS, CCS-P, CMC, CMSCS, CMCS, ACS-CA, SCP-CA, QMGC, QMCRC, is a healthcare coding consultant, educator, and auditor with more than 30 years of experience. Terry is a past member of the national advisory board for AAPC, past chair of the AAPCCA, and an AAPC national and regional conference educator. Terry is the author of several coding and reimbursement publications, as well as a practice auditor for multiple specialty practices around the country. Her coding and reimbursement specialties include cardiology, peripheral cardiology, gastroenterology, E&M auditing, orthopedics, general surgery, neurology, interventional radiology, and telehealth/telemedicine. Terry is a member of the ICD10monitor editorial board and a popular panelist on Talk Ten Tuesdays.

Related Stories

Autism Diagnosis and ICD-10-CM

Autism Diagnosis and ICD-10-CM

A recent report from US News was published regarding an October article in the Journal of the American Medical Association (JAMA) about the increase in

Read More

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

Enhancing Outcomes with CDI-Coding-Quality Collaboration in Acute Care Hospitals

Enhancing Outcomes with CDI-Coding-Quality Collaboration in Acute Care Hospitals

Join Angela Comfort, DBA, MBA, RHIA, CDIP, CCS, CCS-P, as she presents effective strategies to strengthen collaboration between CDI, coding, and quality departments in acute care hospitals. Angela will also share guidance on implementing cross-departmental meetings, using shared KPIs, and engaging leadership to foster a culture of collaboration. Attendees will gain actionable tools to optimize documentation accuracy, elevate quality metrics, and drive a unified approach to healthcare goals, ultimately enhancing both patient outcomes and organizational performance.

November 21, 2024
Comprehensive Inpatient Clinical Documentation Integrity: From Foundations to Advanced Strategies

Comprehensive Outpatient Clinical Documentation Integrity: From Foundations to Advanced Strategies

Optimize your outpatient clinical documentation and gain comprehensive knowledge from foundational practices to advanced technologies, ensuring improved patient care and organizational and financial success. This webcast bundle provides a holistic approach to outpatient CDI, empowering you to implement best practices from the ground up and leverage advanced strategies for superior results. You will gain actionable insights to improve documentation quality, patient care, compliance, and financial outcomes.

September 5, 2024
Advanced Outpatient Clinical Documentation Integrity: Mastering Complex Narratives and Compliance

Advanced Outpatient Clinical Documentation Integrity: Mastering Complex Narratives and Compliance

Enhancing outpatient clinical documentation is crucial for maintaining accuracy, compliance, and proper reimbursement in today’s complex healthcare environment. This webcast, presented by industry expert Angela Comfort, DBA, RHIA, CDIP, CCS, CCS-P, will provide you with actionable strategies to tackle complex challenges in outpatient documentation. You’ll learn how to craft detailed clinical narratives, utilize advanced EHR features, and implement accurate risk adjustment and HCC coding. The session also covers essential regulatory updates to keep your documentation practices compliant. Join us to gain the tools you need to improve documentation quality, support better patient care, and ensure financial integrity.

September 12, 2024

Trending News

Featured Webcasts

Patient Notifications and Rights: What You Need to Know

Patient Notifications and Rights: What You Need to Know

Dr. Ronald Hirsch provides critical details on the new Medicare Appeal Process for Status Changes for patients whose status changes during their hospital stay. He also delves into other scenarios of hospital patients receiving custodial care or medically unnecessary services where patient notifications may be needed along with the processes necessary to ensure compliance with state and federal guidance.

December 5, 2024
Navigating the No Surprises Act & Price Transparency: Essential Insights for Compliance

Navigating the No Surprises Act & Price Transparency: Essential Insights for Compliance

Healthcare organizations face complex regulatory requirements under the No Surprises Act and Price Transparency rules. These policies mandate extensive fee disclosures across settings, and confusion is widespread—many hospitals remain unaware they must post every contracted rate. Non-compliance could lead to costly penalties, financial loss, and legal risks.  Join David M. Glaser Esq. as he shows you how to navigate these regulations effectively.

November 19, 2024
Post Operative Pain Blocks: Guidelines, Documentation, and Billing to Protect Your Facility

Post Operative Pain Blocks: Guidelines, Documentation, and Billing to Protect Your Facility

Protect your facility from unwanted audits! Join Becky Jacobsen, BSN, RN, MBS, CCS-P, CPC, CPEDC, CBCS, CEMC, and take a deep dive into both the CMS and AMA guidelines for reporting post operative pain blocks. You’ll learn how to determine if the nerve block is separately codable with real life examples for better understanding. Becky will also cover how to evaluate whether documentation supports medical necessity, offer recommendations for stronger documentation practices, and provide guidance on educating providers about documentation requirements. She’ll include a discussion of appropriate modifier and diagnosis coding assignment so that you can be confident that your billing of post operative pain blocks is fully supported and compliant.

October 24, 2024
The OIG Update: Targets and Tools to Stay in Compliance

The OIG Update: Targets and Tools to Stay in Compliance

During this RACmonitor webcast Dr. Ronald Hirsch spotlights the areas of the OIG’s Work Plan and the findings of their most recent audits that impact utilization review, case management, and audit staff. He also provides his common-sense interpretation of the prevailing regulations related to those target issues. You’ll walk away better equipped with strategies to put in place immediately to reduce your risk of paybacks, increased scrutiny, and criminal penalties.

September 19, 2024

Trending News

Prepare for the 2025 CMS IPPS Final Rule with ICD10monitor’s IPPSPalooza! Click HERE to learn more

Get 15% OFF on all educational webcasts at ICD10monitor with code JULYFOURTH24 until July 4, 2024—start learning today!