Your idea of working from home seems pretty cozy. You imagine sitting in your pajamas and your pet sitting at your feet keeping you company. But for medical professionals, working remotely involves some special precautions to ensure patient privacy and data security.
Furthermore, you are in an “employer workspace” now, so there are also OSHA considerations that must be met to make sure you are compliant.
The pandemic had many healthcare workers— coding, billing and administrative staff— pivot from working in an office to working from home. When this necessary change happened, very few practices considered what that workspace would look like and even if the employee had a “dedicated” workspace available to protect patients from HIPAA breaches, or to protect themselves from a hazardous work environment.
Also, with the relaxed use of telecommunications and the advancement of telehealth, practitioners can treat more patients remotely. In response to the national health emergency (PHE), working from home isn’t just comfortable, but it’s an important way to protect the health of patients and healthcare workers, when necessary.
HIPAA regulations have been relaxed during the pandemic in order to facilitate safe access to healthcare and remote coverage for patients. Even though “potential” penalties for non-compliance have been waived during this emergency period for good-faith use of telehealth, the law was not removed, and HIPAA compliance is still necessary.
If proper telecommuting privacy and security measures are not in place, HIPAA Privacy Rule and Security Rule violations may occur. The number of employees working from home now is expected to continue to rise.
HIPAA rules apply to covered entities employees, whether work is performed at the office or at home, or at a patient’s home. HIPAA compliance and working from home do not fit hand in glove for one simple reason: Working at home (or at a patient’s house) can put patients’ “protected health information (PHI) at risk, consequently presenting HIPAA Privacy Rules concerns and HIPAA Security Rule concerns. Therefore, establishing HIPAA guidelines for employees is important.
Fortunately, these concerns can be addressed systematically, by taking specific measures with respect to specific work-from-home guidelines and requirements.
Employers can, for example, take steps to ensure IT security, such as the following:
The HIPAA guidelines for working at home have additional steps that employers can take:
OCR investigated incidents of HIPAA breaches caused by telecommuting and determined that certain HIPAA entities, failed to take a number of basic measures required under the HIPAA Security Rule. One such failure was the failure to conduct an enterprise-wide risk analysis when the breach first occurred. Such an analysis might have resulted in these entities, having discovered stricter measures were needed to prevent the occurrence of threats caused by telecommuting.
OCR also discovered that these entities, had no written policy regarding the removal of hardware containing PHI into and out of its facilities.
This lack of a written policy constituted a clear violation of the HIPAA Security Rule.
One of the HIPAA Security Rule physical safeguards is the Device and Media Controls standard. Under this standard, covered entities are required to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”
One of the reported breaches, sounded like something out of a bad HIPAA soap opera. A manager from a specific HIPAA entity- employee and telecommuter, had left behind approximately 300 patient records in her car, after deciding to leave her husband. Believe it or not, the manager was actually complying with (an unwritten) company policy, which simply required that such records, as well as procedure manuals, be securely stowed away in cars as a form of data backup.
The manager left behind her car and her husband. However, the husband continued to have access to the vehicle. The husband later contacted the main company and the OCR to report he had discovered the private records.
When the matter got to a hearing before an Administrative Law Judge (ALJ), the judge ruled in favor of OCR, finding that, as an organization, the care center had failed to implement effective HIPAA compliance guidelines.
The OSH Act applies to work performed by an employee in any workplace within the United States, including a workplace located in the employee’s home. All employers, including those which have entered into “work at home” agreements with employees, are responsible for complying with the OSH Act and with safety and health standards.
Even when the workplace is in a designated area in an employee’s home, the employer retains some degree of control over the conditions of the “work at home” agreement. An important factor in the development of these arrangements is to ensure that employees are not exposed to reasonably foreseeable hazards created by their at-home employment.
Ensuring safe and healthful working conditions for the employee should be a precondition for any home-based work assignments. Employers should exercise reasonable diligence to identify in advance the possible hazards associated with particular homework assignments and should provide the necessary protection through training, personal protective equipment, or other controls appropriate to reduce or eliminate the hazard. In some circumstances, the exercise of reasonable diligence may necessitate an on-site examination of the working environment by the employer. Employers must take steps to reduce or eliminate any work-related safety or health problems they become aware of through on-site visits or other means. This is also a good way to determine if the employee has a dedicated space to use for working from home, and is not sitting at a dining room table with the kids, the spouse and everyone else’s paperwork also in the open for all to see.
Certainly, where the employer provides work materials for use in the employee’s home, the employer should ensure that employer-provided tools or supplies pose no hazard under reasonably foreseeable conditions of storage or use by employees.
An employer must also take appropriate steps when the employer knows or has reason to know that employee-provided tools or supplies could create a safety or health risk. Here are frequently asked questions and answers:
Question:
Is the employer responsible for compliance with the home itself?
Response:
An employer is responsible for ensuring that its employees have a safe and healthful workplace, not a safe and healthful home. The employer is responsible only for preventing or correcting hazards to which employees may be exposed in the course of their work. For example: if work is performed in the basement space of a residence and the stairs leading to the space are unsafe, the employer could be liable if the employer knows or reasonably should have known of the dangerous condition.
Question:
Is the employer required to do periodic compliance inspections in the home, which may include safety, health, fire, and environmental issues?
Response:
There is no general requirement in OSHA’s standards or regulations that employers routinely conduct safety inspections of all work locations. However, certain specific standards require periodic inspection of specific kinds of equipment and work operations, such as:
Although some of these operations may not be found in home-based workplaces, nevertheless, if an employer of home-based employees is aware of safety or health hazards, or has reason to be aware of such hazards, the OSH Act requires the employer to pursue all feasible steps to protect its employees; one obvious and effective means of ensuring employee safety would be periodic safety checks of employee working spaces.
Question:
What would be OSHA’s inspection procedures in a private home?
Response:
OSHA’s health and safety inspection program is directed primarily toward industrial and commercial establishments and construction sites. They do not ordinarily conduct inspections of home-based workplaces, although from time to time we have visited private homes or apartments to investigate reports of sweatshop-type working conditions in the garment industry and other businesses where hazards have been reported. Any OSHA enforcement visit must, of course, be conducted in compliance with the Fourth Amendment which would require that OSHA obtain either consent to inspect or a judicially-issued warrant. It has been reported that home inspections are becoming more commonplace. It is imperative that telecommuters and their employers are aware of the rules.
Below are responses to other general questions from the OSHA workplace site.
Workplace Analysis and Hazard Prevention: The employer is responsible for correcting hazards of which it is aware or should be aware.
If, for example, the work requires the use of office equipment (computer, printer, scanner, fax machine, copying machine, etc.) in an employee’s home, it must be done in a manner to, for example, not overload the home electrical circuits as this could be a fire safety violation.
Programming note: For more on this topic listen to Talk Ten Tuesdays, today when Terry Fletcher reports this story live, 10 Eastern.
References and Resources:
https://www.jdsupra.com/legalnews/hipaa-compliance-guidelines-for-remote-9027191/
https://www.healthcareitnews.com/blog/hipaa-and-remote-work-top-compliance-risks-address
https://www.hhs.gov/sites/default/files/securely-teleworking-healthcare.pdf
The articles describe a significant 2026 dispute over the misuse of health information exchanged by asserting a treatment purpose through Carequality. (Raths) The core allegation
It’s hard to believe, but April 1 is right around the corner. As coders, we know that is one of our update dates, and this
Please log in to your account to comment on this article.
Uncover essential coding insights with nationally recognized coding authority Kay Piper, RHIA, CDIP, CCS. Through ICD10monitor’s interactive, on‑demand webcast series, Kay walks you through the AHA’s 2026 ICD‑10‑CM/PCS Quarterly Coding Clinics, translating each update into practical, easy‑to‑apply guidance designed to sharpen precision, ensure compliance, and strengthen day‑to‑day decision‑making. Available shortly after each official release.
Uncover critical guidance on the ICD-10-CM/PCS code updates. Kay Piper reviews and explains ICD-10-CM/PCS coding guidelines in the AHA’s fourth quarter 2026 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Uncover critical guidance on the ICD-10-CM/PCS code updates. Kay Piper reviews and explains ICD-10-CM/PCS coding guidelines in the AHA’s third quarter 2026 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Uncover critical guidance on the ICD-10-CM/PCS code updates. Kay Piper reviews and explains ICD-10-CM/PCS coding guidelines in the AHA’s second quarter 2026 ICD-10-CM/PCS Coding Clinic in an easy to access on-demand webcast.
Federal auditors are intensifying their focus on inpatient psychiatric facilities, using advanced data analytics to spotlight outliers and pursue high‑dollar repayments. In this high‑impact webcast, Michael Calahan, PA, MBA, Compliance Officer and V.P., Hospital & Physician Compliance, breaks down what regulators are really targeting in IPF-PPS admissions, documentation, treatment and discharge planning. Attendees will learn practical steps to tighten processes, avoid common audit triggers and protect reimbursement and reduce the risk of multimillion-dollar repayment demands.
In this timely session, Stacey Shillito, CDIP, CPMA, CCS, CCS-P, CPEDC, COPC, breaks down the complexities of Medical Decision Making (MDM) documentation so providers can confidently capture the true complexity of their care. Attendees will learn practical, efficient strategies to ensure documentation aligns with current E/M guidelines, supports accurate coding, and reduces audit risk, all without adding to charting time.
Join Ronald Hirsch, MD, FACP, CHCQM for The PEPPER Returns – Risk and Opportunity at Your Fingertips, a practical webcast that demystifies the PEPPER and shows you how to turn complex claims data into actionable insights. Dr. Hirsch will explain how to interpret key measures, identify compliance risks, uncover missed revenue opportunities, and understand new updates in the PEPPER, all to help your organization stay ahead of audits and use this powerful data proactively.
Stay ahead of the 2026-2027 audit surge with “Top 10 Audit Targets for 2026-2027 for Hospitals & Physicians: Protect Your Revenue,” a high-impact webcast led by Michael Calahan, PA, MBA. This concise session gives hospitals and physicians clear insight into the most likely federal audit targets, such as E/M services, split/shared and critical care, observation and admissions, device credits, and Two-Midnight Rule changes, and shows how to tighten documentation, coding, and internal processes to reduce denials, recoupments, and penalties. Attendees walk away with practical best practices to protect revenue, strengthen compliance, and better prepare their teams for inevitable audits.
Prepare for the 2025 CMS IPPS Final Rule with ICD10monitor’s IPPSPalooza! Click HERE to learn more
Get 15% OFF on all educational webcasts at ICD10monitor with code JULYFOURTH24 until July 4, 2024—start learning today!
BLOOM INTO SAVINGS! Get 25% OFF during our spring sale through March 27. Use code SPRING26 at checkout to claim this offer.
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 1 with code CYBER25
CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24
