Master the upcoming ICD-10 code and IPPS changes! Prepare your team for the upcoming changes taking effect on October 1. Discover the benefits of IPPSPalooza and how it can drive your success. Click here >

Attention Healthcare Telecommuter? Is Your Workspace HIPAA Compliant? OSHA Compliant?

Your idea of working from home seems pretty cozy. You imagine sitting in your pajamas and your pet sitting at your feet keeping you company. But for medical professionals, working remotely involves some special precautions to ensure patient privacy and data security. 

Furthermore, you are in an “employer workspace” now, so there are also OSHA considerations that must be met to make sure you are compliant.

The pandemic had many healthcare workers— coding, billing and administrative staff— pivot from working in an office to working from home. When this necessary change happened, very few practices considered what that workspace would look like and even if the employee had a “dedicated” workspace available to protect patients from HIPAA breaches, or to protect themselves from a hazardous work environment.

Also, with the relaxed use of telecommunications and the advancement of telehealth, practitioners can treat more patients remotely. In response to the national health emergency (PHE), working from home isn’t just comfortable, but it’s an important way to protect the health of patients and healthcare workers, when necessary.   

HIPAA regulations have been relaxed during the pandemic in order to facilitate safe access to healthcare and remote coverage for patients. Even though “potential” penalties for non-compliance have been waived during this emergency period for good-faith use of telehealth, the law was not removed, and HIPAA compliance is still necessary. 

If proper telecommuting privacy and security measures are not in place, HIPAA Privacy Rule and Security Rule violations may occur. The number of employees working from home now is expected to continue to rise.

HIPAA Compliance and Working from Home

HIPAA rules apply to covered entities employees, whether work is performed at the office or at home, or at a patient’s home. HIPAA compliance and working from home do not fit hand in glove for one simple reason: Working at home (or at a patient’s house) can put patients’ “protected health information (PHI) at risk, consequently presenting HIPAA Privacy Rules concerns and HIPAA Security Rule concerns. Therefore, establishing HIPAA guidelines for employees is important.

Fortunately, these concerns can be addressed systematically, by taking specific measures with respect to specific work-from-home guidelines and requirements.

Employers can, for example, take steps to ensure IT security, such as the following:

  • Encrypt home wireless router traffic.
  • Change default passwords for wireless routers from the existing passwords.
  • Ensure all devices that access your network are properly configured (i.e., are encrypted, with password, firewall, and antivirus protection).
  • Encrypt all PHI before it is transmitted.
  • Require employee use of a VPN when employees remotely access the company Intranet. 

The HIPAA guidelines for working at home have additional steps that employers can take:

  • Develop policies and procedures prohibiting employees from allowing friends and family from using devices that contain PHI. (e.g. laptops, cell phones, etc used to store or transmit ePHI)
  • Have employees sign a Confidentiality Agreement before they begin work. 
  • Provide lockable file cabinets or safes for employees who store hard copy (paper) PHI in their home offices.
  • Provide HIPAA-compliant shredders for remote workers so these workers can destroy paper PHI at their work location once the PHI is no longer needed.
  • Develop and require adherence (through a sanctions policy) to a media sanitization policy. (limit external media connections on work routers)
  • Ensure employees disconnect from the company network when their work is complete. This can be done by applying measures such as IT configuring timeouts. 
  • Maintain and periodically review logs of remote access activity.
The OCR (Office of Civil Rights) Investigations of Telecommuters

OCR investigated incidents of HIPAA breaches caused by telecommuting and determined that certain HIPAA entities, failed to take a number of basic measures required under the HIPAA Security Rule. One such failure was the failure to conduct an enterprise-wide risk analysis when the breach first occurred. Such an analysis might have resulted in these entities, having discovered stricter measures were needed to prevent the occurrence of threats caused by telecommuting.

OCR also discovered that these entities, had no written policy regarding the removal of hardware containing PHI into and out of its facilities. 

This lack of a written policy constituted a clear violation of the HIPAA Security Rule. 

One of the HIPAA Security Rule physical safeguards is the Device and Media Controls standard. Under this standard, covered entities are required to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.” 

One of the reported breaches, sounded like something out of a bad HIPAA soap opera. A manager from a specific HIPAA entity- employee and telecommuter, had left behind approximately 300 patient records in her car, after deciding to leave her husband. Believe it or not, the manager was actually complying with (an unwritten) company policy, which simply required that such records, as well as procedure manuals, be securely stowed away in cars as a form of data backup.

The manager left behind her car and her husband. However, the husband continued to have access to the vehicle. The husband later contacted the main company and the OCR to report he had discovered the private records.  

When the matter got to a hearing before an Administrative Law Judge (ALJ), the judge ruled in favor of OCR, finding that, as an organization, the care center had failed to implement effective HIPAA compliance guidelines.

Why is OSHA Getting into the act?

The OSH Act applies to work performed by an employee in any workplace within the United States, including a workplace located in the employee’s home. All employers, including those which have entered into “work at home” agreements with employees, are responsible for complying with the OSH Act and with safety and health standards.

Even when the workplace is in a designated area in an employee’s home, the employer retains some degree of control over the conditions of the “work at home” agreement. An important factor in the development of these arrangements is to ensure that employees are not exposed to reasonably foreseeable hazards created by their at-home employment.

Ensuring safe and healthful working conditions for the employee should be a precondition for any home-based work assignments. Employers should exercise reasonable diligence to identify in advance the possible hazards associated with particular homework assignments and should provide the necessary protection through training, personal protective equipment, or other controls appropriate to reduce or eliminate the hazard. In some circumstances, the exercise of reasonable diligence may necessitate an on-site examination of the working environment by the employer. Employers must take steps to reduce or eliminate any work-related safety or health problems they become aware of through on-site visits or other means. This is also a good way to determine if the employee has a dedicated space to use for working from home, and is not sitting at a dining room table with the kids, the spouse and everyone else’s paperwork also in the open for all to see.

Certainly, where the employer provides work materials for use in the employee’s home, the employer should ensure that employer-provided tools or supplies pose no hazard under reasonably foreseeable conditions of storage or use by employees.

An employer must also take appropriate steps when the employer knows or has reason to know that employee-provided tools or supplies could create a safety or health risk. Here are frequently asked questions and answers:


Is the employer responsible for compliance with the home itself?


An employer is responsible for ensuring that its employees have a safe and healthful workplace, not a safe and healthful home. The employer is responsible only for preventing or correcting hazards to which employees may be exposed in the course of their work. For example: if work is performed in the basement space of a residence and the stairs leading to the space are unsafe, the employer could be liable if the employer knows or reasonably should have known of the dangerous condition.


Is the employer required to do periodic compliance inspections in the home, which may include safety, health, fire, and environmental issues?


There is no general requirement in OSHA’s standards or regulations that employers routinely conduct safety inspections of all work locations. However, certain specific standards require periodic inspection of specific kinds of equipment and work operations, such as:

  • ladders (§1910.25(d)(1)(x)) and §1910.26(c)(2)(vi));
  • electrical protective equipment (§1910.137(b)(2)(ii));
  • mechanical power-transmission equipment (§1910.219(p));
  • portable electric equipment (§1910.334(a)(2)).

Although some of these operations may not be found in home-based workplaces, nevertheless, if an employer of home-based employees is aware of safety or health hazards, or has reason to be aware of such hazards, the OSH Act requires the employer to pursue all feasible steps to protect its employees; one obvious and effective means of ensuring employee safety would be periodic safety checks of employee working spaces.


What would be OSHA’s inspection procedures in a private home?


OSHA’s health and safety inspection program is directed primarily toward industrial and commercial establishments and construction sites. They do not ordinarily conduct inspections of home-based workplaces, although from time to time we have visited private homes or apartments to investigate reports of sweatshop-type working conditions in the garment industry and other businesses where hazards have been reported. Any OSHA enforcement visit must, of course, be conducted in compliance with the Fourth Amendment which would require that OSHA obtain either consent to inspect or a judicially-issued warrant. It has been reported that home inspections are becoming more commonplace. It is imperative that telecommuters and their employers are aware of the rules.

Below are responses to other general questions from the OSHA workplace site.

Workplace Analysis and Hazard Prevention: The employer is responsible for correcting hazards of which it is aware or should be aware.

If, for example, the work requires the use of office equipment (computer, printer, scanner, fax machine, copying machine, etc.) in an employee’s home, it must be done in a manner to, for example, not overload the home electrical circuits as this could be a fire safety violation.

Programming note: For more on this topic listen to Talk Ten Tuesdays, today when Terry Fletcher reports this story live, 10 Eastern.

References and Resources:

Print Friendly, PDF & Email


Terry Fletcher, BS, CPC, CCC, CEMC, CCS, CCS-P, CMC, CMSCS, CMCS, ACS-CA, SCP-CA, QMGC, QMCRC, is a healthcare coding consultant, educator, and auditor with more than 30 years of experience. Terry is a past member of the national advisory board for AAPC, past chair of the AAPCCA, and an AAPC national and regional conference educator. Terry is the author of several coding and reimbursement publications, as well as a practice auditor for multiple specialty practices around the country. Her coding and reimbursement specialties include cardiology, peripheral cardiology, gastroenterology, E&M auditing, orthopedics, general surgery, neurology, interventional radiology, and telehealth/telemedicine. Terry is a member of the ICD10monitor editorial board and a popular panelist on Talk Ten Tuesdays.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

Mastering the Two-Midnight Rule: Keys to Navigating Short-Stay Admissions with Confidence

Mastering the Two-Midnight Rule: Keys to Navigating Short-Stay Admissions with Confidence

The CMS Two-Midnight Rule and short-stay audits are here to stay, impacting inpatient and outpatient admissions, ASC procedures, and Medicare Parts C & D. New for 2024, the Two-Midnight Rule applies to Medicare Advantage patients, requiring differentiation between Medicare plans affecting Case Managers, Utilization Review, and operational processes and knowledge of a vital distinction between these patients that influences post-discharge medical reviews and compliance risk. Join Michael G. Calahan for a comprehensive webcast covering federal laws for all admission processes. Gain the knowledge needed to navigate audits effectively and optimize patient access points, personnel, and compliance strategies. Learn Two-Midnight Rule essentials, Medicare Advantage implications, and compliance best practices. Discover operational insights for short-stay admissions, outpatient observation, and the ever-changing Inpatient-Only Listing.

Print Friendly, PDF & Email
September 19, 2023
Secondary Diagnosis Coding: A Deep Dive into Guidelines and Best Practices

Secondary Diagnosis Coding: A Deep Dive into Guidelines and Best Practices

Explore comprehensive guidelines and best practices for secondary diagnosis coding in our illuminating webcast. Delve into the intricacies of accurately assigning secondary diagnosis codes to ensure precise medical documentation. Learn how to navigate complex scenarios and adhere to coding regulations while enhancing coding proficiency. Our expert-led webcast covers essential insights, including documentation requirements, sequencing strategies, and industry updates. Elevate your coding skills and stay current with the latest coding advancements so you can determine the correct DRG assignment to optimize reimbursement, support medical decision-making, and maintain compliance.

Print Friendly, PDF & Email
September 20, 2023
Principal Diagnosis Coding: Mastering Selection and Sequencing

Principal Diagnosis Coding: Mastering Selection and Sequencing

Enhance your inpatient coding precision and revenue with Principal Diagnosis Coding: Mastering Selection and Sequencing. Join our expert-led webcast to conquer the challenges of principal diagnosis selection and sequencing. We’ll decode the intricacies of ICD-10-CM guidelines, equipping you with a clear grasp of the rules and the official UHDDS principal diagnosis definition. Uncover the crucial role of coding conventions, master the sequencing of related conditions, and confidently tackle cases with equally valid principal diagnoses.

Print Friendly, PDF & Email
September 14, 2023
2024 IPPS Summit: Final Rule Update with Expert Insights and Analysis

2024 IPPS Summit: Final Rule Update with Expert Insights and Analysis

Only ICD10monitor delivers what you need: updates on must-know changes associated with the FY24 Inpatient Prospective Payment System (IPPS) Final Rule, including new ICD-10-CM/PCS codes, plus insights, analysis and answers to questions from the country’s most respected subject matter experts.

Print Friendly, PDF & Email
2024 IPPS Summit Day 3: MS-DRG Shifts and NTAPs

2024 IPPS Summit Day 3: MS-DRG Shifts and NTAPs

This third session in our 2024 IPPS Summit will feature a review of FY24 changes to the MS-DRG methodology and new technology add-on payments (NTAPs), presented by senior healthcare consultant Laurie Johnson, with bonus insights and analysis from two acclaimed subject matter experts

Print Friendly, PDF & Email
August 17, 2023

Trending News