Attention Healthcare Telecommuter? Is Your Workspace HIPAA Compliant? OSHA Compliant?

Your idea of working from home seems pretty cozy. You imagine sitting in your pajamas and your pet sitting at your feet keeping you company. But for medical professionals, working remotely involves some special precautions to ensure patient privacy and data security. 

Furthermore, you are in an “employer workspace” now, so there are also OSHA considerations that must be met to make sure you are compliant.

The pandemic had many healthcare workers— coding, billing and administrative staff— pivot from working in an office to working from home. When this necessary change happened, very few practices considered what that workspace would look like and even if the employee had a “dedicated” workspace available to protect patients from HIPAA breaches, or to protect themselves from a hazardous work environment.

Also, with the relaxed use of telecommunications and the advancement of telehealth, practitioners can treat more patients remotely. In response to the national health emergency (PHE), working from home isn’t just comfortable, but it’s an important way to protect the health of patients and healthcare workers, when necessary.   

HIPAA regulations have been relaxed during the pandemic in order to facilitate safe access to healthcare and remote coverage for patients. Even though “potential” penalties for non-compliance have been waived during this emergency period for good-faith use of telehealth, the law was not removed, and HIPAA compliance is still necessary. 

If proper telecommuting privacy and security measures are not in place, HIPAA Privacy Rule and Security Rule violations may occur. The number of employees working from home now is expected to continue to rise.

HIPAA Compliance and Working from Home

HIPAA rules apply to covered entities employees, whether work is performed at the office or at home, or at a patient’s home. HIPAA compliance and working from home do not fit hand in glove for one simple reason: Working at home (or at a patient’s house) can put patients’ “protected health information (PHI) at risk, consequently presenting HIPAA Privacy Rules concerns and HIPAA Security Rule concerns. Therefore, establishing HIPAA guidelines for employees is important.

Fortunately, these concerns can be addressed systematically, by taking specific measures with respect to specific work-from-home guidelines and requirements.

Employers can, for example, take steps to ensure IT security, such as the following:

  • Encrypt home wireless router traffic.
  • Change default passwords for wireless routers from the existing passwords.
  • Ensure all devices that access your network are properly configured (i.e., are encrypted, with password, firewall, and antivirus protection).
  • Encrypt all PHI before it is transmitted.
  • Require employee use of a VPN when employees remotely access the company Intranet. 

The HIPAA guidelines for working at home have additional steps that employers can take:

  • Develop policies and procedures prohibiting employees from allowing friends and family from using devices that contain PHI. (e.g. laptops, cell phones, etc used to store or transmit ePHI)
  • Have employees sign a Confidentiality Agreement before they begin work. 
  • Provide lockable file cabinets or safes for employees who store hard copy (paper) PHI in their home offices.
  • Provide HIPAA-compliant shredders for remote workers so these workers can destroy paper PHI at their work location once the PHI is no longer needed.
  • Develop and require adherence (through a sanctions policy) to a media sanitization policy. (limit external media connections on work routers)
  • Ensure employees disconnect from the company network when their work is complete. This can be done by applying measures such as IT configuring timeouts. 
  • Maintain and periodically review logs of remote access activity.
The OCR (Office of Civil Rights) Investigations of Telecommuters

OCR investigated incidents of HIPAA breaches caused by telecommuting and determined that certain HIPAA entities, failed to take a number of basic measures required under the HIPAA Security Rule. One such failure was the failure to conduct an enterprise-wide risk analysis when the breach first occurred. Such an analysis might have resulted in these entities, having discovered stricter measures were needed to prevent the occurrence of threats caused by telecommuting.

OCR also discovered that these entities, had no written policy regarding the removal of hardware containing PHI into and out of its facilities. 

This lack of a written policy constituted a clear violation of the HIPAA Security Rule. 

One of the HIPAA Security Rule physical safeguards is the Device and Media Controls standard. Under this standard, covered entities are required to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.” 

One of the reported breaches, sounded like something out of a bad HIPAA soap opera. A manager from a specific HIPAA entity- employee and telecommuter, had left behind approximately 300 patient records in her car, after deciding to leave her husband. Believe it or not, the manager was actually complying with (an unwritten) company policy, which simply required that such records, as well as procedure manuals, be securely stowed away in cars as a form of data backup.

The manager left behind her car and her husband. However, the husband continued to have access to the vehicle. The husband later contacted the main company and the OCR to report he had discovered the private records.  

When the matter got to a hearing before an Administrative Law Judge (ALJ), the judge ruled in favor of OCR, finding that, as an organization, the care center had failed to implement effective HIPAA compliance guidelines.

Why is OSHA Getting into the act?

The OSH Act applies to work performed by an employee in any workplace within the United States, including a workplace located in the employee’s home. All employers, including those which have entered into “work at home” agreements with employees, are responsible for complying with the OSH Act and with safety and health standards.

Even when the workplace is in a designated area in an employee’s home, the employer retains some degree of control over the conditions of the “work at home” agreement. An important factor in the development of these arrangements is to ensure that employees are not exposed to reasonably foreseeable hazards created by their at-home employment.

Ensuring safe and healthful working conditions for the employee should be a precondition for any home-based work assignments. Employers should exercise reasonable diligence to identify in advance the possible hazards associated with particular homework assignments and should provide the necessary protection through training, personal protective equipment, or other controls appropriate to reduce or eliminate the hazard. In some circumstances, the exercise of reasonable diligence may necessitate an on-site examination of the working environment by the employer. Employers must take steps to reduce or eliminate any work-related safety or health problems they become aware of through on-site visits or other means. This is also a good way to determine if the employee has a dedicated space to use for working from home, and is not sitting at a dining room table with the kids, the spouse and everyone else’s paperwork also in the open for all to see.

Certainly, where the employer provides work materials for use in the employee’s home, the employer should ensure that employer-provided tools or supplies pose no hazard under reasonably foreseeable conditions of storage or use by employees.

An employer must also take appropriate steps when the employer knows or has reason to know that employee-provided tools or supplies could create a safety or health risk. Here are frequently asked questions and answers:

Question:

Is the employer responsible for compliance with the home itself?

Response:

An employer is responsible for ensuring that its employees have a safe and healthful workplace, not a safe and healthful home. The employer is responsible only for preventing or correcting hazards to which employees may be exposed in the course of their work. For example: if work is performed in the basement space of a residence and the stairs leading to the space are unsafe, the employer could be liable if the employer knows or reasonably should have known of the dangerous condition.

Question:

Is the employer required to do periodic compliance inspections in the home, which may include safety, health, fire, and environmental issues?

Response:

There is no general requirement in OSHA’s standards or regulations that employers routinely conduct safety inspections of all work locations. However, certain specific standards require periodic inspection of specific kinds of equipment and work operations, such as:

  • ladders (§1910.25(d)(1)(x)) and §1910.26(c)(2)(vi));
  • electrical protective equipment (§1910.137(b)(2)(ii));
  • mechanical power-transmission equipment (§1910.219(p));
  • portable electric equipment (§1910.334(a)(2)).

Although some of these operations may not be found in home-based workplaces, nevertheless, if an employer of home-based employees is aware of safety or health hazards, or has reason to be aware of such hazards, the OSH Act requires the employer to pursue all feasible steps to protect its employees; one obvious and effective means of ensuring employee safety would be periodic safety checks of employee working spaces.

Question:

What would be OSHA’s inspection procedures in a private home?

Response:

OSHA’s health and safety inspection program is directed primarily toward industrial and commercial establishments and construction sites. They do not ordinarily conduct inspections of home-based workplaces, although from time to time we have visited private homes or apartments to investigate reports of sweatshop-type working conditions in the garment industry and other businesses where hazards have been reported. Any OSHA enforcement visit must, of course, be conducted in compliance with the Fourth Amendment which would require that OSHA obtain either consent to inspect or a judicially-issued warrant. It has been reported that home inspections are becoming more commonplace. It is imperative that telecommuters and their employers are aware of the rules.

Below are responses to other general questions from the OSHA workplace site.

Workplace Analysis and Hazard Prevention: The employer is responsible for correcting hazards of which it is aware or should be aware.

If, for example, the work requires the use of office equipment (computer, printer, scanner, fax machine, copying machine, etc.) in an employee’s home, it must be done in a manner to, for example, not overload the home electrical circuits as this could be a fire safety violation.

Programming note: For more on this topic listen to Talk Ten Tuesdays, today when Terry Fletcher reports this story live, 10 Eastern.

References and Resources:

https://www.jdsupra.com/legalnews/hipaa-compliance-guidelines-for-remote-9027191/

https://www.healthcareitnews.com/blog/hipaa-and-remote-work-top-compliance-risks-address

https://www.hhs.gov/sites/default/files/securely-teleworking-healthcare.pdf

Facebook
Twitter
LinkedIn

Terry A. Fletcher BS, CPC, CCC, CEMC, CCS, CCS-P, CMC, CMSCS, ACS-CA, SCP-CA, QMGC, QMCRC, QMPM

Terry Fletcher, BS, CPC, CCC, CEMC, CCS, CCS-P, CMC, CMSCS, CMCS, ACS-CA, SCP-CA, QMGC, QMCRC, is a healthcare coding consultant, educator, and auditor with more than 30 years of experience. Terry is a past member of the national advisory board for AAPC, past chair of the AAPCCA, and an AAPC national and regional conference educator. Terry is the author of several coding and reimbursement publications, as well as a practice auditor for multiple specialty practices around the country. Her coding and reimbursement specialties include cardiology, peripheral cardiology, gastroenterology, E&M auditing, orthopedics, general surgery, neurology, interventional radiology, and telehealth/telemedicine. Terry is a member of the ICD10monitor editorial board and a popular panelist on Talk Ten Tuesdays.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

The Cost of Ignoring Risk Adjustment: How HCCs Impact Revenue & Compliance

The Cost of Ignoring Risk Adjustment: How HCCs Impact Revenue & Compliance

Stop revenue leakage and boost hospital performance by mastering risk adjustment and HCCs. This essential webcast with expert Cheryl Ericson, RN, MS, CCDS, CDIP, will reveal how inaccurate patient acuity documentation leads to lost reimbursements through penalties from poor quality scores. Learn the critical differences between HCCs and traditional CCs/MCCs, adapt your CDI workflows, and ensure accurate payments in Medicare Advantage and value-based care models. Perfect for HIM leaders, coders, and CDI professionals.  Don’t miss this chance to protect your hospital’s revenue and reputation!

May 29, 2025
I050825

Mastering ICD-10-CM Coding for Diabetes and it’s Complications: Avoiding Denials & Ensuring Compliance

Struggling with ICD-10-CM coding for diabetes and complications? This expert-led webcast clarifies complex combination codes, documentation gaps, and sequencing rules to reduce denials and ensure compliance. Dr. Angela Comfort will provide actionable strategies to accurately link diabetes to complications, improve provider documentation, and optimize reimbursement—helping coders, CDI specialists, and HIM leaders minimize audit risks and strengthen revenue integrity. Don’t miss this chance to master diabetes coding with real-world case studies, key takeaways, and live Q&A!

May 8, 2025
2025 Coding Clinic Webcast Series

2025 ICD-10-CM/PCS Coding Clinic Update Webcast Series

Uncover critical guidance. HIM coding expert, Kay Piper, RHIA, CDIP, CCS, provides an interactive review on important information in each of the AHA’s 2025 ICD-10-CM/PCS Quarterly Coding Clinics in easy-to-access on-demand webcasts, available shortly after each official publication.

April 14, 2025

Trending News

Featured Webcasts

Medicare Advantage 2026: Navigating New Rules, Denial Protections & SDoH Shifts

Medicare Advantage 2026: Navigating New Rules, Denial Protections & SDoH Shifts

Stay ahead of Medicare Advantage’s 2025-2026 regulatory changes in this critical webcast featuring expert Tiffany Ferguson, LMSW, CMAC, ACM. Learn how new CMS rules limit MA plan denials, protect hospitals from retroactive claim reopenings, and modify Two-Midnight Rule enforcement—plus key insights on omitted SDoH mandates and heightened readmission scrutiny. Discover actionable strategies to safeguard revenue, ensure compliance, and adapt to evolving health equity priorities before the June 2025 deadline. Essential for hospitals, revenue cycle teams, and compliance professionals navigating MA’s shifting landscape.

May 28, 2025
Navigating the 3-Day & 1-Day Payment Window: Compliance, Billing, and Revenue Protection

Navigating the 3-Day & 1-Day Payment Window: Compliance, Billing, and Revenue Protection

Struggling with CMS’s 3-Day Payment Window? Join compliance expert Michael G. Calahan, PA, MBA, CCO, to master billing restrictions for pre-admission and inter-facility services. Learn how to avoid audit risks, optimize revenue cycle workflows, and ensure compliance across departments. Critical for C-suite leaders, providers, coders, revenue cycle teams, and compliance teams—this webcast delivers actionable strategies to protect reimbursements and meet federal regulations.

May 15, 2025
Audit-Proof Your Wound Care Procedures: Expert Insights on Compliance and Risk Mitigation

Audit-Proof Your Wound Care Procedures: Expert Insights on Compliance and Risk Mitigation

Providers face increasing Medicare audits when using skin substitute grafts, leaving many unprepared for claim denials and financial liabilities. Join veteran healthcare attorney Andrew B. Wachler, Esq., in this essential webcast and master the Medicare audit process, learn best practices for compliant billing and documentation, and mitigate fraud and abuse risks. With actionable insights and a live Q&A session, you’ll gain the tools to defend your practice and ensure compliance in this rapidly evolving landscape.

April 17, 2025
Utilization Review Essentials: What Every Professional Needs to Know About Medicare

Utilization Review Essentials: What Every Professional Needs to Know About Medicare

Dr. Ronald Hirsch dives into the basics of Medicare for clinicians to be successful as utilization review professionals. He’ll break down what Medicare does and doesn’t pay for, what services it provides and how hospitals get paid for providing those services – including both inpatient and outpatient. Learn how claims are prepared and how much patients must pay for their care. By attending our webcast, you will gain a new understanding of these issues and be better equipped to talk to patients, to their medical staff, and to their administrative team.

March 20, 2025

Trending News

Prepare for the 2025 CMS IPPS Final Rule with ICD10monitor’s IPPSPalooza! Click HERE to learn more

Get 15% OFF on all educational webcasts at ICD10monitor with code JULYFOURTH24 until July 4, 2024—start learning today!

CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24