Dental and Medical Counsel Blog

How to Ensure Remote Employees are Not Violating HIPAA

April 23, 2020
HIPAA compliance for remote workers

We are going through unprecedented times with the current COVID-19 pandemic and many dental practices have been forced to resort to working remotely as an option to keep their practices financially sustainable and, most importantly, to keep their patients and team members at home and practicing good social distancing to combat the spread of the virus.

This essentially means that some or all of your dental office team members (schedulers, clinical staff, billing and administrative staff, etc.) may be working from home and transmitting and receiving sensitive patient information remotely via telephones, smartphones, video conferencing platforms, texting and chatting platforms, and other remote communication tools.

Taking a few minutes to make sure that your dental team has the tools and information needed to transition smoothly to working from home is the best way to sustain your dental practice and to stay HIPAA compliant.

Relaxed HIPAA Enforcement During the COVID-19 Pandemic 

On March 17, 2020, the Office of Civil Rights (OCR) announced that, in order to facilitate remote communication in the furtherance of social distancing, the enforcement of HIPAA compliance will be relaxed for the duration of the COVID-19 crisis to allow health care providers to do the following things:

  • Communicate and provide services through remote communication technologies; 
  • Use professional judgment to assess and/or treat patients remotely; and 
  • Use non-public facing remote communication tools, even if they don't fully comply with HIPAA, provided that they are used in good faith. 

While the use of public-facing platforms such as Facebook Live, Twitter, TikTok, and Twitch is still prohibited, the use of non-public facing platforms that are not fully HIPAA compliant, such as Apple FaceTime, Facebook Messenger, Google Hangouts, and Skype, will be permitted for the duration of the crisis.

This "exercise of enforcement discretion", as the OCR calls it, does not override any relevant state laws and regulations. Therefore, dental practices must still take into consideration the applicable state laws governing the transmission of sensitive patient information over telecommunication channels.

Laws vary from state to state, so check with your state agency for more information. You can also visit the Center for Connected Health's website to find information on state regulations that have been updated during the COVID-19 pandemic.

HIPAA & Protected Health Information (PHI) 

The Health Insurance Portability and Accountability Act (HIPAA) establishes rules and regulations to protect against the unauthorized disclosure of a patient's protected health information (PHI). In addition, HIPAA establishes a set of national security standards for the protection of PHI that is stored or transferred in an electronic form (ePHI). 

PHI is any information that is individual to your patient with regard to their past, present, or future care and/or their physical or mental health. This includes documentation of visits to your dental practice, charts, and notes made by dentists or other dental team members. It also includes payment information, coordination of dental benefits, and information regarding the status of a claim, regardless of whether that information is transmitted orally or stored in paper or electronic form.

It is your responsibility as a dental practice to ensure that the privacy and security of PHI is maintained in remote work environments. It is also your responsibility to properly prepare your team for the transition to working remotely in a HIPAA compliant manner.

Protecting PHI When Sharing Remotely 

HIPAA covers PHI in any electronic format, including PHI stored on mobile devices such as smartphones, tablets, and laptops. Those same devices may be used to transmit ePHI, but only when the necessary safeguards are in place.

This essentially means that ePHI must be shared or transmitted via an encrypted platform. In other words, you can't just send someone a text message containing ePHI using a standard texting platform, because these platforms provide little or no encryption and are not HIPAA compliant.

Furthermore, consumer email platforms such as Hotmail, Gmail, Yahoo Mail, and AOL are not HIPAA compliant. Therefore, you should only send PHI by email if you are using a paid service such as Microsoft Office 365 or Google G Suite. These providers will sign a business associate agreement (BAA) confirming that they will take the necessary steps to ensure the security and privacy of the PHI you send through their platform.

Fax is a HIPAA-compliant way to send PHI. That being said, always remember to use a cover sheet when faxing PHI. Also remember that if you mistakenly send PHI by fax to the wrong party, you are required to contact that party and request that they destroy the information. Likewise, if you receive PHI by mistake, you are required to notify the person who mistakenly sent it to you and destroy the information.

Steps Your Dental Practice Can Take to Ensure Your Remote Employees Stay HIPAA Compliant 

HIPAA compliance requires a lot of due diligence, even more so when you have dental team members who are working from home. With penalties reaching into the millions of dollars, it is critical for your dental practice to ensure that your remote team members don't make mistakes that could result in HIPAA violations.

Here are several steps you must take to protect your patients' PHI and set your remote team up for success, while ensuring that they remain HIPAA compliant:

1. Create Work Policies and Procedures

Create remote work policies and procedures that, among other things, define expectations for the printing of protected health information, its destruction, and how documents containing PHI must be saved and secured. 

Your policies should also specify that:

  • Any PHI that your team members will be working with must be properly encrypted before being transmitted. There are many affordable applications that can be used to encrypt PHI before it is transmitted;
  • If your remote team members will be taking devices that contain PHI home with them, these devices themselves must also be encrypted and password protected;
  • If your team will be taking paper documents that contain PHI home, there must be a valid business reason for them to do so, and the documents must be transported and stored securely; and
  • If your remote team members will be using their own personal computers, those devices must:
      • Have an up-to-date anti-virus solution installed and running;
      • Have a supported operating system installed with the latest updates applied;
      • Only be accessible to the remote team member; and
      • Never be used to access PHI over a public Wi-Fi network, such as in a coffee shop, restaurant, etc.

2. Conduct a Router Test

Require each of your remote team members to run a test of their home router and provide you with the results. A router test can be performed using a number of free online tools, such as those found at f-secure.com, routersecurity.org, and routercheck.com.

3. Require Use of a Virtual Private Network (VPN)

Require all remote team members to use a VPN. A VPN (Virtual Private Network) creates an encrypted connection between the team member's device and the practice's network, so that information transmitted over it is protected from being read by others.

4. Use of Non-Public Facing Platforms

Even though the use of non-public facing platforms that are not fully HIPAA compliant, such as Apple FaceTime, Facebook Messenger, Google Hangouts, and Skype, will be permitted for the duration of the crisis, you should use platforms that are fully HIPAA compliant, such as Skype for Business, VSee, Zoom for Healthcare, and Doxy.me, wherever possible.

5. Other Confidentiality Requirements

Constantly remind your remote team that they must:

  • Never let others see their computer screen;
  • Never print documents, unless they can immediately secure them from unauthorized viewers;
  • Never access critical medical records or business systems on a computer shared by other family members or housemates;
  • Always use a secure connection such as a VPN;
  • Never throw away sensitive information, shred it instead;
  • Never hold business phone calls discussing client information where anyone else can hear; and
  • Always remember to log off whenever they walk away from their computer.

Conclusion 

Currently, business is far from usual. The COVID-19 pandemic has forced us to transition quickly to a world that is very different from the one we knew when the year began.

At the beginning of the year, our dental practices were buzzing with people and we were meeting with our patients face-to-face in close proximity. Now, however, we are meeting via Zoom and Microsoft Teams, talking more on the telephone, and using technology to do business remotely.

Not only is this new for many of us as dentists, but it is new for our patients as well. On top of all of this, we still have an obligation to ensure that our patients feel comfortable with receiving care in this environment and to comply with HIPAA regulations for the protection of sensitive patient information. 

Therefore, as your trusted dental lawyers, we hope that this information will be of value to you as you create what may be a first-time remote work environment for your dental practice. For more information or assistance, contact Ali Oromchian at Dental and Medical Counsel at 925-999-8200, or click below to contact us by email or to schedule a consultation.
