How to Stay HIPAA Compliant with Remote Workers

Remote work has increased due to COVID, but it poses challenges for HIPAA compliance; using a secure cloud fax service can help remote workers handle patient information while staying compliant.

Remote work has become wildly popular since the onset of the COVID pandemic in early 2020. Many workers have found working from home to be more productive, less stressful, and just as conducive to collaboration as being in the office. Employers are finding that such flexible arrangements can help them to attract and retain good workers.

Nevertheless, the concept of remote work raises several new concerns regarding patient privacy and HIPAA compliance. Employees using their personal computers or mobile devices to send, receive, or view protected health information (PHI) could be at risk of a violation. E-mail is inherently insecure, and popular file-sharing services can be risky for organizations that must comply with stringent HIPAA regulations. Fax is the most secure, of course. Nevertheless, there are important considerations for covered entities, even when it comes to secure fax technology.

HIPAA Compliance Pitfalls for Remote Work Scenarios

In any work-from-home situation, there is a risk that PHI could inadvertently be made available to unauthorized persons. Imagine, for example, the following scenarios:

A healthcare office administrator is working from home one day and asks a member of the on-site staff to e-mail her a PDF file containing PHI. After opening the file on her home computer, she finishes, deletes the e-mail, and assumes everything is OK. A copy of that PDF may still be stored on her hard drive. Unless she deletes the contents of her cache folder, it could remain there for some time. If other people in the same household use that computer, they might have access to the PHI.

Another at-home worker chooses the much more secure option, asking that the office staff send over a document via fax. It prints to the employee’s home-office printer, but he forgets to retrieve it. Shortly after that, another member of the family prints a document, picks up the entire pile of printouts, and walks away with the PHI in hand.

Neither of these scenarios describes a situation in which there is malicious intent. Nevertheless, they both constitute violations of HIPAA’s Privacy Rule. PHI was not adequately safeguarded by the covered entity.

Now let’s consider a third scenario: the remote worker asks her office staff to send a document using a secure cloud fax service. She gets an e-mail notification when the document arrives, prompting her to log into a secure web portal where she can view all of the information she needs. Nothing is stored on a local hard drive, and there is no need to shred a paper document or worry about leaving something unattended on the printer. If she ever needs to go back and review that document again, it will be there until she deletes it. Unlike our first two scenarios, though, it is stored in a HIPAA-compliant manner.

By combining the best technology with a well-defined series of procedures for handling PHI, covered entities can support remote work while remaining in full compliance with HIPAA.

Staying HIPAA Compliant When Working Remotely

Even when using the most secure technology available, HIPAA-covered entities must adhere to a set of well-defined best practices. Here are some recommended practices when using secure cloud fax from a remote office setting:

  • Evaluate your HIPAA-compliant cloud fax service carefully. Although many fax services claim to be HIPAA compliant, they are not all created equal. Look for a company that specializes in HIPAA-compliant fax, understands the implications of a violation, and has taken all appropriate safeguards, including internal training in HIPAA awareness and compliance.
  • Include HIPAA-specific cover pages. The right cover page provides a layer of legal protection if a fax is received or viewed by an unauthorized party.
  • If hard-copy printouts are retained, be sure to store them securely. This applies to home offices as much as it would apply to an office setting. Destroy documents when they are no longer needed.

HIPAA compliance for remote workers is not very different from that in a traditional workplace. However, the presence of family members, guests, contractors, or other visitors calls for special precautions to make sure that PHI remains safe from unauthorized parties.

Cloud-based fax services provide a convenient and highly secure way of sending and receiving PHI documents. As a leading provider of HIPAA-compliant fax services, WestFax has seen a dramatic surge in interest from healthcare providers seeking convenience and ease of use while needing to maintain the highest standards for security. We frequently hear about WestFax users who strongly prefer our cloud-based HIPAA-compliant fax to the hardware-based machines they have used in the past.

If your organization needs to increase its agility and accommodate non-traditional work environments while maintaining strict HIPAA compliance, WestFax can help. Check out our HIPAA-compliant fax offerings here.
