What is a HIPAA Compliant Home Office?

A HIPAA compliant home office is a working environment set up to support HIPAA compliance when a covered entity, business associate, or a member of either’s workforce works from home. Because of the different functions that can be performed from – and services that can be provided by – a home office, the requirements for HIPAA compliance can vary considerably.

What is a Home Office in Healthcare?

Although a home office is most often considered to be a remote working environment “in a location other than an employer’s central workplace”, a home office in healthcare could be the main working environment for a solo healthcare practitioner, a part-time employee of a covered entity, or a home business that provides medical transcription services as a business associate.

Regardless of whether a home office is a remote or a main working environment, is used full-time or part-time, or by an individual or a team, a home office has to be set up to comply with HIPAA whenever the function being performed in – or service being provided by – a home office involves the creation, receipt, maintenance, or transmission of Protected Health Information (PHI).

What Might a Home Office be Used For?

Working from home has become increasingly viable for a range of professions, including many in healthcare. A home office in healthcare can be used to perform many different functions for patients or to provide a range of services to covered entities and business associates. Examples of how a home office might be used for a healthcare function or service include:

  • Telemedicine Provider
  • Medical Transcriptionist
  • Medical Coder/Biller
  • Healthcare IT Specialist
  • Behavioral Health Professional
  • Epidemiologist
  • Health Coach
  • Patient Navigator
  • Biostatistician
  • Clinical Research Coordinator
  • Medical Educator or E-Learning Specialist
  • Medical Customer Service Representative

Some of these home-based functions and services can be subject to state or local employment regulations, while others may require an employee to work from home some of the time and at the employer’s central workplace at other times. Nonetheless, whatever the working arrangement, whenever a home office is used to create, receive, maintain, or transmit PHI – in any media or format – it is necessary that the home office is a HIPAA compliant home office.

The Requirements for a HIPAA Compliant Home Office

The requirements for a HIPAA compliant home office consist of much more than some people think. This is because the aim of the Administrative Simplification Regulations is to protect the privacy of individually identifiable health information and ensure the confidentiality, integrity, and availability of electronic PHI regardless of where the information is created, received, stored, or transmitted.

Therefore, it does not matter whether the functions being performed and the services being provided take place in a home office, a healthcare facility, or a secure data center. The requirements for HIPAA compliance are the same. This means the same policies, procedures, and safeguards have to be implemented, and the same penalties can be applied for violations of HIPAA.

The requirements for a HIPAA compliant home office will mean different things to different types of home workers. For example:

  • A solo healthcare practitioner will have to comply with all applicable provisions, standards, and implementation specifications of the Administrative Simplification Regulations.
  • A home business operating as a business associate may only have to comply with the applicable standards of the Privacy Rule and the Security and Breach Notification Rules.
  • An employee of a covered entity or business associate will have to comply with their employer’s policies and procedures – which may be different from in the central workplace because of the unique threats of home working.

Consequently, for some home workers, the requirements for a HIPAA compliant home office may include conducting an audit to determine where and how PHI is created, received, stored, or transmitted, conducting a risk assessment to identify potential impermissible uses and disclosures of PHI and security vulnerabilities, and developing procedures for notifying individuals and HHS’ Office for Civil Rights in the event of a data breach.

For home workers that maintain PHI in the home office – in any media or format – the requirements for a HIPAA compliant home office may include installing a safe or lockable file cabinet to keep paper records and data backups, developing a continuity of operations plan, and ensuring all devices used to store electronic PHI – including mobile devices – are PIN-locked and have automatic logoff activated to prevent unauthorized access to PHI.

What are the Unique Threats of Home Working?

Home working expands the cyberattack surface, and while cyberattacks are not unique to home working, home offices can be more vulnerable to an attack due to a lack of advanced security defenses and – when a home office is a remote office – less oversight by corporate security teams. In addition to the increased level of vulnerability, there will likely be less support to help home workers respond to and recover from a successful attack.

Other than the cybersecurity threats, home workers may be subject to distractions (children, pets, visitors, etc.) which can result in paper records or electronic devices being left unattended. There may also be times when they forget to lock away paper records and data backups, forget to keep device screens directed away from people who might see what is on them, or carelessly make a comment that constitutes an impermissible disclosure of PHI.

In many cases, one of the most important unique threats of home working is the ease with which it is possible to develop non-compliant practices “to get the job done”. The non-compliant practices can range from failing to provide a patient with a Notice of Privacy Practices, to installing software without the capabilities to support HIPAA compliance, to failing to enter into a Business Associate Agreement before storing PHI in a cloud storage service.

Conclusion: Ensure Your Home Office is HIPAA Compliant

No matter how you use your home office, if the function you perform or the service you provide involves the creation, receipt, storage, or transmission of PHI, you have to have a HIPAA compliant home office. If you fail to ensure your home office is HIPAA compliant, it is more likely you will be the victim of a cyberattack or other HIPAA violation for which the financial penalties can be substantial.

If you are unsure of the home office compliance requirements – either as an individual or an employer with a remote working team – it is recommended you review our HIPAA compliance checklist to better understand which provisions of HIPAA may be applicable. Alternatively, it is advisable to seek professional compliance advice about which standards of HIPAA you are required to comply with and how best to comply with them.

The post What is a HIPAA Compliant Home Office? appeared first on HIPAA Journal.