
This article is co-authored with Thomas Hiney.

The modern workplace is undergoing massive changes. It is estimated that 44% of employees currently work from home, and a recent survey report stated that the number of full-time employees whom employers expect to remain remote permanently is three times the pre-pandemic figure.

The implications of this shift will affect not only productivity and company culture, but also policies and operations involving finance, human resources, IT, and countless other business functions. The stakes are arguably even higher in healthcare. In addition to dealing with many of the same challenges as other industries, the healthcare industry must also consider how remote work affects HIPAA compliance.

In the survey cited above, respondents were distributed fairly evenly across industries, with 15% coming from healthcare. Only 20% of respondents stated that they provide sufficient tools and resources to support employees who work remotely for an extended period. This gap can create a series of challenges for meeting HIPAA requirements.

Under HIPAA, any covered entity or business associate that collects, processes, or stores protected health information (PHI) is required to implement security and privacy controls that protect its confidentiality, integrity, and availability (CIA).

The good news is that as long as the end result of preserving CIA is achieved, the law is not prescriptive about how companies handle privacy and security. This gives organizations the flexibility to achieve compliance through specific strategies and processes that suit their unique needs.

However, this flexibility must not be confused with leniency. HIPAA compliance is a serious, enforceable obligation that must be properly addressed in the context of the workplace challenges and changes that have occurred during the pandemic.

Data privacy in a remote world

Work-from-home conditions affect HIPAA and privacy compliance practices in many ways. The U.S. Department of Health and Human Services reported that so far this year there have been more than 300 breaches of PHI, compromising the personal data of 10.8 million people.

This underscores the importance of healthcare organizations addressing the many gaps through which PHI may be exposed. These include:

  • Paper. Many aspects of healthcare business processes are still paper-based, such as billing/coding and revenue cycle management. This means that employees are printing documents containing sensitive financial information and/or PHI at home, where other household members can also view them. Such exposure, whether or not it is innocent, constitutes a HIPAA violation.
  • Access. Healthcare IT departments face a heavy burden on core network infrastructure in order to keep employees working and securely accessing the systems and documents they need. Remote access controls must balance employee efficiency and requirements against the need to keep patient information private. Strain on remote systems can also lead to poor availability, increasing the risk that employees take shortcuts and share information over unsecured channels.
  • Disposal. When employees are in the office, maintaining compliance with HIPAA's document retention and disposal requirements is a fairly simple process. Disposal vendors typically have a contract to empty secure bins daily or at least weekly, and inspections and systems are in place to ensure that PHI records are stored securely and retained no longer than legally permitted. When employees work remotely with physical documents or electronic copies stored on personal devices, this becomes a far murkier question.
  • Security. This year's increase in data breaches proves what security professionals already know: data is vulnerable to attack. That worry and risk only increase when employees work from home. Are employees accessing company systems over a secure network? Are employees still following security best practices? What additional pressure has been placed on the company's IT and infrastructure? Has network performance degraded because of the growing number of remote employees, forcing the IT department to draft exception policies? These are important security considerations.
  • Office reopening. As companies reopen, many are implementing revised work schedules that keep employees out of the office for extended periods. This coming and going may disrupt the workflows that support privacy controls, for example by prompting people to rely increasingly on USB drives or cloud-based sites to store and move documents. When this happens at scale, it is difficult for the compliance team to fully track and manage every piece of PHI.
  • Vendor management. Like the company itself, the company's vendors face the same challenges posed by an increasingly remote workforce. If these vendors handle PHI on the company's behalf, more routine vendor assessments will need to be performed.
  • Compliance. Regardless of company size, and bearing in mind the issues above, maintaining reliable privacy compliance procedures is essential to proper governance and decision-making. The new normal of remote work may require exceptions to existing policies or entirely new ones. When the company grants exceptions to its policies or formulates new ones, how does it track and ensure compliance with them?

Meet the new normal of HIPAA

Legal and compliance teams responsible for HIPAA must work with key stakeholders, including their IT department, to understand the full range of challenges their organization faces as a result of employees working from home.

An assessment by an internal team or external experts is an important step toward understanding the scope of PHI for which the organization is responsible, and which business functions and employees have access to regulated data.

In any situation where an organization or a particular business unit must deviate from its standard HIPAA operating procedures, the team must document the reason and establish compensating controls to ensure that the new process does not compromise personal data. These activities, and the ways in which employees move data, must be closely monitored to ensure that unauthorized shortcuts are not taken.

HIPAA has been around for a long time, and most healthcare organizations settled into their compliance processes many years ago. With the shift to remote work, however, the situation has changed significantly this year. At the same time, new privacy regulations have emerged, along with many new systems in which regulated data is generated, shared, and retained.

It is important to remember that all of these changes may affect HIPAA compliance. Organizations need to continue to prioritize HIPAA and should treat the pandemic as a forcing function to reassess and update past policies so that they meet the requirements of today's new normal.

Louise Rains-Gomez is the managing director of the technical department of FTI Consulting, focusing on information governance and data management challenges.

Thomas Hiney is the head of the technical department of FTI Consulting, focusing on privacy program management and optimization, HIPAA compliance and more.
