HIPAA Compliance Strategies

Featured Health Business Daily Story October 26, 2007

Patient Privacy Risks Increase With More Work-at-Home Options for Health Care Workers

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

As the health care industry joins other sectors in offering its staffers more work-at-home options, CEs are seeking ways to make sure this phenomenon doesn't increase the risks of PHI falling into the wrong hands — including those of curious family members. Compliance officers contacted by RPP say new technology and policies can protect against HIPAA violations occurring when employees work offsite, but one expert contends that accessing PHI at home raises a "big red flag" for patient privacy mishaps.

The compliance community is grappling with the issue. In a posting on an industry list serve, an individual described PHI concerns around a new information technology system that allows select management staff to access the company's network and databases from remote or home locations.

'Nightmare' Could Occur at Home

One of the greatest risks CEs face involves employees whose out-of-control curiosity causes them to access inappropriately the PHI of family, ex-spouses, friends, community leaders or celebrities who are treated in their facilities. The likelihood is great that, for many such individuals and perhaps their family members who live under the same roof, this curiosity may be even more difficult to control in the privacy of their own homes than it is on a hospital work station. Additional training for offsite staffers should emphasize the grave risks of this needless prying into PHI files.

"In my nightmares I'm envisioning them getting up from their home computers to get a drink, go to the bathroom, while a family member then sits down at the computer and sees our clients' PHI," says the posting on the list serve, talk-about-compliance@hub.xc.org, which is run by The Council of Ethical Organizations' Health Ethics Trust division.

Mark Ruchie, director of IS security and compliance program at Allina Hospitals & Clinics in Minneapolis, says such a scenario is a definite compliance concern. But with proper technology security controls and company policies in place, a CE can minimize the risk of a PHI breach, he adds.

"You have to have policies and procedures that say, 'OK, this [computer] has to be in a place in your house that is away from the main area,'" Ruchie tells RPP. In addition, HIPAA requires computers used by CEs to be outfitted with an automatic logout system, he says. "So if the person does walk away within a reasonable period — five, 10 or 15 minutes — that application or network connection would log off," Ruchie explains.

For its part, Allina lets physicians access PHI from their homes through the use of a "key fob," a small hardware device with a built-in authentication mechanism. The health system also uses a virtual private network (VPN), which is an encrypted network layered on the existing network. "As long as you have a strong authentication and encryption, people felt pretty good about that," Ruchie says, cautioning that this confidence can change completely if, in fact, the physicians are storing PHI at home.

The Harrison Medical Center in Bremerton, Wash., also allows physicians and some personnel at doctors' offices to access remotely the PHI stored on the hospital's network system. Providers are required to sign a confidentiality agreement regarding remote access, Butch Tilton, director of corporate compliance and the privacy officer at Harrison, says of doctors and office managers who access the center's STAR System. "They're given a password, and they're able to gain access to the system and find out information about their patient," he says. Security controls are able to track who has been on the system, when they went in and what they looked at, he tells RPP.

The medical center doesn't expressly prohibit doctors from accessing PHI from their homes, Tilton adds. "If they wanted to check it from home, remote access is remote access," he says. "They're given a password, so they probably could be able to do it. In talking to doctors, most of them don't do it like that. They do it mostly from their offices, when they're looking for information."

Tilton says security of data always is a concern when somebody has remote access. "You cannot control the data, and what they do with the data once they have printed it off." But he also says the risks are manageable, at least in his situation. "Knowing the physicians and staff around the Bremerton area, it doesn't bother me as much as some of the other things that we deal with on a daily basis," Tilton adds.

CMS, Expert Caution Against Practice

Still, CMS expressed strong reservations about allowing offsite PHI access in its January 2007 "HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information (EPHI)".

"In general, covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI," the guidance states. "There may be situations that warrant such offsite use or access, e.g., when it is clearly determined necessary through the entity's business case(s), and then only where great rigor has been taken to ensure that policies, procedures and workforce training have been effectively deployed, and access is provided consistent with the applicable requirements of the HIPAA privacy rule."

Examples of when such access is appropriate, CMS says, include a home health nurse collecting and accessing patient data using a personal digital assistant or laptop during a visit, and a physician accessing an e-prescribing application on a PDA while out of the office to respond to patient requests for refills.

A legal expert on privacy issues says accessing PHI at home raises a "big red flag" for compliance violations. "Most hospitals have a policy that prohibits physicians and other medical staff from taking home charts, or from accessing them electronically from home," says Kirsten Smolensky, associate professor of law at The University of Arizona's James E. Rogers College of Law.

"The concern is that a family member is going to see a chart that is laid out on a table, or someone is going to leave information up on a computer and a family member might see it, which would then be a HIPAA violation," she tells RPP.

Smolensky acknowledges that electronic safeguards and special training programs can mitigate risks of a PHI breach. And she notes that physicians see the appeal of accessing data from home in some situations, including when dictating patients' charts. "It's a lot easier to do it at home than it is to go into the hospital and sit in an office or room, oftentimes with several other people and try to dictate charts," she says.

But one slip-up — in which a teenage son, for example, e-mails PHI to his friends — can become "your worst nightmare," Smolensky warns. "If you're an attorney advising a hospital, you're going to advise them to put a policy in place that prohibits employees from doing this," she says of home access.

More CE Employees Are Working From Home

Nevertheless, Allina's Ruchie says it is becoming impossible for CEs to prevent certain employees from accessing PHI from their homes.

"The health care providers are in challenging financial times, and there are savings to operations if you can have some individuals working at home (e.g., doing transcriptions)," he says. "Also, as more and more CEs implement electronic medical records, you have IT staff that needs to be on-call and support from home, and they will need that capability. I think as work-from-home initiatives gain popularity, it will only grow."

Tilton also recognizes the changing workforce needs, and says more and more people are starting to work from home, including outside billers and those who work on coding. Staffers at Harrison haven't yet inquired about this option, he says. "But I know it is one of these trends that is going to start happening. We would be developing a plan in order to handle that, and how we would handle individual requests."

To access the HIPAA guidance, visit www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal.pdf

 

Copyright © 2008 by Atlantic Information Services, Inc. All rights reserved.