How to Stay HIPAA Compliant While Employees Work Remote
Ever since the United States introduced the Health Insurance Portability and Accountability Act (HIPAA) in 1996, organizations that deal with health information have been greatly restricted in the way they store, transmit, and process data.
Until recently, for example, nearly every company in the health industry knew not to use unsecured networks, unencrypted devices, and shared data hosting in their work.
With the arrival of the COVID-19 pandemic, however, things changed.
Thousands of organizations were forced to transition their operations to the new decentralized environment (although some have even decided to stay that way indefinitely).
But what’s important to understand is that, remote or not, every regulated workplace is still required to stay HIPAA-compliant throughout.
So what does following HIPAA regulations mean for remote companies? And how can everyone ensure the way they work right now is fully compliant?
Let’s start with reviewing data requirements.
What Are HIPAA Data Requirements?
If you read the official HIPAA regulation and try to boil it down to actionable insights, you’d deduct two distinct requirement categories, relating to tools and rules.
Tools include all the equipment, hardware, and software your company needs to operate as well as the way the whole ecosystem should be set up, from encrypted data to the use of virtual private networks (VPNs).
Rules include all the essential guidelines your employees have to follow to stay HIPAA-compliant, from signing confidentiality agreements to recognizing data access restrictions.
Tools: Hardware and Software
The first step to compliant data protection is to ensure that your employees are only using your company’s devices for work-related activities.
It’s also recommended to have robust mobile device management (MDM) solution in place to oversee all the computers and be able to interfere (e.g. wipe them out) if required.
When it comes to individual devices you give out, verify that all of them have pre-approved software installed, with two-factor authentication enabled (where possible), including an active top-grade antivirus.
Configure protective firewalls that limit certain incoming connections and set the hard drives to encrypt their contents automatically. Turn on the lock screen functionality that requires a password after a short period of inactivity.
Next, thoroughly instruct employees on proper home Wi-Fi setup. They should use unique and complex passwords on their Wi-Fi networks, with at least WPA2 (or better WPA3) certifications and AES-based encryption modes — all of which could be adjusted from the admin router settings. Offer to exchange any old routers that only support the outdated WEP security.
Finally, carefully calibrate your own internal network, so that it only lets your employees’ devices (using VPNs) through its firewall, and establish various levels of access. Write timeout scripts to scan all remote access activity to cut off any suspicious (or old) connections.
And these are only a few of the HIPAA-Compliance challenges that you will face.
Rules: Employee Guidelines
To meaningfully change behavior within your newly remote company, you have to invest in cybersecurity training.
After all, your company security and HIPAA compliance is only as strong as its weakest link, and it takes just a single phishing email to unwind years of your efforts.
From the very first day, every employee should understand their role in effectively handling any protected health information (PHI) as well as the level of their organizational access. Dedicate some time for everyone to read, question, and sign confidentiality and non-disclosure agreements.
Remind your employees that they should avoid transporting company computers without valid business reasons or copying PHI data to any external devices without prior approval. Most importantly, they can’t share access to their computers with anyone, under any circumstances, not even with family members.
If your line of work requires processing physical documents, make sure that every employee who needs to handle paper forms has a lockable cabinet or safe and is able to destroy the files with a shredder when they are no longer needed.
Servers: Information Flow
You might be surprised that the directives above don’t mention any HIPAA requirements related to the servers that host your data. That’s not because there are none, but rather because there are too many.
HIPAA-compliant hosting requires the highest level of uptime, truly redundant backup management, advanced safeguards, and even a list of physical security policies. The truth is that HIPAA server requirements are just too numerous and difficult for most companies to implement.
So when you decide that your company should go remote, you should go above and beyond to verify that all the tools (hardware, software) and rules (employee guidelines) are in place, and leave the server-side management to a hosting company that has already built its whole business around HIPAA compliance.
Your data is at the heart of your operations, and no one understands that better than a team of professional technicians at Liquid Web.
Not sure how to safely migrate your data to a HIPAA-compliant data center? Contact Liquid Web and we’ll advise and walk you through all the necessary policies and server reconfigurations that your business needs today.
Download our HIPAA Hosting FAQ
Melanie Purkis is the Director of Liquid Web's Managed Hosting Products & Services. Melanie has more than 25 years of experience with professional leadership, project management, process development, and technical support experience in the IT industry.
Keep up to date with the latest Hosting news.