As healthcare organizations consider options to address social distancing recommendations, various roles may be identified as appropriate for telecommuting. This use of technology for remote workers also carries privacy and security risks, as well as leadership and management challenges. The recommendations provided here will aid in navigating the various regulatory and compliance aspects of engaging in telecommuting operations for staff and healthcare providers. Resources are also included that will support organizational leadership in their efforts to communicate, support, and guide their remote workforce.
Telecommuting Guide for Healthcare Organizations
Allowing employees to work from home is one way to decrease transmissibility of an infectious disease during a pandemic. This limits exposure from infected patient to staff and also limits exposure from infected staff to other staff and patients. Additionally, it is important to expect that schools and daycare facilities may be closed during a pandemic in order to achieve the same goal. Many staff members may be required to stay home to care for their children. If existing policies on telecommuting limit this ability, consider amending to account for emergency scenarios such as pandemics.
A policy and procedure for telecommuting should be developed outlining the following:
- Physical work environment requirements (home office, co-working space, acceptable noise level)
- Technology requirements (equipment, software, internet, IT support personnel contact information)
- An outline of expectations for the workday (total hours, start/end time, flexible work hours, etc)
- HIPAA Compliance (when applicable)
- Establish a separate policy and procedure or amend an existing one to address PHI in the remote work environment
- Must be able to create a HIPAA secure environment or location within the home from which to work and attest to that in writing
- All work must be done electronically – no printing permitted and no patient information may be kept/stored at the remote work site or on personally-owned equipment or devices
- All work should be done over secure, encrypted connections to resources using HIPAA compliant remote access to either company servers or cloud-based systems
- Confirm with your IT vendor that necessary requirements are met and have them “sign off” on the security of the method
- Update your HIPAA Security Risk Assessment to formally address the introduction of a new potential security threat and how it is being addressed
- Have your staff test their remove work environment in the earlier stages of a pandemic to ensure functionality. Instruct them to do the following:
- Take their laptop home to test and confirm that they can successfully connect to the network.
- Attempt to perform their common workday tasks from their remote work site to ensure that they have the necessary software installed and can connect to all necessary systems.
- Test forwarding functionality of their office phone to their computer, home phone, or mobile phone.
- Get into the habit of taking their laptop home every night and forwarding their desk phone when they leave as the threat becomes more imminent so that they are prepared if they need to or want to work remotely.
- Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency
- Minimizing risks associated with healthcare workers telecommuting
- HIPAA Compliance in the Telecommuting Age
- AHIMA (American Health Information Management Association): Safeguards for Remote Access
- HIPAA Training Manual for Telecommuters
- Meeting HIPAA Requirement When Working Remotely
- DHHS HIPAA Security Guidance