Perhaps your healthcare organization, like many others, has had to initiate a remote workforce rapidly in response to COVID-19. Or maybe you had to quickly roll out a secure telehealth solution for provider visits. Shuffling people around with minimal disruption is never an easy task but it is especially difficult when the stakes are high and there is a sense of urgency- a global emergency, to be precise.
You may have used a thought process similar to the following:
Identify employees that can work remotely- check.
Remove non-essential workers to a safe, contactless work environment- check.
Locate equipment for remote workers or establish a bring-your-own-device plan for equipment shortages- check.
Setup secure connections and access for virtual work and telehealth visits- check.
Once the dust settled slightly on your plans, did you check to see if you were still operating within your organization’s privacy and security policies? Did you test for vulnerabilities or perform regular audits?
There are some critical aspects of these policies to consider such as:
ensuring physical workspace security is maintained
protecting remote systems from cybersecurity threats
accessing and moving information between systems securely
disposing of protected health information (PHI)
Your policies may have addressed the onsite staff but now that the workforce is remote- temporarily or permanently- the policies need to be made current with your practices.
Privacy and Security in Healthcare: Policy Examples
Since every healthcare organization is required to have a compliance plan that enforces HIPAA privacy and security, the potential impacts listed above are likely to already be included in existing policies. The aspect that is concerning, however, is that some existing policies may have prohibited certain activities that are being used today with a remote workforce or telehealth environment such as removing equipment or having PHI in your personal possession. Let’s take a look at some examples of typical policies you may have had in place prior to COVID-19.
- Policy Example #1:
Acceptable Use of Computer Equipment and Internet
Purpose: Minimize risk of compromised or stolen PHI from physical or virtual threats.
Policy Contents: Equipment physical security, desk location, encryption, anti-virus software, firewalls, network security and VPN, audits, confidentiality breaches, personal use of equipment/internet/email, employee agreement and signature.
In policy example #1, the purpose is to minimize the risks to PHI. One of the ways this policy may have addressed this in the past could have been a strict rule around not allowing equipment to be removed from a location, room, or building. When deploying a remote workforce using organization-owned equipment, you are now no longer in compliance with this policy.
- Policy Example #2:
Bring Your Own Device (BYOD) Policy
Purpose: Establishes guidelines for employees to use personal electronic devices including but not limited to personally owned cell phones, tablets, and computers to perform work duties.
Policy Contents: Permission/Authorization to BYOD, software and applications, encryption, password or pin protection, antivirus and firewall requirements, internet connection requirements, syncing devices with other home devices such as Smart TVs and mobile technology
A similar issue seen in policy example #1 arises with policy example #2. If written permission is required to allow an employee to use their personal device to access work material and certain applications must be installed by information systems professionals, this may be challenging to coordinate for hundreds or thousands of remote employees in a short amount of time.
- Policy Example #3:
Disposition of Protected Health Information (PHI)
Purpose: Any disposition and destruction of PHI will follow HIPAA guidelines.
Policy Contents: Printing, shredding, medical record documents, data storage, radiology films, printed or saved reports
Policy example #3 creates a unique challenge when employees are accustomed to shredding documents in the office and are now in need of a secure method to destroy any paper created by their remote job tasks. Specific guidelines for protecting and disposing of PHI in remote work environments must be in place, especially if and when these remote work conditions become permanent.
Review Healthcare Privacy and Security Policies Made in Crisis Mode
The need to revise the language in these policies could pose a challenge in an already disparate work environment. Perhaps the policy committee involves a manual process to meet, review, revise, and adopt changes to policies. A plan for less formal, expedited, emergency policy revisions is required and must be ongoing. Organization-wide policies must be accurate, approved, and accessible to all staff at all times regardless of the employee’s physical location.
Initially, decisions may have been made quickly and in crisis-mode but now is the time to go back and make sure everything is in good order. Many lessons have been learned thus far and this pandemic will likely continue to pose challenges to healthcare operations. As organizations continue to look for ways to keep staff and information safe in this new environment, strong privacy and security policies are going to serve as the guiding principles paving the way to a compliant future.