Top HIPAA Violation Risks to Watch for in Work-from-Home Situations
To reduce the threat COVID-19 posed to their workforce's health, many healthcare organizations moved their medical coders and billers to remote work from home, and in some cases that arrangement may become permanent. While working from home greatly reduces employees' risk of exposure to the virus, it introduces a different kind of risk: HIPAA violations.
Between March and December 2020, following the COVID-19 outbreak, approximately 493 data breaches in the U.S. healthcare sector exposed or stole 24.5 million patient records [1]. In the first two months of 2021 alone, 77 data breaches exposed more than 5.7 million patient records [1].
The most common causes of these breaches were phishing attacks delivered by email or through web browsing, and network server incidents [1]. Here are several remote-work situations in which sensitive patient data can be exposed and create HIPAA violation risks [2]:
Paper-based coding and revenue cycle management processes
Many healthcare facilities and practices still use paper-based procedures for some elements of their operations. This includes medical coding and billing, as well as revenue cycle analysis and management. Working from home has not changed these procedures. As a result, employees are printing files that may contain sensitive patient data or financial information at home.
A breach can occur if the employee does not secure those printouts and someone else in the household views them. Even if the exposure causes no apparent harm, an impermissible disclosure of PHI is still a HIPAA violation in the eyes of compliance officers.
Unsecure access to company networks / security breaches
Network infrastructure at healthcare organizations is undergoing major shifts as more coding and billing teams move to working from home. IT departments are updating these systems so that employees can securely connect to company servers and reach their work files remotely. The added load strains these networks, and employees may look for shortcuts, possibly over insecure channels, to get at sensitive patient data.
Remote access to company systems also widens the organization's exposure to security breaches. A phishing email or a malicious website, once an employee clicks, can hand an unauthorized party credentials or a foothold from which to reach company servers. A larger remote user base also enlarges the attack surface: more home devices, more accounts, and more remote sessions to monitor and secure.
Improper disposal of files
Healthcare organizations have HIPAA-compliant disposal procedures in place to destroy physical and digital PHI in the office. For physical files, many outsource destruction to a secure, approved disposal vendor; for digital files, their systems keep data on encrypted storage and delete it automatically when it is no longer needed.
With most HIM teams now working remotely, however, organizations are struggling to give employees secure ways to dispose of these files at home. Without access to the office's disposal procedures or equipment, an employee may simply put sensitive printouts in the household trash, where anyone can retrieve them.
Inadequate compliance program
Organizations can prevent exposure of patient data and breaches by implementing a thorough compliance program. Inadequate compliance policies leave room for improper disposal of PHI, security breaches, and other HIPAA violations.
Many healthcare organizations already have compliance programs in place, but they need to amend those programs, or rewrite them entirely, to address remote-work scenarios. Policies will likely keep evolving as companies and employees adjust to these new working realities.
Is your healthcare facility or practice struggling to maintain compliance with remote-work staff? Entrust YES with your coding support, auditing, denials management, and education needs, or let our credentialed HIM consultants help your organization develop a coding compliance plan.
YES' team of coding and auditing experts works remotely in the U.S. We have had an efficient, robust HIPAA compliance program in place for our remote workers since our company's inception in 2007.