As the healthcare industry has expanded to providing home healthcare services, more service providers are allowing their employees to work remotely, i.e., telecommuting. The flexibility for healthcare workers to work from anywhere with an Internet connection has some advantages, but it also has many dangerous disadvantages. One specific disadvantage in the healthcare space is the increased potential for mishandling personal health information (PHI) because many telecommuters must be able to access patient information remotely to perform their job duties. This need for access and subsequently mishandling of protected information has caused Federal enforcement agencies to put a spotlight on healthcare providers
The Health Insurance Portability and Accountability Act (HIPAA) includes measures for both the security and privacy of patient information. Covered entities are required to self-report data breaches to the Office for Civil Rights (OCR), the agency charged with enforcing the HIPAA Privacy Rule, and the OCR is required to investigate all data breaches that expose the PHI of more than 500 patients. While action is taken by OCR in most reported-breach cases – 99.9% – most of the time the breaching entity enters into a Corrective Action Plan (CAP), which identifies a set of actions the entity must take to bring data privacy and security standards up to HIPAA’s standards. That is not always the case, however, and the OCR has started levying hefty financial penalties against healthcare providers in telecommuter breach cases in large part because those entities failed to properly oversee and manage their telecommuters’ access and protection of PHI.
Lincare: In February 2016, the OCR levied a $239,800 fine against respiratory care provider Lincare as the result of a “breach of HIPAA” or “failure to prevent disclosure of PHI.” The OCR's investigation of Lincare began after the agency received a complaint that a Lincare employee removed documents that contained the PHI of 278 patients from Lincare’s office, left the information exposed and available to an unauthorized person and abandoned the information. The Administrative Law Judge who upheld the OCR’s fine noted that Lincare did not have adequate policies and procedures in place to safeguard patient information that was taken offsite despite the fact that employees who worked in patients’ homes routinely removed PHI from Lincare offices. Lincare also had an unwritten policy that required certain employees to store PHI in their vehicles for extended periods.
Cancer Care Group: The OCR and U.S. Department of Health and Human Services (HHS) entered into a $750,000 settlement with Cancer Care Group, an Indianapolis radiation oncology practice, after unencrypted backup tapes that contained the PHI of more than 50,000 patients were stolen from a telecommuting employee’s vehicle. The OCR started investigating after Cancer Care Group notified it of a breach of unsecured electronic PHI (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media with significant PHI.
The OCR determined that prior to the breach, Cancer Care Group was in widespread non-compliance with the HIPAA Security Rule including its failure to have conducted an enterprise-wide risk analysis when the breach originally occurred. OCR also found that Cancer Care Group did not have a written policy regarding the removal of hardware and electronic media containing ePHI into and out of its facilities even though doing so was common.
Takeaways: The OCR’s stance in regards to the Lincare and Cancer Care Group fines demonstrates what the OCR deems clearly unacceptable by healthcare employers. The first is that it is taking aim at healthcare companies that have no safeguards or policies addressing secure handling of offsite PHI. The second is the OCR’s “concerns over” written or unofficial company policies that require or allow employees to store PHI in vehicles. The third area of focus is on companies having unreasonable responses to the theft or exposure of PHI. The last is with companies that have no policy to monitor documents removed from offices.
These are somewhat simple initiatives that healthcare companies can easily employ to guard against financial penalties, but doing so does require companies engage in proactive measures to audit compliance with their current policies, PHI safeguards, restrictions on PHI access and storage, and employee behavior regarding PHI and take steps to properly secure, protect, monitor PHI, and investigate any and all disclosure incidents. Five easy steps companies can work with their counsel to implement include:
1. Establishing policies and training to address PHI that is taken offsite gathered in the field, at facilities, or in residential-based offices; or accessed remotely. These policies should include employee personal devices and expressly prohibit the downloading of PHI to such devices and other personal computers.
2. Establishing policies to track and monitor offsite PHI and ensure all PHI is returned.
3. Ensuring all PHI is password protected, encrypted or otherwise segregated.
4. Ensuring insurance covers the telecommuting by employees with PHI.
5. Responding immediately and effectively to any security incidents concerning PHI.