HIPAA Tips on Working from Home, Telehealth, & Telecommuting
© Compliancy Group LLC. Private & Confidential
Compliancy Group Free Education Series
EDUCATION
Upcoming & past webinars: http://compliancy-group.com/webinar/
Free Resources (whitepapers, articles, infographics)
https://compliancy-group.com/blog/
Please ask questions. If we are unable to address them during the webinar, you will receive a response via email within 24-48 hours.
We simplify compliance so you can confidently focus on your business.
Endorsed by:
• Health care standard: 40+ medical associations
• Industry-leading MSPs, SaaS providers, hosting providers, security consultants, top medical & insurance specialties
Recognized leader of compliance & cyber security:
• 2020 CRN Channel Chief
• CRN Emerging Technology
• CompTIA Channel Advisory Board – Co-Chair
• CompTIA Business Applications Advisory Council – Co-Chair
Subject matter experts:
• National publications – Becker’s Hospital Review, ChannelE2E
• Recognized national speaker – CompTIA, MedPRO360
• Software Executive Magazine – editorial board
No client has ever failed an OCR or CMS audit!
Key Takeaways from Today
HIPAA Compliance & Working from Home
❏ Specific requirements for employers and employees
❏ The basics of HIPAA in a virtual world
HIPAA for Telehealth
❏ Technologies used in telehealth
❏ What to watch out for!
HIPAA Compliant Video Conferencing
❏ Basics of HIPAA compliant video conferencing
❏ Tips and tricks on how to be compliant and safe!
Poll #1 - What are you looking to learn from today?
HIPAA During Emergencies
The three steps HHS has taken to expand telehealth access include:
1 Expansion of access and coverage for patients to receive services without having to travel.
2 Flexibility for healthcare providers to reduce or waive Medicare beneficiary cost-sharing for telehealth visits.
3 Waiving of potential HIPAA penalties for good-faith use of telehealth during the emergency.
● Permitted non-public-facing apps: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, GoToMeeting, and Skype.
● Public-facing apps such as Facebook Live, Twitch, and TikTok should not be used.
FAQs on Telehealth During COVID-19
Are my employees still HIPAA compliant working at home?
How do I talk to my patients?
How do I address my employees?
How can I do all of this safely?
Are there new training requirements?
HIPAA for Telehealth
• Technologies in telehealth
Video conferencing & Messaging
Sharing of patient records
Mobile health apps
Remote patient monitoring (RPM)
How do I talk to my patients?
• Use a HIPAA compliant telehealth service! For example:
Providers using Zoom must make the platform HIPAA compliant (sign a Business Associate Agreement and configure the platform securely)!
Providers using Skype for Business must make the platform HIPAA compliant in the same way!
HIPAA Compliance & Working from Home
1 CHANGE DEFAULT PASSWORDS FOR WIRELESS ROUTERS
2 ENCRYPT & PASSWORD PROTECT PERSONAL DEVICES
3 ENCRYPT ALL PHI BEFORE IT IS TRANSMITTED
4 PROTECTED DEVICES: BACK-UPS, ANTI-VIRUS/ANTI-MALWARE
5 REQUIRE EMPLOYEE USE OF VPN
6 BRING YOUR OWN DEVICE (BYOD) AND REMOTE EMPLOYEE POLICY AND PROCEDURES
Poll #2- Do you know what a VPN is?
Internal Communications
How can I do all of this safely?
1 Don’t let others see your screen!
2 Don’t access critical medical records or business systems on a computer your family shares!
3 Don’t print documents, unless you can immediately secure them from unauthorized viewers!
4 Do use a secure connection such as a VPN!
5 Don’t throw away sensitive information. Shred it!
6 Don’t have business phone calls to discuss confidential information where anyone else can hear!
7 Don’t fall for email scams asking for sensitive or personal information!
8 Do log off if you walk away from your computer!
Poll #3 - Do you have a work from home policy?
HIPAA Warning!
COVID-19 Phishing Emails: Avoid Becoming a Victim
How to recognize a phishing email:
• The email asks for personal information.
• The sender’s email address doesn’t look genuine (check the actual address, not just the display name).
• It’s poorly written.
• It’s trying to force you to their website (urgent deadlines, “verify your account now”).
• It contains an unsolicited attachment.
• The links don’t match the legitimate company URL (hover over a link to see where it really goes).
Be careful where you click!
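The indicators above can be checked mechanically before a message ever reaches a clinician. The following is an added example, not code from the original webinar: it parses a raw email with the standard library and reports which of the listed indicators it finds. The two sample messages are constructed, and TRUSTED_DOMAINS is an assumption standing in for an organization’s real list of its own mail and web domains.

```python
"""Score an email against the phishing indicators listed above.

Added example, not code from the original webinar. The two sample
messages are constructed, and TRUSTED_DOMAINS is an assumption standing
in for an organisation's real list of its own mail/web domains."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"compliancy-group.com"}   # assumption: your own domains

PERSONAL_INFO = [r"\bpassword\b", r"\bsocial security\b", r"\bdate of birth\b",
                 r"\bverify your (account|identity)\b", r"\bpatient (id|record)\b"]
URGENCY = [r"\bwithin \d+ hours?\b", r"\bimmediately\b", r"\bwill be (suspended|locked)\b"]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Host part of a URL or of a bare 'domain/path' string, lower-cased."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _brand(name):
    """Letters and digits only, so 'Compliancy Group' and 'compliancy-group' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg["From"] or "")
    from_host = addr.rsplit("@", 1)[-1].lower()
    # Display name borrows a trusted brand while the real address is elsewhere.
    brands = [_brand(d.split(".")[0]) for d in TRUSTED_DOMAINS]
    if from_host not in TRUSTED_DOMAINS and any(b in _brand(name) for b in brands):
        flags.append(f"sender address {addr!r} does not match display name {name!r}")
    _, reply = parseaddr(msg["Reply-To"] or "")
    if reply and reply.rsplit("@", 1)[-1].lower() != from_host:
        flags.append(f"Reply-To {reply!r} goes to a different domain than From")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(content)
        for href, shown in collector.links:
            # Visible text looks like a domain but the real destination differs.
            if "." in shown and _host(shown) and _host(shown) != _host(href):
                flags.append(f"link text {shown!r} hides destination {_host(href)!r}")
    text = ((msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    flags += [f"asks for personal information ({p})" for p in PERSONAL_INFO if re.search(p, text)]
    flags += [f"pressures you to act ({p})" for p in URGENCY if re.search(p, text)]
    flags += [f"unsolicited attachment {part.get_filename()!r}" for part in msg.iter_attachments()]
    return flags


def sample_phish():
    """Constructed lure in the style of the COVID-19 campaigns warned about above."""
    m = EmailMessage()
    m["From"] = "Compliancy Group Support <support@compliancy-group-secure.net>"
    m["Reply-To"] = "collect@mailer-xyz.example"
    m["To"] = "nurse@clinic.example"
    m["Subject"] = "COVID-19 telehealth update: verify your account within 24 hours"
    m.set_content("Open the attachment and confirm your password at our portal.")
    m.add_alternative(
        '<p>Confirm your password at <a href="http://login.compliancy-group-secure.net/">'
        "compliancy-group.com/login</a> or your access will be suspended.</p>",
        subtype="html")
    m.add_attachment(b"MZ\x90\x00 not a real executable", maintype="application",
                     subtype="octet-stream", filename="covid_guidance.pdf.exe")
    return m.as_string()


def sample_legitimate():
    """Constructed benign message from a trusted domain, no links, no attachment."""
    m = EmailMessage()
    m["From"] = "Compliancy Group <support@compliancy-group.com>"
    m["To"] = "nurse@clinic.example"
    m["Subject"] = "Webinar recording is available"
    m.set_content("Thanks for attending. The recording is posted on the webinar page.")
    return m.as_string()


if __name__ == "__main__":
    for flag in phishing_indicators(sample_phish()):
        print("-", flag)
```

The “poorly written” indicator is deliberately left to the reader: wording quality is a judgement call, while sender/Reply-To mismatch, disguised links and executable attachments are mechanical checks a mail gateway can enforce.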
5 Ways to Manage HIPAA Compliance Virtually
1 Security Risk Analysis
2 BYOD, Remote Employee Policies & Procedures
3 Require all employees to use a VPN
4 Use HIPAA compliant solutions with Business Associate Agreements
5 Monitor usage, encryption & backups
HIPAA protects and helps satisfy your patients:
HIPAA Compliance: • Assess Risk • Fix Vulnerabilities
Happy Employees: • Policy and Procedures • Business Continuity
Patient Loyalty: • Better Service • Telehealth Communications
15% Increased Profit: • Trained • Prepared • Reduce Risk
Do’s and Don’ts: https://www.comptia.org/blog/eight-cybersecurity-tips-for-working-remotely
How Simple Is It?
PROCESS
1 Achieve Compliance
• Compliance Coaching • We guide you through the whole process!
• 5-8, 30-min. sessions (2 hours preparation per session)
2 Illustrate Compliance
• Reports • Seal of Compliance • Audit Response Program™
3 Maintain Compliance
• Compliance with Confidence • Culture of Compliance • Protect Your Reputation
6 AUDITS
Free HIPAA & COVID-19 Resources
Find all these FREE resources on our website!
https://compliancy-group.com/blog/
● Is GoToMeeting HIPAA Compliant?
● Is Microsoft Teams HIPAA Compliant?
● Is Skype HIPAA Compliant?
● FAQs on Telehealth
● Free HIPAA Training
● HIPAA Cybersecurity Ebook
● BYOD and Remote Employee Policy and Procedures
Free HIPAA Security & Compliance Checklist: https://compliancy-group.com/simple-hipaa-compliance-checklist/
855-854-4722
www.compliancygroup.com
HIPAA Done Right!™
Secure & Compliant Security, NOT HIPAA Lite*
* Missing pieces of compliance will result in partial compliance and may lead to fines and civil penalties.
Privacy Rule
Sets standards for when protected health information (PHI) may be used and disclosed.
Security Rule
Requires safeguards to ensure only those who should have access to electronic protected health information (ePHI) will have access.
Omnibus Rule
Breach Notification, Business Associate
Meaningful Use/MIPS Risk Assessment (SRA)
One Third of One Rule
Audits
Physical Audit; Administrative & Privacy Audit; Security/Technical Audit
Questions?
Marc Haskelson
855-85-HIPAA | 855-854-4722
www.compliancygroup.com
FREE Security & Compliance Checklist
https://compliancy-group.com/simple-hipaa-compliance-checklist/
Steps for Remote Employees
1. Develop policies and procedures prohibiting employees from allowing friends and family to use devices that contain PHI.
2. Create a Bring Your Own Device (BYOD) Agreement with clear usage rules.
3. Have employees sign a Confidentiality Agreement.
4. Maintain and periodically review logs of remote access activity.
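Step 4 only helps if someone actually reads the logs for the right things, and the VPN requirement elsewhere in this deck is what produces those logs. The following is an added example, not code from the original webinar, of the kind of review a practice can run over its VPN log each week: failed-login bursts, logins from addresses a user has never used, off-hours logins, and a second session opened while the first is still active (the pattern a shared household device produces). The log line format, the sample lines, the business-hours window and the per-user baseline of known source addresses are all constructed assumptions; the regular expression is the part you adapt to your own VPN appliance’s format.

```python
"""Periodic review of remote-access (VPN) logs, as step 4 above asks for.

Added example, not code from the original webinar. The log line format,
the sample lines, the business-hours window and the per-user baseline of
known source addresses are all constructed assumptions; LINE_RE is the
part you adapt to your own VPN appliance's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vpn user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>login|logout) result=(?P<result>success|failure)$"
)
BUSINESS_HOURS = range(7, 20)      # assumption: 07:00-19:59 (log times are UTC)
FAIL_THRESHOLD = 5                 # failures inside FAIL_WINDOW that look like guessing
FAIL_WINDOW = timedelta(minutes=10)

# Assumption: addresses each user was seen from during a clean baseline month.
KNOWN_SOURCES = {"jdoe": {"203.0.113.10"}, "mlee": {"198.51.100.7"}, "admin": {"10.0.0.5"}}

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "2020-04-01T08:02:11Z vpn user=jdoe src=203.0.113.10 event=login result=success",
    "2020-04-01T08:40:00Z vpn user=jdoe src=203.0.113.10 event=logout result=success",
    "2020-04-01T09:15:02Z vpn user=mlee src=198.51.100.7 event=login result=success",
    "2020-04-01T09:16:40Z vpn user=mlee src=192.0.2.44 event=login result=success",
    "2020-04-01T23:41:09Z vpn user=jdoe src=203.0.113.10 event=login result=success",
    "2020-04-02T03:00:01Z vpn user=admin src=192.0.2.99 event=login result=failure",
    "2020-04-02T03:01:07Z vpn user=admin src=192.0.2.99 event=login result=failure",
    "2020-04-02T03:02:12Z vpn user=admin src=192.0.2.99 event=login result=failure",
    "2020-04-02T03:03:19Z vpn user=admin src=192.0.2.99 event=login result=failure",
    "2020-04-02T03:04:25Z vpn user=admin src=192.0.2.99 event=login result=failure",
    "2020-04-02T03:05:30Z vpn user=admin src=192.0.2.99 event=login result=success",
]


def parse(lines):
    """Turn raw lines into dicts with a timezone-aware timestamp, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # unparseable lines are skipped, not fatal
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def review(lines, known_sources):
    """Return (timestamp, user, description) findings that deserve a human's attention."""
    findings = []
    failures = defaultdict(list)           # user -> timestamps of failed logins
    active = {}                            # user -> source address of the session still open
    for e in parse(lines):
        user, src, ts = e["user"], e["src"], e["ts"]
        if e["event"] == "login" and e["result"] == "failure":
            failures[user].append(ts)
            recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW]
            if len(recent) == FAIL_THRESHOLD:      # fires once, when the threshold is reached
                findings.append((ts, user, f"{FAIL_THRESHOLD} failed logins within {FAIL_WINDOW} from {src}"))
        elif e["event"] == "login":
            if src not in known_sources.get(user, set()):
                findings.append((ts, user, f"login from unfamiliar source {src}"))
            if ts.hour not in BUSINESS_HOURS:
                findings.append((ts, user, f"login outside business hours at {ts:%H:%M}Z"))
            if user in active and active[user] != src:
                findings.append((ts, user, f"second session from {src} while {active[user]} is still logged in"))
            active[user] = src
        else:                              # logout closes the open session
            active.pop(user, None)
    return findings


def review_sample():
    return review(SAMPLE_LOG, KNOWN_SOURCES)


if __name__ == "__main__":
    for ts, user, what in review_sample():
        print(f"{ts:%Y-%m-%d %H:%M}Z {user:6} {what}")
```

On the sample the review surfaces six findings, and the interesting one is the last pair: a successful login that follows a burst of failures, from an address the account has never used, at three in the morning. Any one of those alone is noise; together they are the event the "periodic review" step exists to catch.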
HIPAA Compliant Video Conferencing
• Security components:
End-to-end encryption
Secure connection verification
A private cloud web conferencing option
• Video conferencing should use TLS encryption over a transport that can traverse proxies and firewalls, so sessions stay protected without users having to weaken the network to make them work. TLS protects each hop between a client and the server; only true end-to-end encryption keeps the audio and video unreadable to the platform provider itself.
• Verification technology verifies that a genuine connection has been made to the correct server, and not an imposter server: the client checks the server certificate against a trusted certificate authority and matches the server’s name against the names in that certificate.
• A private cloud offers a heightened level of security. This is because the information is stored behind the provider organization’s firewall.
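What “secure connection verification” means in practice is two settings and one check. The following is an added example, not code from the original webinar or from any conferencing vendor: a hardened TLS client context beside the insecure pattern that silently accepts an imposter, and a hostname matcher that spells out the name check Python’s ssl module performs against the certificate’s Subject Alternative Names when check_hostname is on. The host names and the wildcard policy (the stricter browser-style subset of RFC 6125) are assumptions.

```python
"""Verifying that the conference server is the genuine one, not an imposter.

Added example, not code from the original webinar. Host names are
placeholders; the wildcard rules are an assumption (browser-style subset
of RFC 6125 section 6.4.3)."""
import ssl


def insecure_context():
    """What 'it connects fine' often hides: no CA check and no name check.
    Any server presenting any certificate is accepted, so an imposter on
    the path can terminate the session and read the PHI in it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def telehealth_client_context(cafile=None):
    """Hardened client context: system CAs (or a pinned private CA for an
    in-house server), certificate required, name checked, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx):
    """The three properties a telehealth client context must have."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def _label_matches(pattern, label):
    # A wildcard stands in for exactly one whole label; partial wildcards are rejected earlier.
    return pattern == "*" or pattern == label


def hostname_matches(san_dns_names, hostname):
    """True if hostname is covered by one of the certificate's DNS SANs.

    Rules (assumption: browser-style subset of RFC 6125): case-insensitive
    exact match; a single '*' may replace only the leftmost label, never
    matches more than one label, and is rejected on names with fewer than
    three labels ('*.com' would cover every .com site)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if "*" in name:
            if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
                continue
        if len(labels) == len(host) and all(_label_matches(p, l) for p, l in zip(labels, host)):
            return True
    return False


if __name__ == "__main__":
    print("hardened:", context_is_safe(telehealth_client_context()))
    print("insecure:", context_is_safe(insecure_context()))
    print(hostname_matches(["*.telehealth.example"], "video.telehealth.example"))
    print(hostname_matches(["*.telehealth.example"], "video.telehealth.example.attacker.invalid"))
```

The last line is the imposter case: a certificate for `video.telehealth.example.attacker.invalid` is trivially obtainable by whoever controls `attacker.invalid`, and only the name check, not the CA check, tells it apart from the real server.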
HIPAA Compliant Video Conferencing
• Security components:
Password controls
Provider/host security controls
Securing the operating system
• Password controls should be implemented. These controls provide for the password to be changed after a set number of days, and ensure passwords meet a minimum length and contain uppercase letters, special characters, etc.
• Host controls allow a healthcare organization to lock a video conference or telehealth session until the host arrives.
• To minimize the vulnerability of video systems to security issues, administrators should use properly configured firewalls and strong administrator credentials.
HIPAA Safeguards Required
Access Controls
Audit Controls
Automatic Log-off
Encryption
Business Associate Agreement
BCP vs Disaster Recovery Plan
Business Continuity Plan (PROACTIVE)
● This outlines how a business will continue operating during an unplanned disruption in service.
● Contains contingencies for business processes, assets, human resources and business partners (every aspect of the business that may be affected).
Disaster Recovery Plan (REACTIVE)
● This describes how an organization can quickly resume work after an unplanned incident.
● A DRP aims to help an organization resolve data loss and recover system functionality so that it can perform in the aftermath of an incident.
HIPAA Compliance & Working from Home
• Mobile Device Security
1 CHANGE DEFAULT PASSWORDS ON WIRELESS ROUTERS
2 ENCRYPT & PASSWORD PROTECT PERSONAL DEVICES EMPLOYEES MAY USE TO ACCESS PHI
3 ENCRYPT ALL PHI BEFORE IT IS TRANSMITTED
4 ENSURE ALL DEVICES THAT ACCESS YOUR NETWORK ARE PROPERLY PROTECTED: BACK-UPS, ANTI-VIRUS/ANTI-MALWARE
5 ENCRYPT HOME WIRELESS ROUTER TRAFFIC (WPA2 OR WPA3, NEVER AN OPEN OR WEP NETWORK)
6 REQUIRE EMPLOYEE USE OF VPN WHEN EMPLOYEES REMOTELY ACCESS THE COMPANY NETWORK
Security Risk Analysis
• A telehealth provider security risk analysis includes 6 elements:
1 Collecting data
2 Identifying and documenting potential threats and vulnerabilities
3 Assessing current security measures
4 Determining the likelihood of threat occurrence
5 Determining the potential impact of threat occurrence
6 Determining the level of risk
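The six elements are a pipeline: an inventory of where ePHI lives, a threat for each item, the controls already in place, and two ratings that combine into a risk level. The following is an added example, not code from the original webinar, that carries a small telehealth practice through all six steps and produces a prioritized register. The asset inventory, the threat/vulnerability pairs, the 1-3 scales and the rule that each documented control moves its rating one step are constructed assumptions; a real SRA uses the organization’s own inventory and a scale it can defend to an auditor.

```python
"""A worked security risk analysis following the six elements listed above.

Added example, not code from the original webinar. The asset inventory,
the threat/vulnerability pairs, the 1-3 scales and the rule that each
documented control moves a rating one step are constructed assumptions."""
from dataclasses import dataclass, field

LOW, MEDIUM, HIGH = 1, 2, 3
NAME = {LOW: "low", MEDIUM: "medium", HIGH: "high"}


@dataclass
class Finding:
    asset: str                                       # 1. collected data: where ePHI lives or flows
    threat: str                                      # 2. threat / vulnerability pair
    preventive: list = field(default_factory=list)   # 3. current controls that lower likelihood
    mitigating: list = field(default_factory=list)   # 3. current controls that lower impact
    likelihood: int = MEDIUM                         # 4. chance of occurrence with no controls, 1-3
    impact: int = MEDIUM                             # 5. harm if it occurs, 1-3

    def residual(self):
        """Assumption: every documented control moves its rating one step down, never below LOW."""
        like = max(LOW, self.likelihood - len(self.preventive))
        imp = max(LOW, self.impact - len(self.mitigating))
        return like, imp

    def score(self):
        like, imp = self.residual()
        return like * imp                            # 1..9

    def level(self):
        """6. risk level: the product mapped back onto the low/medium/high scale."""
        s = self.score()
        return HIGH if s >= 6 else MEDIUM if s >= 3 else LOW


def risk_register(findings):
    """Sorted list, highest risk first, ready for the 'fix vulnerabilities' step."""
    rows = [{"asset": f.asset, "threat": f.threat, "score": f.score(),
             "level": NAME[f.level()]} for f in findings]
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))


# Constructed inventory for a small telehealth practice.
SAMPLE_FINDINGS = [
    Finding("employee laptop", "theft of a device holding local copies of ePHI",
            mitigating=["full-disk encryption"], likelihood=MEDIUM, impact=HIGH),
    Finding("home wireless router", "default admin password; traffic interception",
            likelihood=HIGH, impact=MEDIUM),
    Finding("video conferencing platform", "vendor without a BAA retains session recordings",
            likelihood=MEDIUM, impact=HIGH),
    Finding("EHR remote access", "credential phishing",
            preventive=["MFA", "VPN with device certificate"], mitigating=["audit logging"],
            likelihood=HIGH, impact=HIGH),
    Finding("shared family computer", "household member views patient records",
            preventive=["BYOD policy bans shared devices"], likelihood=MEDIUM, impact=MEDIUM),
]


if __name__ == "__main__":
    for row in risk_register(SAMPLE_FINDINGS):
        print(f"{row['level']:6} {row['score']}  {row['asset']}: {row['threat']}")
```

Two things the register makes visible that the checklist alone does not: the laptop drops from high to medium only because disk encryption is documented (which is exactly why the stolen-laptop cases later in this deck were penalized), and the unmanaged home router outranks the phishing threat against the EHR once MFA and a VPN are in place.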
Fines Caused by Working from Home
Cancer Care Group (CCG) - $750,000
• An employee who was telecommuting lost their laptop and backup drive in a car theft. The laptop contained the PHI of over 50,000 patients.
• CCG had failed to conduct a risk analysis and lacked policies and procedures.
Lincare - $240,000
• A manager left 300 patient records in her car after deciding to leave her husband.
• The husband continued to have access to the records. He later contacted Lincare to report the missing records.
• Lincare had failed to implement effective HIPAA compliance guidelines.
Poll #1: Who are you?
HIPAA during Emergencies
● Expansion of Medicare telehealth access: patients can receive services without having to travel to a healthcare facility.
● Flexibility to reduce or waive Medicare beneficiary cost-sharing for telehealth visits paid for by federal healthcare programs, such as Medicare.
● Waiving of potential HIPAA penalties for good-faith use of telehealth during the emergency.
▪ Permitted non-public-facing apps include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, GoToMeeting, and Skype.
▪ Notify patients that these third-party apps potentially introduce privacy risks.
▪ Facebook Live, Twitch, and TikTok are public-facing, and should not be used.
Business Associate Agreements (BAA)
Zoom
❏ Is Zoom HIPAA compliant?
❏ Will Zoom sign a BAA?
Skype
❏ Is Skype HIPAA compliant?
❏ Will Skype sign a BAA?
FaceTime
❏ Is FaceTime HIPAA compliant?
❏ Is FaceTime a conduit or a business associate?