1 HIPAA Tips on Working from Home, Telehealth, & Telecommuting · 1 Don’t let others see your...

© Compliancy Group LLC. Private & Confidential 1 HIPAA Tips on Working from Home, Telehealth, & Telecommuting


Page 1: 1 HIPAA Tips on Working from Home, Telehealth, & Telecommuting · 1 Don’t let others see your screen! 2 Don’t access critical medical records or business systems on a computer


HIPAA Tips on Working from Home, Telehealth, & Telecommuting

Page 2

Compliancy Group Free Education Series

EDUCATION

Upcoming & past webinars: http://compliancy-group.com/webinar/

Free Resources (whitepapers, articles, infographics): https://compliancy-group.com/blog/

Please ask questions. If we are unable to address them during the webinar, you will receive a response via email within 24-48 hours.

Page 3

We simplify compliance so you can confidently focus on your business.

Endorsed by:

•  Health Care standard - 40+ medical associations

•  Industry Leading MSPs, SaaS providers, Hosting providers, Security consultants, top medical & Insurance specialties

Recognized Leader of Compliance & Cyber Security:

•  2020 CRN Channel Chief

•  CRN Emerging technology

•  CompTIA Channel Advisory Board – Co Chair

•  CompTIA Business Applications Advisory Council – Co Chair

Subject Matter Experts:

•  National Publications – Becker’s Hospital Review, ChannelE2E

•  Recognized National speaker - CompTIA, MedPRO360

•  Software Executive Magazine - editorial Board

No client has ever failed an OCR or CMS audit!

Page 4

Key Takeaways from Today

HIPAA Compliance & Working from Home

❏ Specific requirements for employers and employees

❏ The basics of HIPAA in a virtual world

HIPAA for Telehealth

❏ Technologies used in telehealth

❏ What to watch out for!

HIPAA Compliant Video Conferencing

❏ Basics of HIPAA compliant video conferencing

❏ Tips and Tricks on how to be compliant and safe!

Page 5

Poll #1 - What are you looking to learn from today?

Page 6

HIPAA During Emergencies

The three steps HHS has taken to expand telehealth access include:

1 Expansion of access and coverage for patients to receive services without having to travel.

2 Flexibility for healthcare providers to reduce or waive Medicare beneficiary cost-sharing for telehealth visits.

3 Waiving of potential HIPAA penalties for good-faith use of telehealth during the emergency.

●  Permitted non-public-facing apps: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, GoToMeeting, and Skype.

●  Public-facing apps, such as Facebook Live, Twitch & TikTok, should not be used.

Page 7

FAQs on Telehealth During COVID-19

Are my employees still HIPAA compliant working at home?

How do I talk to my patients?

How do I address my employees?

How can I do all of this safely?

Are there new training requirements?

Page 8

HIPAA for Telehealth

•  Technologies in telehealth:

Video conferencing & Messaging

Sharing of patient records

Mobile health apps

Remote patient monitoring (RPM)

Page 9

How do I talk to my patients?

•  Using a HIPAA compliant telehealth service! For example:

Providers using Zoom must make the platform HIPAA compliant!

Providers using Skype for Business must make the platform HIPAA compliant!

Page 10

HIPAA Compliance & Working from Home

1 CHANGE DEFAULT PASSWORDS FOR WIRELESS ROUTERS

2 ENCRYPT & PASSWORD PROTECT PERSONAL DEVICES

3 ENCRYPT ALL PHI BEFORE IT IS TRANSMITTED

4 PROTECTED DEVICES: BACK-UPS, ANTI-VIRUS/ANTI-MALWARE

5 REQUIRE EMPLOYEE USE OF VPN

6 BRING YOUR OWN DEVICE (BYOD) AND REMOTE EMPLOYEE POLICY AND PROCEDURES

Page 11

Poll #2- Do you know what a VPN is?

Page 12

Internal Communications

Page 13

How can I do all of this safely?

1 Don’t let others see your screen!

2 Don’t access critical medical records or business systems on a computer your family shares!

3 Don’t print documents, unless you can immediately secure them from unauthorized viewers!

4 Do use a secure connection such as a VPN!

5 Don’t throw away sensitive information. Shred it!

6 Don’t have business phone calls to discuss confidential information where anyone else can hear!

7 Don’t fall for email scams asking for sensitive or personal information!

8 Do log off if you walk away from your computer!

Page 14

Poll #3 - Do you have a work from home policy?

Page 15

HIPAA Warning!

COVID-19 Phishing Emails: Avoid Becoming a Victim

How to recognize a Phishing Email:

•  The email asks for personal information.

•  Sender’s email address doesn’t look genuine.

•  It’s poorly written.

•  It’s trying to force you to their website.

•  It contains an unsolicited attachment.

•  Company links match legitimate URLs.

Be careful where you click!
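Several of the signs listed above can be checked mechanically before a message reaches a person. The Python script below is an added example and is not part of the Compliancy Group deck: it parses an email with the standard library and reports which of four indicators it shows (a request for personal details, a Reply-To domain that differs from the sender's domain, a link whose visible text names one domain while its target is another, and an attachment). The two sample messages, the keyword list and every domain name in them are constructed for this example.

```python
"""Indicator checks for a suspicious email (added example, not from the deck).

Parses an RFC 822 message with the standard library and reports which of
these signs it shows: a request for personal information, a Reply-To domain
that differs from the sender's domain, a link whose visible text names one
domain while its href points at another, and an attachment.  The sample
messages, keyword list and domain names below are constructed.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases a clinic message would not ask a recipient to send back (assumed list).
PERSONAL_INFO_TERMS = ("password", "social security", "date of birth", "account number")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL or bare domain; '' when none can be found."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _address_domain(header_value):
    """Domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return the names of the indicators present, in a fixed order."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if any(term in text.lower() for term in PERSONAL_INFO_TERMS):
        found.append("asks_for_personal_info")

    sender = _address_domain(msg.get("From", ""))
    reply_to = _address_domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        found.append("reply_to_domain_mismatch")

    collector = _AnchorCollector()
    collector.feed(text)
    # Visible link text that looks like a domain but differs from the real target.
    if any("." in visible and _host(visible) != _host(href)
           for href, visible in collector.anchors):
        found.append("link_text_domain_mismatch")

    if any(part.get_filename() for part in msg.iter_attachments()):
        found.append("unsolicited_attachment")
    return found


# Constructed sample showing all four indicators.
SAMPLE_PHISH = """\
From: "Clinic Billing" <billing@clinic.example>
Reply-To: collect@mailbox-relay.test
To: staff@clinic.example
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Confirm your password and date of birth within 24 hours:</p>
<a href="http://login.verify-now.test/account">patient-portal.clinic.example</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.zip"

dGVzdA==
--b1--
"""

# Constructed sample of an ordinary internal message.
SAMPLE_LEGIT = """\
From: "Clinic Scheduling" <scheduling@clinic.example>
To: staff@clinic.example
Subject: Reminder: staff meeting
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>The meeting agenda is posted on the intranet:</p>
<a href="https://intranet.clinic.example/agenda">intranet.clinic.example</a>
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("legit:", phishing_indicators(SAMPLE_LEGIT))
```

The keyword and domain checks are deliberately simple; the point is that each sign on the slide corresponds to a property of the message that a mail gateway or a reviewer can test, and that a clean message produces no findings.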

Page 16

5 Ways to Manage HIPAA Compliance Virtually

1 Security Risk Analysis

2 BYOD, Remote Employee Policies & Procedures

3 Require all employees to use a VPN

4 Use HIPAA compliant solutions with Business Associate Agreements

5 Monitor Usage, Encryption & Back up

Page 17

HIPAA protects and helps satisfy your patients:

HIPAA Compliance

• Assess Risk

• Fix Vulnerabilities

Happy Employees

• Policy and Procedures

• Business Continuity

Patient Loyalty

• Better Service

• Telehealth Communications

15% Increased Profit

• Trained

• Prepared

• Reduce Risk

Page 18

Do’s and Don’ts

https://www.comptia.org/blog/eight-cybersecurity-tips-for-working-remotely

Page 19

How Simple Is It?

PROCESS

1 Achieve Compliance

•  Compliance Coaching

•  We guide you through the whole process!

•  5-8, 30-min. sessions (2 hours preparation per)

2 Illustrate Compliance

•  Reports

•  Seal of Compliance

•  Audit Response Program™

3 Maintain Compliance

•  Compliance with Confidence

•  Culture of Compliance

•  Protect Your Reputation

6 AUDITS

Page 20

Free HIPAA & COVID-19 Resources

Find all these FREE resources on our website!

https://compliancy-group.com/blog/

●  Is GoToMeeting HIPAA Compliant?

●  Is Microsoft Teams HIPAA Compliant?

●  Is Skype HIPAA Compliant?

●  FAQs on Telehealth

●  Free HIPAA Training

●  HIPAA Cybersecurity Ebook

●  BYOD and Remote Employee Policy and Procedures

855-854-4722

[email protected]

www.compliancygroup.com

https://compliancy-group.com/simple-hipaa-compliance-checklist/

Free HIPAA Security & Compliance Checklist

Page 21

HIPAA Done Right!™

Secure & Compliant

NOT HIPAA Lite* Security

* Missing pieces of compliance will result in partial compliance and may lead to fines and civil penalties.

Page 22

Security Rule

Requires safeguards to ensure only those who should have access to electronic protected health information (ePHI) will have access.

Privacy Rule

Sets standards for when protected health information (PHI) may be used and disclosed.

Audits: Physical Audit · Administrative Audit · Privacy Audit · Security/Technical Audit

Breach Notification · Business Associate · Omnibus Rule · Meaningful Use/MIPS Risk Assessment · SRA

One Third of One Rule

Page 23

Questions?

Marc Haskelson

855-85-HIPAA | 855-854-4722

[email protected]

www.compliancygroup.com

FREE Security & Compliance Checklist

https://compliancy-group.com/simple-hipaa-compliance-checklist/

Page 24

Steps for Remote Employees

1.  Develop policies and procedures prohibiting employees from allowing friends and family to use devices that contain PHI.

2.  Create a Bring Your Own Device (BYOD) Agreement, with clear usage rules.

3.  Have employees sign a Confidentiality Agreement.

4.  Maintain and periodically review logs of remote access activity.
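Step 4 asks for periodic review of remote access logs, which in practice means deciding what the reviewer is looking for. As an added example that is not the deck's material, the Python below reads constructed VPN gateway log lines in an assumed one-line format and surfaces three things such a review should catch: repeated authentication failures against one account, successful logins outside an assumed working-hours window, and one account connecting from more than one source address on the same day. The log format, thresholds, usernames, timestamps and addresses are all assumptions made for this example.

```python
"""Periodic review of remote-access log lines (added example, not from the deck).

Reads constructed VPN gateway log lines in an assumed format and reports
three findings a reviewer looks for: repeated failures on one account,
successful logins outside working hours, and an account appearing from more
than one source address on the same day.  Thresholds, the format and every
name and address below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format: "<ISO timestamp> vpn user=<name> src=<address> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)
WORK_HOURS = range(7, 20)   # 07:00 to 19:59 counts as working hours (assumed)
FAILURE_THRESHOLD = 3       # failures per account that warrant a finding (assumed)

# Constructed sample: one brute-force pattern, one late-night login, one account on two addresses.
SAMPLE_LOG = """\
2024-03-11T08:02:11 vpn user=jsmith src=198.51.100.23 result=success
2024-03-11T08:05:40 vpn user=mlee src=203.0.113.8 result=failure
2024-03-11T08:05:52 vpn user=mlee src=203.0.113.8 result=failure
2024-03-11T08:06:03 vpn user=mlee src=203.0.113.8 result=failure
2024-03-11T08:06:30 vpn user=mlee src=203.0.113.8 result=success
2024-03-11T13:15:09 vpn user=jsmith src=192.0.2.77 result=success
2024-03-11T23:41:18 vpn user=rpatel src=198.51.100.90 result=success
2024-03-12T09:00:00 vpn user=rpatel src=198.51.100.90 result=success
"""


def parse_log(text):
    """Turn log text into a list of dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        record = match.groupdict()
        record["ts"] = datetime.fromisoformat(record["ts"])
        events.append(record)
    return events


def review_remote_access(text):
    """Return findings keyed by type, each a sorted list so results are stable."""
    failures = defaultdict(int)          # user -> failed attempts
    sources = defaultdict(set)           # (user, day) -> source addresses seen
    after_hours = []                     # (user, timestamp) for successes outside WORK_HOURS

    for event in parse_log(text):
        if event["result"] == "failure":
            failures[event["user"]] += 1
            continue
        if event["ts"].hour not in WORK_HOURS:
            after_hours.append((event["user"], event["ts"].isoformat()))
        sources[(event["user"], event["ts"].date().isoformat())].add(event["src"])

    return {
        "repeated_failures": sorted(u for u, n in failures.items() if n >= FAILURE_THRESHOLD),
        "after_hours_logins": sorted(after_hours),
        "multiple_sources": sorted(key for key, addrs in sources.items() if len(addrs) > 1),
    }


if __name__ == "__main__":
    for finding, items in review_remote_access(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

A real review would read the gateway's own export format and tune the window and threshold to the practice's hours and user population; the structure (parse, bucket by account and day, compare against a stated expectation) is what carries over.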

Page 25

HIPAA Compliant Video Conferencing

•  Security components:

End-to-end encryption

Secure connection verification

A private cloud web conferencing option

•  Video conferencing should offer SSL/TLS encryption that can provide proxy and firewall traversal for a secured platform.

•  Verification technology verifies that a genuine connection has been made to the correct server, and not an imposter server.

•  A private cloud offers a heightened level of security. This is because the information is stored behind the provider organization’s firewall.

Page 26

HIPAA Compliant Video Conferencing

•  Security components:

Password controls

Provider/host security controls

Securing the operating system

•  Password controls should be implemented. These controls provide for the password to be changed after a set number of days, and ensure passwords meet a minimum length and contain uppercase letters, special characters, etc.

•  Provider/host security controls allow a healthcare organization to lock out a video conference or telehealth session until the host arrives.

•  To minimize the vulnerability of video systems to security issues, administrators should secure the operating system with properly configured firewalls and strong administrator credentials.

Page 27

HIPAA Safeguards Required

Access Controls

Audit Controls

Automatic Log-off

Encryption

Business Associate Agreement

Page 28

BCP vs Disaster Recovery Plan

Business Continuity Plan (PROACTIVE)

●  This outlines how a business will continue operating during an unplanned disruption in service.

●  Contains contingencies for business processes, assets, human resources and business partners (every aspect of the business that may be affected).

Disaster Recovery Plan (REACTIVE)

●  This describes how an organization can quickly resume work after an unplanned incident.

●  A DRP aims to help an organization resolve data loss and recover system functionality so that it can perform in the aftermath of an incident.

Page 29

HIPAA Compliance & Working from Home

•  Mobile Device Security

1 CHANGE DEFAULT PASSWORDS FOR WIRELESS ROUTERS FROM THE EXISTING PASSWORDS

2 ENCRYPT & PASSWORD PROTECT PERSONAL DEVICES EMPLOYEES MAY USE TO ACCESS PHI

3 ENCRYPT ALL PHI BEFORE IT IS TRANSMITTED

4 ENSURE ALL DEVICES THAT ACCESS YOUR NETWORK ARE PROPERLY PROTECTED: BACK-UPS, ANTI-VIRUS/ANTI-MALWARE

5 ENCRYPT HOME WIRELESS ROUTER TRAFFIC

6 REQUIRE EMPLOYEE USE OF VPN WHEN EMPLOYEES REMOTELY ACCESS THE COMPANY INTERNET

Page 30

Security Risk Analysis

•  A telehealth provider security risk analysis includes 6 elements:

Collecting data

Identifying and documenting potential threats and vulnerabilities

Assessing current security measures

Determining the likelihood of threat occurrence

Determining the potential impact of threat occurrence

Determining the level of risk

Page 31

Fines Caused by Working from Home

Cancer Care Group (CCG) - $750,000

•  An employee who was telecommuting lost their laptop and backup drive as a result of car theft. The laptop contained the PHI of over 50,000 patients.

•  CCG had failed to conduct a risk analysis and lacked policies and procedures.

Lincare - $240,000

•  A manager left 300 patient records in her car after deciding to leave her husband.

•  The husband continued to have access to the records. He later contacted Lincare to report the missing records.

•  Lincare had failed to implement effective HIPAA compliance guidelines.

Page 32

Poll #1: Who are you?

Page 33

HIPAA during Emergencies

●  Expansion of Medicare telehealth access: patients can receive services without having to travel to a healthcare facility.

●  Flexibility to reduce or waive Medicare beneficiary cost-sharing for telehealth visits paid for by federal healthcare programs, such as Medicare.

●  Waiving of potential HIPAA penalties for good-faith use of telehealth during the emergency.

▪  Permitted non-public-facing apps include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, GoToMeeting, and Skype.

▪  Notify patients potentia are public-facing, and should not be used

Page 34

Business Associate Agreements (BAA)

Zoom

❏ Is Zoom HIPAA compliant?

❏ Will Zoom sign a BAA?

Skype

❏ Is Skype HIPAA compliant?

❏ Will Skype sign a BAA?

FaceTime

❏ Is FaceTime HIPAA compliant?

❏ Is FaceTime a conduit or a business associate?
