Read these expert pointers, given by our expert at a HIPAA conference, to help ensure HIPAA compliance.
It used to be considered that you wouldn't necessarily need to encrypt everything. But one thing that has turned out, based on the guidance from the Federal Government and also based on what has really come out of a lot of PCI enforcement, is that with any kind of portable device, something that's easy to walk off with, easy for somebody to carry out or easy for somebody to steal, the information is on those devices. These days the consensus is that you really have to have that information encrypted.
You really can't depend on just physical protection of a device. If you're taking a laptop home and it gets stolen out of your car and has some health information on it, that's a bad thing. Or if you have a memory stick: these things fall out of your pocket, you may lose them on a bus somewhere, and people will pick these things up and the first thing they want to do is see what's on it. Maybe it's just to figure out who it belongs to and get it back to them, but maybe it's so they can find out what's in there and keep it for themselves.
So, for any kind of portable information, whether it's on a laptop or whatever, you do need to have something in place. Talk to your tech guys and see what you can do about having the hard drive and the data on these devices encrypted, because it really is called for in the guidance from the Federal government, and these are the kinds of things that the folks at HHS have actually handed out fines for: having unprotected information that has been stolen. You don't want to get hit with that.
So, make sure that you have portable information encrypted before it leaves your building, and perhaps even if you don't intend for it to leave your building: if it's just easy to pick up and carry off, the information should be encrypted. There are fairly transparent ways of doing this, so it doesn't have to get in the way of your conducting your business. But if you don't do this, you really are leaving yourself open to a lot of problems.
It's generally a good idea. If your cleaning crew is working on a contract basis, pretty much as a member of your workforce, they should be signing your in-house HIPAA compliance agreement, or at least some kind of a confidentiality agreement. They're not the kind of organization that you'd want to have a business associate agreement with. A business associate agreement is for someone who is actually doing something with your information on your behalf.
HIPAA Training Tip: Now, you would hope that your cleaning crew isn't doing anything with your information. They shouldn't be doing anything with your information, but they may occasionally be exposed to it just as part of being in the office and doing things.
So you'll definitely want to have them under some kind of a confidentiality agreement, or if not a confidentiality agreement, under whatever agreement you put your regular staff under. But you don't necessarily need to have a business associate agreement. That's really just for when you have people doing something that you want them to do with your information. The cleaning crew shouldn't be doing anything with your information, but they may encounter it, so you definitely want to have some kind of confidentiality agreement.
A lot of people like to work from home. Well, here's the idea: if it's going to be good for your organization to have people working at home, because it will mean better productivity, or people will be able to get more work done and provide better services, you want to be able to accommodate that.
But one of the most important things these days, and it's pretty much accepted practice, is that if you're going to have a computer that deals with your private business information, and in this case we're talking about health information, that computer, first of all, should be one that is used only by that employee.
It shouldn't be a home computer that they share with others at home. Ideally, it's one that you provide to them, so that you have absolute control over it and you can say, "Bring us in that computer. We need to check it and make sure that it's properly secured, has all these patches and updates, and has antivirus and things like that."
Obviously, you want to have some remote access policies in place about how people can work, where they should work and how they should do things. In fact, they shouldn't be working at the kitchen table with their kid looking over their shoulder and things like that.
But anybody who's working at home should have a dedicated computer. You need to have a good remote access policy in place about how they should do it and where they should do it. And you need, if possible, to have your own device, so that you can have some control over it, so that you can bring it in, and if there are any kinds of HIPAA breach situations or any kinds of problems like that, you are able to say, "Sorry, you have to bring that in. We need to have it so that we can clean it up."
But you have to have that kind of control. That's what all these policies are for: to give you the right to control the things that need to be controlled.
So, you want to consider all these kinds of things, but it's certainly nothing that you want to enter into lightly. Make sure it really meets your business needs, and if it doesn't, then find some other way to get the same things done.
Get more HIPAA training to avoid HIPAA breaches: visit our HIPAA conference page.