
When it comes to HIPAA compliance, the mobile nature of home healthcare presents additional challenges over work in a fixed healthcare institution.
Home health workers provide invaluable support to less able patients and are integral to a successful and effective public health service. However, when it comes to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the mobile nature of their work presents additional challenges they would not face working in a fixed healthcare institution. Outlined below are a number of these unique challenges, along with some tips for minimizing the risk of a potential data breach occurring while carrying out care work in the field.
Secure Communication
While there are no specific technology safeguards outlined by the HIPAA Security Rule, it is crucial that security measures for all operating procedures are current, effective and understood by all staff members to ensure a high level of security is achieved at all times.
Messages containing Protected Health Information (PHI) should only be sent through secure channels, and all records of communication containing PHI, such as email trails or message history, must be stored in a secure location with restricted access.
As well as securing communication via mobile devices, tablets or laptops, it is important to ensure that any face-to-face or telephone discussions regarding PHI take place in a private environment to minimize the risk of unauthorized individuals overhearing confidential patient information.
Unsecured Wireless Networks
Free Wi-Fi hotspots are incredibly useful for remote workers; however, they also provide a great opportunity for hackers to intercept any unsecured connections and retrieve personal or sensitive information. To avoid any potential data breaches, employers should ensure all home health workers are aware of the dangers surrounding unrecognized networks and that they have the appropriate safeguards in place, such as the use of VPNs (virtual private networks) and the correct permission settings on their devices.
Disclosure of Information
Due to the nature of home healthcare, patients may require additional help around the home, so family members or friends may sometimes be present during visits from health workers. However, this does not mean they are necessarily authorized to have access to the patient’s medical information. It is important that all home caregivers have received training in this area and understand that PHI should be discussed only with the patient and authorized persons, both to avoid putting the parties present in a difficult or uncomfortable situation and, most importantly, to protect the patient’s right to confidentiality.
Misplaced Information: Devices & Paperwork
With home health workers visiting several patients every day, device security (smartphones, laptops, tablets) becomes a major challenge as there is an increased possibility items could be misplaced, left unattended or even stolen. This can have disastrous consequences, particularly if there are accessible files or messages containing PHI saved on the device.
To minimize the risk of a potential data breach due to a lost or stolen mobile device, workers should:
- Check they have their devices on their person when they arrive at a patient’s home and when they leave.
- Ensure there are sufficient access restrictions on the device – such as fingerprint recognition or active screen lock – so that, should it fall into the wrong hands, any sensitive data will remain secure.
While ePHI and digital records are paving the way to a more secure auditing system for confidential medical data, due to the nature of home healthcare, paper charts and records are still a common way of recording patients’ progress during home visits. As it is not possible to password-protect written records, extra care must be taken to ensure they are guarded at all times when in the health worker’s possession, and transferred to a secure location once visits are completed.
To minimize the risk of a potential data breach due to lost paper records, workers should:
- Ensure that no paperwork containing PHI is left in an unsecured place, for example, on a desk or in an unattended car overnight.
- Store the paperwork in a securely locked filing system when not in use.
- Destroy any records once they are no longer required, either by shredding or burning the documents, so that they are no longer readable and cannot be restored to a legible condition.
When it comes to HIPAA compliance, the ultimate responsibility lies with the employer. Through implementing training and compliance workshops, undertaking regular risk analysis, and investing in HIPAA-secure tools that facilitate safe communication, collaboration, and data storage, the risk of a data breach can be significantly reduced.
About the Author: Michael Senter joined DocbookMD in March 2015. He has over 15 years of experience providing solutions to highly regulated industries, including healthcare. Most recently, Michael has been focusing on the unique challenge of IT security in healthcare organizations. To find out more about how DocbookMD is improving communication and compliance in home health, visit https://www.docbookmd.com/explore/providers/home-health/.