February 25, 2002 Telecommuting Review Article:
Hipaa, Hipaa, Hooray? Telecommuting and Privacy Legislation
If you're involved in the world of health care in any way in the US, you're probably aware of HIPAA - otherwise known as the "Health Insurance Portability & Accountability Act of 1996" - which calls for "Improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data through setting and enforcing standards."
[That definition, plus a great deal of helpful background information and links, can be found at the HIPAA Advisory site.]
I'd heard the acronym mentioned now and then but never knew much about the details until I received a call from a client recently with an interesting question about HIPAA's implications for telecommuting. The client - an agency that provides home health care services - is setting up a telecommuting program for about 15 case managers. These employees oversee the work of several hundred staff who actually make visits to patients' homes and arrange the details of care delivery. The case managers have always spent a good deal of time in the field but had offices in the agency's headquarters; due to space constraints, this group will start telecommuting later this spring. Neither the case managers nor their staff making the home visits actually deliver any services - they arrange for services provided by various other agencies, oversee the treatment plans, file the necessary paperwork, and so on.
My client reported that its funding agency - the health care arm of the state in which the agency operates - had begun asking questions about whether these new telecommuters would be able to work from home without violating some of the privacy provisions of HIPAA. [If you want to read all about the act, its history and the implementation plan, visit the U.S. Health and Human Services site.] Compliance with the Privacy Rule is not required of most covered entities until April 2003, but because of the widespread implications of its rules all affected agencies and providers are already taking it into account.
In a nutshell, HIPAA has numerous, detailed regulations about maintaining the privacy of medical information and records. The act came about because of past abuses in how this information was stored, shared, and used for dubious or even fraudulent purposes. With typical legislative zeal, Congress came up with a solution that is overwhelming in its complexity and coverage - and therefore everyone in the health care field is struggling to interpret the regulations.
As far as I could see in the regulations themselves and in supporting documentation, there is nothing affecting telecommuting per se - or even anything about remote or mobile workers. That doesn't mean we don't have to be concerned; in fact, COMPUTERWORLD ran an excellent article last year on some of the telecommuting implications.
You can get an indication of these implications from this excerpt from the FAQ section on the HHS site:
"Q: What does this regulation require the average provider or health plan to do?
A: For the average health care provider or health plan, the Privacy Rule requires activities, such as:
- Providing information to patients about their privacy rights and how their information can be used.
- Adopting clear privacy procedures for its practice, hospital, or plan.
- Training employees so that they understand the privacy procedures.
- Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Responsible health care providers and businesses already take many of the kinds of steps required by the rule to protect patients' privacy. Covered entities of all types and sizes are required to comply with the final Privacy Rule. To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the rules provides a more efficient and appropriate means of safeguarding protected health information than would any single standard. For example,
- The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
- The training requirement may be satisfied by a small physician practice's providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
- The policies and procedures of small providers may be more limited under the rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system."
There appears to be nothing in the regulations that prohibits off-site work by health care providers of any kind, but that doesn't exempt off-site workers either. All it means is that telecommuters and field staff have exactly the same compliance requirements as anyone else in the organization - the location of the work changes nothing about the obligation.
I advised my client to do the following, and offer these suggestions as general guidance - with the understanding that I am definitely not a HIPAA regulatory expert. If your telecommuters are affected by HIPAA, get the advice of an expert before deciding how to comply:
1. LOCK IT UP - The agency had already decided to give each telecommuter a locking filing cabinet for their homes. I suggested they include in their training and policy the statements that the cabinets must remain locked whenever the employee is not in the home office, that the keys must not be left accessible to others, and that any papers or files in use must be returned to the locking cabinet whenever the employee leaves the home office area. Similarly, any time the telecommuters are in the field and have files or papers in their cars, they must be instructed to always lock their cars when not in them, and to keep all papers in their possession when away from the car.
2. WRITE IT DOWN - A detailed privacy policy must be written - perhaps as an extension of the telecommuter's agreement - describing these privacy requirements, and stating that noncompliance may result in discipline or termination. Telecommuters must sign a document saying they have read and understand the policy - and this should be renewed annually.
3. TRAIN, TRAIN, TRAIN - Develop a training program (or section of your existing telecommuting training) that specifically addresses HIPAA compliance. Completion of the training (no matter what form it takes) is required before the telecommuter begins work away from the office, and that completion must be documented and certified by the employee and the trainer or manager.
These steps are, of course, in addition to whatever other policies or training would be in place for all employees in the organization.
The logical question to ask is, "How will we know if telecommuters are complying?" and the logical, honest answer is, "You won't - unless they don't comply and do so in a way that leads to problems." This is not much different from any other remote-management issue, and must be treated as such.
There is one important distinction, however: failure to comply with the privacy provisions can result in civil and criminal penalties. According to the HHS site, "civil fines are capped at $25,000 per year per violation, and criminal penalties are graduated, with the maximum penalty of 10 years in prison and a $250,000 penalty." That in itself is good reason to take HIPAA seriously when planning and overseeing your telecommuting programs.