HIPAA Q & A: Are there privacy concerns with off-site workers?

[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. The cautions listed below apply not only to employees working at remote locations, but also to off-site, third-party independent contractors such as a transcription service.]

Question: If an employee works out of his or her home, either full-time or part-time (e.g., during maternity leave, on weekends or evenings, or as part of a telecommuting job description), do the HIPAA security regulations apply? If so, how do we ensure compliance?

Answer: If the employee is working at home with electronic protected health information (EPHI), the security regulations apply, according to Robert W. Markette Jr., an Indianapolis attorney. Compliance will depend upon a number of factors:

  • Does the employee access EPHI remotely?
  • Does the employee maintain EPHI on the home personal computer (PC)?
  • Who in the home can access the PC?
  • How is EPHI stored and retrieved?

"If the employee is accessing EPHI remotely, I would recommend at least evaluating the security of EPHI in transit," says Markette. "If you have concerns about the security of that transmission, you might consider steps to increase the security."

There are numerous technologies that could work in this environment, and each entity will need to assess the risks and determine what is needed for an appropriate operating procedure, he adds.

You also may want to establish password-protected access if other people have access to the employee’s computer.