Ophthalmology and Optometry Coding Alert

Reader Question:

Take Your Work Home Without Revealing PHI

Question: Thank you for last month’s article about HIPAA (This Clinic Got Hacked, Had to Pay $400K HIPAA Breach Penalty). It got us thinking about our office staff, who often work from home processing claims. Is it legal for them to work from home when they’re handling protected health information (PHI)?

Codify Subscriber

Answer: You don’t necessarily need to stop bringing your work home, but you should definitely establish a policy on taking charts, computers, and other items that have patient data on them to any remote workplace. Unless handled very carefully, you could violate HIPAA and face penalties even if you just misplace one superbill in your home or forget your cell phone in a bathroom stall.

If you or your staff must take charts or other data, electronic devices, or any ambiguous materials that might contain PHI from the office, it’s a good idea to implement a log-out system. That way, you’ll know where each patient’s information is, and there’s some accountability should a breach occur.

Construct guidelines: Implement policies that require all practice personnel to safeguard any patient information when they remove it from the office, since the HIPAA laws protect the patient’s privacy no matter where the chart happens to be. Consider these five things every time you take work from the office that includes PHI or ePHI:

  • Were the files and devices logged out properly and approved by the administration under the aforementioned office HIPAA plan?
  • Where can these materials and devices be securely stored at my remote location?
  • Do my mobile devices, laptops, and at-home desktop computers include strong passwords with multi-factor authentication?
  • Is encryption software utilized and updated for at-home or remote review of patient charts?
  • Are the necessary resources readily available to alert compliance personnel should a breach occur while these materials are in my possession?

Tip: Enlist a reputable healthcare attorney or compliance consultant to ensure that all staff members are up-to-date on health IT privacy and security — both at home and at the office.