Breaking Compliance News Blog

HIPAA & COVID-19: Working from home

Posted by Margaret Scavotto, JD, CHC on 3/23/20 1:00 PM

Find me on:

Blog Series: Staying HIPAA Compliant During COVID-19

Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek, St. Louis 

Bethany Baty, Digital Marketing Director, HIPAAtrek, St. Louis

Margaret Scavotto, JD, CHC, President, MPA, St. Louis 

The coronavirus pandemic is an unprecedented challenge for healthcare providers. Hospitals are facing increased workloads and fear supply shortages. Nursing homes have shut their doors to most visitors while they try to keep their residents and employees safe. Providers across the country are embracing telehealth, figuring out public health disclosures, and have to think fast about how to respond to an increase in inquiries from patients, families, and the media.

For the next five days, HIPAAtrek and MPA will shed the light on five key HIPAA issues that are relevant during COVID-19. Our goal is to help you stay compliant during these challenging times.

  • Monday:       Working from home
  • Tuesday:      Disclosing to public health and the authorities
  • Wednesday: Watch out for cyber scams
  • Thursday:     What’s waived?
  • Friday:          Using telehealth safely

Working from Home During the Coronavirus Pandemic

Woman at Computer-1As the nation continues to respond to the COVID-19 pandemic, it is important that we work together to help facilitate the effort to contain and prevent. An integral part of this effort is requiring staff to work remotely when possible - and this includes compliance professionals. MPA and HIPAAtrek are both working remotely in order to hopefully flatten the curve of the COVID-19 pandemic.

Here are some steps you can take to stay HIPAA compliant while sending your workforce home.

One of your first considerations is to ensure that all employees understand the same privacy and security standards apply when working from home – and, potentially, a few more. This presents a unique and unprecedented situation for compliance teams across the country. Issues requiring immediate attention include:


Bring Your Own Device (BYOD)

It is highly probable that many of your employees have never worked remotely before. It is also likely the facility does not have enough workstations to facilitate working from home. Requiring employees to use their own workstations is acceptable; however, it is imperative that you create and follow a BYOD policy. If you need a policy, please contact HIPAAtrek. We can send you a template to help you get this started.


The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued an Alert on March 13 encouraging employers to use virtual private networks (VPNs) for teleworking employees. VPNs provide an added level of security when employees are accessing your network from home. CISA also recommends keeping VPNs patched and updated to guard against a rise in malicious cyberthreats by hackers seeking to take advantage of security weaknesses inherent in telework. CISA’s complete recommendations can be found in their Alert.

Train employees on patient privacy requirements while working remotely

Special training should be provided to ensure the employee understands the unique challenges to patient privacy while working from home. This should include:

  • Protecting patient privacy from family members, roommates, or other individuals in the home or remote working location. Employees will need to set up their work environment to ensure members of their household or visitors do not have access to any patient information.
  • Ensuring proper internet protocols. This includes not using public WIFI or leaving workstations logged into WIFI when they are not in use. If possible and as CISA recommends, use VPN.

Minimum Necessary Rule

Remind remote employees to follow the minimum necessary rule.

The OCR has made it easier for healthcare facilities to manage their HIPAA compliance programs during this time by announcing a limited waiver to the Privacy Rule and by allowing for non-HIPAA compliant communications to facilitate telehealth visits. Even with these waivers on penalties, it is important that patient privacy be upheld whenever possible – and the minimum necessary rule still applies! Make sure employees understand these waivers and that they have a point of contact within your organization to ask compliance questions.

HIPAAtrek and MPA can help make HIPAA compliance easier with policy downloads, training, and HIPAA software. Let us know if we can help. 

SIGN UP for MPA and HIPAAtrek's webinar:

Surviving HIPAA During COVID-19

March 25, 1:00 p.m. CST


MCS Signature November 2018

missing hipaa policies snip


Topics: HIPAA, security, COVID-19, privacy

    Privacy Policy           Terms of Use