Obtaining HIPAA Compliance for Work-at-Home: The Zventus Approach
The Health Insurance Portability and Accountability Act (HIPAA) is the global standard for protecting sensitive patient data, which is why service providers with healthcare clients must demonstrate 100% HIPAA compliance, no matter their location.
Once work-at-home became the norm, many organizations began to realize that their in-office HIPAA compliance measures would no longer suffice. To protect data in a new environment, they would have to implement several requirements that were specific to work-at-home. In most cases, failure to do so would result in hefty fines and irreversible damage to brand reputation.
The work-at-home environment has leveled the playing field across the board. In the office environment, organizations had to invest a significant sum in acquiring HIPAA certifications. Preventing access to the facility required secure gates and doors, secure access protocols, security guards on-site, internal access control like keycards and readers, and much more.
With a hybrid approach to business operations, the costs associated with complying with HIPAA in-office may be lower. However, there are still plenty of considerations that companies must understand if they’re to obtain HIPAA compliance at home.
Here at Zventus, our team took an agile approach, ensuring our entire work-at-home workforce was entirely HIPAA compliant in less than three weeks. For companies wondering how to do the same, here’s how we achieved it.
Start with the Right Leaders
Soon after the COVID-19 pandemic began, Carmen Reynoso, Insurance Client Delivery Manager and Privacy Officer, took point on our work-at-home HIPAA compliance project. During her first three years at the company, Carmen led several different projects at Zventus, both internal and client-facing, making her the perfect fit for the job.
On day one, Carmen tasked her team to research the new HIPAA work-at-home guidelines issued by the US government. The process involved cross-checking the various guidelines on HIPAA websites with the best practices for working at home, along with researching success stories of other organizations that had already pivoted to a remote working model.
Training and Legal Protection
The main challenge we faced in achieving work-at-home HIPAA compliance was developing a deep awareness and understanding of the rules within our workforce.
After going through a deep investigation process, we launched a new training course to cover the work-at-home elements. Some of the new guidelines included not using company equipment for personal gain and not allowing unauthorized persons to use the equipment—anything to prevent patient data from falling into the wrong hands.
The training is mostly about improving awareness. For example, friends or family members must respect that you need privacy, even when working from home, so that awareness often needs to extend beyond your workforce. We also instruct employees on basic cybersecurity practices, like not opening suspicious emails to prevent viruses and malware.
As things moved forward quickly, we decided who would go home immediately and focused on training them first. While the training courses were in full swing, Carmen consulted with our legal department to draft a commitment letter for all work-at-home employees.
With most of our workforce located in Mexico, we leveraged our translation talent to draft the letter in Spanish, outlining the HIPAA requirements that allow us to serve our US clients. The document ensured that everyone was 100% committed to using our equipment correctly and guaranteed that they would follow all the necessary steps for HIPAA compliance at home.
Addressing the New Guidelines with Technology
The significant gaps in the transition to work-at-home are physical security and a lack of visibility or control over sensitive data. With HIPAA, we needed tight control over the company-owned equipment and assets that were processing this sensitive data in our employees’ homes.
We had to ensure that we encrypted all hard drives and that all machines were completely locked down, with no ability to write or store data in external programs outside our control. Another critical consideration was using dual-band routers with robust security protections, splitting each home’s internet connection between home and work use.
It’s vital to use desktop monitoring tools and VPN access with admin privileges to check settings and ensure nobody is tampering with anything. These tools also help track if employees are using the machines outside of work hours or for personal use. In some cases, biometric devices and facial detection tools will lock the machines if another person attempts to use the computers.
Expanding HIPAA Benefits to Everyone
HIPAA compliance is advantageous for every client when it comes to information security. The benefits of data protection and employee training make companies feel much more comfortable working with third-party business service providers.
At Zventus, we chose to integrate HIPAA compliance across our entire company, not just our healthcare clients. This decision has enabled us to grow faster, hire more people, and provide more clients with the peace of mind that their customers’ data is 100% secure.
If you’d like to learn more about our HIPAA compliance implementation or chat about information security in the age of work-at-home, we’d be happy to speak with you.
About the Author
Angel Alban is President of Zventus, a leader with 25 years of experience in strategy, operations, and technology. Zventus helps healthcare providers to innovate and improve patient care and services, with services covering front desk operations, a call center supporting 220+ languages, authorizations, billing & coding, medical records management, and technology. Imagine the possibilities to improve every part of the healthcare process with all-in-one services by Zventus.
If you’d like to learn more about our healthcare solutions or the benefits of outsourcing, get in touch by contacting us here.