Maintaining HIPAA compliance for remote employees can be a daunting task, but it doesn’t have to be. Read on to learn how remote access and support can make it easy.
Most healthcare organizations have been comfortably settled into their HIPAA compliance processes for years. However, in the past two years the landscape has changed significantly with the rise of remote work, telehealth, and increasing cyber threats to protected health information (PHI).
Gartner recently estimated that 51 percent of knowledge workers will be performing their work remotely in early 2022. This shift to remote work has significant implications for organizations that must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations.
Are Remote Workers a HIPAA Compliance Risk?
No, remote workers themselves aren’t inherently a risk. However, IT teams who aren’t prepared to equip remote workers with the resources needed to comply with data privacy regulations are a risk. A 2021 Healthcare IT News article pointed out that just 2 out of every 10 IT teams said they have provided adequate tools and resources to support employees working remotely long term. This lack of preparedness puts organizations at risk of violating the data and electronic medical record (EMR) protection regulations of HIPAA.
In fact, the U.S. Department of Health and Human Services (HHS) specifically noted the HIPAA compliance risk when workers use remote access systems that lack HIPAA compliance features. In describing the need to regularly review and modify security policies to align with HIPAA, HHS stated, “This is particularly relevant for organizations that allow remote access to EPHI (Electronic Protected Health Information) through portable devices or on external systems or hardware not owned or managed by the covered entity.”
HIPAA Violations are an Expensive Oversight
HIPAA violation penalties can escalate rapidly, reaching up to $1.8 million per violation. On top of that, a requirement to follow a costly corrective action plan (CAP) is recommended to prevent future violations. Penalties and CAP requirements were established by the Health Information Technology for Economic and Clinical Health Act (HITECH) that took effect in March of 2013. They apply to many more organizations than just healthcare providers – health plans, healthcare clearinghouses, all covered entities and business associates of covered entities.
For example, a recent National Law Review article described how Peachstate Health Management, Inc. negotiated their HIPAA violation penalty down to $25,000. Yet, the CAP they had to implement came with far higher costs, because it required Peachstate to do the following:
- Conduct an enterprise-wide risk analysis
- Develop and implement a risk management plan
- Develop policies and procedures designed for HIPAA Security Rule compliance
- Distribute the policies and procedures
- Develop training materials for the workforce
- Designate an independent monitor
- Submit implementation reports, non-compliance reports, and annual reports
Hiring an expert independent monitor would far exceed the $25,000 fine, especially since they have to be approved by OCR (the Office for Civil Rights at the U.S. Department of Health and Human Services).
How Can Splashtop Remote Access and Support Solutions Help You Comply?
First, and most important to note, Splashtop does not have access to patient information or records (EMR, PACS, etc.). Splashtop solutions process the desktop streaming in an encrypted remote access or support session. In doing so, Splashtop never has access to the session data.
Not accessing session data is an important distinction. It means that Splashtop can provide remote access and support services under the HIPAA Conduit Exception Rule. The conduit exception is limited to transmission services (whether digital or hard copy) including any temporary storage of transmitted data incident to such transmission. This excludes services like Splashtop from having to enter into business associate agreements with covered entities.
This enables our customers to rapidly implement Splashtop solutions without the need for extensive contracts tied to HIPAA. Moreover, they know that their patient information and records remain within their system, never crossing outside of their organization’s perimeter.
Additional Splashtop Security Measures That Ensure Your Data’s Safety
Splashtop has developed “Security Policies” as a subset of our Technical and Organizational Measures (TOMs). These describe the security measures and controls implemented and maintained by Splashtop to protect and secure the data we store and process. Our IT security policies are regularly reviewed and amended by our IT security experts.
On top of that, Splashtop employees complete information security training twice a year. As part of this training, they agree to comply with ethical business conduct, confidentiality and security policies as stated in our “Code of Conduct.”
Splashtop’s security policies are backed by a robust data security architecture that has many features. Encryption and access control are the two most important for maintaining data protection when your employees work remotely.
- Encryption: Splashtop encrypts all user data in transit and at rest, and all user sessions are established securely using TLS. The content accessed within each session is always encrypted via 256-bit AES.
- Access Control: Splashtop has implemented access controls to manage electronic access to data and systems. Our access controls are based on authority levels, need-to-know levels and the separation of duties for those who access the system. We follow up role-based access with regular account reviews, access monitoring and logging.
Splashtop remote access introduces even more security features, such as device authentication, two-factor authentication (2FA), single sign-on (SSO) and more. If you’d like to learn more, we’ve put together a full list of Splashtop’s HIPAA-supporting security features.
Keep Your Organization HIPAA Compliant with Remote Access and Support
With remote work here to stay, many organizations are leveraging remote access and support solutions to securely handle EMRs and other patient data. To keep your organization HIPAA compliant, you need to adopt safe and secure remote access and support.
Splashtop provides hundreds of healthcare organizations with safe and secure remote access and support – aligned with HIPAA and other consumer privacy regulations. To find out how Splashtop can enable your organization to keep remote workers in compliance with HIPAA, contact a Splashtop expert today.