COVID-19 HIPAA Compliance Checklist

Our HIPAA Compliance partner TOTALHIPAA created this compliance checklist for employers with remote employees due to the COVID-19 Stay at Home requirements. There is great information to protect your company and confidential information.

How do companies who do not usually allow working from home adapt to the COVID-19 crisis? COVID-19 is changing the way we do business and remote work comes with all kinds of administrative and technical challenges. Both employers and employees have questions.

Implementing the items on this checklist can help ensure employee safety and productivity, as well as continuity of operations and business plans. Remember, you must maintain HIPAA compliance even while working from home.

Tips for Employees

• Know your organization’s remote work policies. These include when and where you are allowed to work and any security measures or best practices.
• Only use devices approved by your organization. Refrain from using personal computers, tablets, or smartphones that have not been approved or configured by IT.
• If possible, use your organization’s VPN (virtual private network). These provide a direct, secure connection to your organization’s network from any location. They are an important safeguard that helps protect client PHI and other confidential information.
• Disconnect from your organization’s network when you finish working. In some cases, IT may configure timeouts.
• Encrypt and password protect all devices that access Protected Health Information (PHI) or Non-Public Private Information (NPPI).
• Install firewalls and anti-malware software on your devices.
• Store all hard copy PHI in a locked filing cabinet or safe when you are not using it. 
• Secure your router. Router traffic should be encrypted, software should be updated to its most current form, and passwords should be unique. Do not use the WiFi password that comes with your router.
• Lookout for malware. Avoid opening suspicious emails or attachments. In general, it’s best to stay on the safe side and either delete these or forward them to IT for review.
• Never leave devices unattended. Guard all laptops, tablets, cellphones, and USB or external storage devices. Your work devices and accounts should not be shared with family, friends, or others.
• Create strong passwords. These should include a mix of upper and lowercase letters, numbers and symbols. Avoid using obvious key words, and never enter passwords while others can view your screen. Use a password manager if possible.
• Don’t share passwords with coworkers. If absolutely necessary, call the person or send it in an encrypted format. Many password manager services have a secure sharing option.
• Use two-factor authentication. This provides an extra layer of security against hackers trying to access your systems or accounts.
• Never copy PHI to any media or devices not approved by your organization. This includes flash drives and hard drives.

Advice for Organizations

• Create remote work policies. These should be documented in your Security Policies and Procedures.
• Keep track of who is working remotely and regulate their access levels. These should be designated according to the employee’s role.
• Keep logs of remote access activity. These should be reviewed periodically. IT should disable any accounts that are inactive for more than 30 days.
• IT should configure all devices before allowing them access to the network. Specify what brands or versions of personal devices that are allowed to access company data.
• Have each employee sign a Confidentiality Agreement. 
• Create a BYOD (Bring Your Own Device) Agreement. This should have clear usage rules regarding when, where, and which devices may be used.
• Have a Media Sanitization Policy that indicates how employees should dispose of PHI and NPPI. This may include rules regarding how to shred or destroy hard copy PHI & NPPI and how to delete electronic PHI & NPPI.
• Train staff on how to recognize social engineering attacks. This may come in the form of a phishing scam or other malware discharged by a hacker.
• Ensure that your systems are secure. Your VPN and other remote access systems should be fully patched.
• Enhance system monitoring. Configure your network so that you receive early detection or alerts for abnormal activity. It might be the result of hackers and/or malware.
• Require multi-factor authentication on all staff members’ accounts that access PHI & NPPI. 
• Test the capacity of remote access solutions. If found to be necessary, increase the capacity.
• Brief employees on IT support mechanisms. It’s better to be overprepared than underprepared. Instruct employees to double-check with IT before opening any suspicious messages or attachments.
• Update or review your Disaster Recovery Plan. Your mindset should be: not if, but when. Be prepared to handle breaches and other incidents that may arise from changes in the locations and circumstances in which employees will be working.
• In cases of disaster, redundancy is key. Cross-train staff and IT personnel. Have multiple backups of data, in multiple locations. Always overprepare, so that nothing takes you by surprise.

As always, if you have any HR questions or need assistance, please contact JorgensenHR at (661) 600-2070, email info@jorgensenhr.com or visit www.jorgensenhr.com.