Sign in

Best HIPAA Practices Working From Home During the COVID-19 Emergency

By: PrivaPlan Associates

March 17, 2020


During the Coronavirus emergency, physicians and healthcare providers may want to adopt telemedicine as a way to provide patient care. This is an acceptable practice under HIPAA and California data and privacy laws but some precautions should be followed.

These include:

  • Ideally use a professional telemedicine platform for these calls like Zoom. If you will be recording and saving the telemedicine visit be sure to have a HIPAA business associate agreement in place with the vendor.
  • If you don’t need to record the visit you can use Facetime or WhatsApp both of which encrypt the meeting; you can also use Skype or other video meeting technology
  • Be sure that you follow all good HIPAA security practices, especially if you will provide this from your home computer or personal smartphone”
  • Ensure home wifi is secured with WPA2 encryption (fairly easy to do if not already)
  • Work from as private an area at home as possible-and don’t allow family members or others to shoulder surf or see your workstation screens
  • Always log off when you get up and leave your workstation at home unattended-and this is not a screen saver but log off
  • Don’t use sticky notes or write down your passwords and keep them near the workstation

While the President has waived HIPAA “enforcement” for use of telemedicine during this emergency,(for example HHS will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency, State data and security laws may remain in effect; also patients still could hold a health care provider responsible if their PHI or personal information is breached.

Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such application. ALSO- Facebook Live, Twitch, TikTok, and similar video communication applications that are public facing, should not be used in the provision of telehealth by covered health care providers.

Certain HIPAA Privacy requirements are also waived:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

PrivaPlan offers all the services you need to stay compliant.
SECURITY RISK ANALYSIS • HIPAA EDUCATION AND TRAINING • HIPAA BREACH NOTIFICATION REVIEW AND REMEDIATION SERVICES • HIPAA POLICIES AND PROCEDURES REVIEW/DEVELOPMENT • NETWORK VULNERABILITY SCANNING • CONSULTING

Need more information? Contact the HIPAA experts at PrivaPlan.