Remote Compliance Audits: Adjusting to the ‘New Normal’ of Remote Work

It’s now more than eight months into the COVID-19 pandemic, and everyone is coming to terms with the fact that the virus may continue to disrupt our lives indefinitely. Health information management (HIM) leaders are also realizing that staff may need to work remotely for the foreseeable future—perhaps permanently in some cases.

Part of this realization includes acknowledgement that the “temporary” setup many of us have used for the last several months won’t be effective long term. That futon and card table you’ve been using as a desk and chair? Those definitely aren’t solutions, ergonomic or otherwise. Your 20-year-old shredder? It probably won’t cut it (literally and figuratively) in the months ahead. That computer monitor you thought nobody could see? It’s a different story when you’re working side-by-side with your teenage son who is doing distance learning.

It’s time to bite the bullet and admit that working from home may be here to stay—and that some of us may need to make some serious changes.

If your organization doesn’t already have a telecommuting policy/agreement, drafting one and asking employees to sign it should be a top priority. Keep in mind that even if you had a policy in place before COVID-19, you may need to revise it to permit greater flexibility given the unique aspects of today’s work-from-home challenges.

Whether new or revised, there are some essential areas covered by a solid telecommuting policy:

• Childcare: Will you require proof of childcare assistance during work hours?
• Covered costs: What costs will the company cover to support remote work?
• Downtime: What is the procedure if home technology or remote access go down?
• Productivity and quality standards: How will you monitor and manage these standards?
• Response time: Will you require specific response times to emails or phone?
• Work hours: How will work hours be established and will there be flexibility?
• Workspace: What will be required to ensure privacy and safety in the remote workspace?

With a policy in place, the next step is having the ability to perform a remote compliance audit. Anyone can sign an agreement, so how do you know they’re truly following what’s required? That’s where the audit comes in.

Explaining the Purpose of the Audit

While nonhealthcare industries probably don’t need to audit their remote staff, healthcare is different because employees use and access protected health information (PHI) regularly, and the fines for HIPAA breaches are significant. However, a remote compliance audit is not meant to scare or intimidate employees. Instead, the purpose of the audit is to protect patient information while also keeping employees healthy and productive. Many employees may not even realize that their work environment and workstation, for example, can affect their health and wellness. In addition, most security vulnerabilities occur due to an employee’s genuine lack of awareness. Audits can help raise that awareness and trigger management and human resources (HR) to intervene with supporting education and assistance.

Conducting the Audit

The logistics of conducting a remote compliance audit are fairly straightforward. Managers can use Microsoft Teams or similar video conferencing technology to request that employees turn on their cameras and give a tour of their workspace.

Is it in a separate room or area that does not receive visitors or family members during work hours? How does the employee secure the work area? Does the home have an alarm system? Do doors have sufficient locks to prevent unauthorized entry? What if the space is in a nonlocking room? Is there adequate lighting? A smoke detector? Fire extinguisher within the room or adjacent to it? Ergonomic chair, keyboard, mouse, monitor, desk, etc.?

In addition to “touring” their home offices, managers should also make sure that employees are keeping data on their laptops secure. Ask the employee to share their screen so you can view any open windows and browsing history.

Remote compliance audits should be conducted randomly on an annual basis. Some managers may choose to give employees a 30-minute warning as a courtesy while others may choose to give no warning at all.

Using the Audit Data

Once audits are concluded, use that data to identify high-risk areas that could pose a threat to PHI security. For example, does an employee struggle with keeping their computer screen private because their spouse is in the same room also working from home? If so, can the organization provide a privacy screen or room divider to minimize compliance risk?

Help brainstorm creative and flexible solutions. For example, can an employee with young children work longer shifts every other day so they can split caretaking responsibilities with their spouse? Is there an ergonomically friendly alternative for an employee who is waiting for a desk on back order?

In addition, review the data to look for larger trends. Are there risk regions (e.g., rural areas without easy access to ergonomic equipment)? What about type of employee (e.g., those with school-age children or elderly dependents)? How can you partner with HR to minimize these risks? HR may be able to provide educational materials, community resources, or webinars. HR can also be a great resource on stress management, offering tips for working from home, participating in remote meetings, and more. There are countless opportunities for partnership that HIM managers shouldn’t overlook. Remember: When we take care of our staff, they, in turn, take care of our patients, providing high-quality customer service.

Elizabeth Delahoussaye, RHIA, CHPS, (elizabeth.delahoussaye@cioxhealth.com) is chief privacy officer at Ciox Health. Rohini Shankar (rohini.shankar@cioxhealth.com) is chief human resources officer at Ciox Health.