Compliance Week: Managing Telecommuter Risk
Many healthcare organizations are seeking to reduce expensive physical office space, improve employee morale, and offer flexible options for the workforce; telecommuting has emerged as a commonplace solution for many of us. How can a compliance officer embrace these more prevalent and relevant offsite employee worksite opportunities while still demonstrating they are managing risks to the organization? A less controlled home office environment can be seen as risky, especially in an industry where regular access to member/patient information is often required by employees (and breaches can and do occur).
Many of us, including medical coders and other healthcare business professionals, may find also ourselves on the other side of this equation, where we are the home office telecommuters. We may ponder what we can do to mitigate risks to our members or patients, our organization, and to ourselves at the same time?
Privacy/Security is not the only issue, safety and other regulatory considerations are risk domains that can be compounded by telecommuting employees. Employees working in spaces where the employer is not ensuring Occupational Safety and Health Administration (OSHA), ergonomic, fire, safety, electrical standards, etc. are met (as they would in a corporate office) can create a confusing dilemma. There is often not clear guidance on how the compliance, safety, information security, regulatory, human resources, and legal departments manage the risks for the remote employees to reduce the inherent safety, privacy, security, and other threats.
Compliance leaders globally have asked if new solutions are needed to address the telecommuter employee. Shareholders are increasingly demanding better assurances from compliance that the organization’s exposure be mitigated. What solutions can better reassure everyone that all telecommuters are working in both a safe and compliant home office environment?
The U.S. Department of Health and Human Services (HHS) holds that covered entities that allow employees to telecommute or work out of home-based offices, and have access to electronic private health information (e-PHI), must implement appropriate safeguards to protect the organization’s data.
While OSHA’s position has wavered on responsibilities for employers regarding the safety of telecommuter home offices, employers still find themselves responsible for the aspects of home-based worksites to minimize other liabilities such as workers compensation cases or tort litigation from damage to employee personal property. Increasing cases of ergonomic injuries such as carpal tunnel syndrome or back strain is also a growing concern.
A combined approach of focused telecommuter attestations, policies, training, surveys, and audit programs maybe a best practice for organizations to consider in addressing the telecommuter employee.
The following are opportunities to consider with telecommuters:
Attestations: On hire into a telecommuter position, annually and/or as advised by your legal counsel, telecommuters can be required to attest to policies and protocols your organization deems necessary in accepting the offsite job responsibility. Employees might slowly transition into a telecommuter (work-at-home) role, and the signing of the attestations might be easily missed. There may also be internal discussions needed to define who is a telecommuter.
There are both off-the-shelf and custom systems that can assist in the automation (assignments, tracking, reporting) of the attestation process, and these might be combined with other annual signature requirements. The attestation can include not only traditional compliance department risks but also safety, human resources, and other areas that you deem important. Part of the attestation might include the agreement to accept a potential unannounced remote work-at-home audit to maintain work-at-home status, and notification that violations may lead to termination of telecommuter status, among other sanctions.
Policies: For those employees transitioning into part-time or full-time telecommuting positions, Mangers may decide to consider reasonable requests from employees to telecommute. The intent is that by offering telecommuting arrangements to staff, managers can better attract and retain qualified team members. Management, with the support and assistance of the human resources and leadership, may develop a policy in which employees can be held accountable, such as requiring:
- Telecommuters follow the same organization policies and procedures as onsite employees.
- Employees can transition to telecommuting hours based on proven ability to perform the department job responsibilities with little direction.
- Employees may be selected to telecommuting jobs based on seniority.
- Employees with no current active corrective actions are qualified to telecommute.
- Telecommuters must meet technology requirements, such as having high speed internet access available, and are required to use a company router and computer or provide equipment that meets information security requirements,
- Telecommuters have a separate home office work area, such as a room separated from other family members by a door, and a shredder to dispose of PHI.
- Telecommuters have reasonable ergonomics in place such as a functional workstation and chair.
- All cable and electrical cords must be in good repair with no exposed wires or frayed extension and no trip/fall or fire hazards.
- The employer reserves the right to inspect the telecommuter work area.
Training: Only a portion of your employee workforce might fall into the telecommuter category. If so, a decision might need to be made whether to integrate work-at-home best practices into the training for all employees or carve out a unique program targeted for that audience. Some companies implement a blended learning approach to telecommuter compliance training and have managers provide in-person training during (or shortly after) new hire orientation, and then assign an online primer or recorded webinar annually.
Online courses can be structured with tabs where certain cohorts of employees will optionally be diverted to a different series of slides.
Other awareness activities, such as intranet posts, Compliance Week handouts, AAPC resources, best practice cases, and brief reminders in regional meetings, might be helpful.
Surveying: Sending surveys to current telecommuters and those to be on-boarded to assess their current work-at-home environment may also be telling for the compliance group in assessing the current situation. If the majority of telecommuters are working in remote satellite locations (such as in member/patient homes, shared spaces in your or other medical facilities and hospitals, health departments, private billing companies, etc.) as opposed to their own personal home, this may present some insights to the type of risks to which they may be exposed.
The surveys may include privacy/security questions to query if telecommuters have, for example, locked file cabinets to protect member written information, a shredder to properly dispose of confidential documentation, a private area for phone discussions where verbal PHI could be disclosed, equipment issued by the organization so computer drives and equipment are properly secured, etc.
Input from the information systems, information security, and other departments may be part of the solution to determine if, for example, the employee has proper internet and secure technology.
Safety questions maybe included to query if telecommuters were have grounded outlets to prevent electrical shock, cables aligned to baseboards to avoid trips and falls, file cabinets are arranged so open drawers do not block exit routes for safe evacuation, workspaces are free from obstructions that would prevent safe visibility and movement, etc.
Surveys with users predefined drop-down menus or yes/no will later be more easily summarized into tables vs. open-ended questions for reporting.
Auditing: The expense of auditing every telecommuter’s home office is generally cost prohibitive depending on the size of the organization and whom you designate formally as a full-time “telecommuter”. However, this does not preclude a small sample audit to gather a collective picture of the various department office spaces that are telecommuting. As important, random audits will send a message to all telecommuters that an audit/inspection could occur at any time.
Auditors might want to audit for telecommuters with desks that are set up in open areas such as living rooms without doors, where other family members and guests can easily overhear conversations where member/patient information, such as diagnosis, is being shared, and require they use a more private location. Also, audits can assist in determining if telecommuters are using your company’s secure portals, assigned equipment (asset tags or serial numbers), have locked file cabinets, shredders, reasonable electrical outlets, and no dangerous conditions. Audits can also be informative in determining if full-time telecommuters are even working at all in a designated home office (shows as working at home, but not home, in the office, nor a satellite location).
Compliance might want to send a notice to the department leader and all employees denoting the photos of the compliance auditors and explain the scenario so that the telecommuter is aware and refuse the auditor entry. Having at least two auditors traveling together might be a best practice in a personal home audit so, for example, a male auditor is not being asked to audit a female’s home office (which may be located in her bedroom). Generally, audits to businesses might be more formally scheduled so to not interrupt business operations and to ensure the office manager is available to answer questions, or if the auditor needs to travel great distance and wants to be more assured the telecommuter is actually home). The auditor can have a checklist designed to ensure consistency in the audits. As much as the auditor can respect the sensitivity of a home office audit, it is suggested to allow the telecommuter a few moments to remove any personal items even if it slightly reduces the validity of the audit so the employees feel it is less of a personal intrusion in their home. Telecommuters who are call representatives might need a few moments to complete a member/patient call or to call their manager to inform them of the reasons for the lapse in productivity.
Reporting: Depending on how the survey and audit was conducted, and systems utilized, reporting back to departments and to various committees can be structured in a variety of ways to inform the company on the findings and recommendations. A listing of telecommuters audited by department and results can often be helpful for department managers on trends and users who need some additional training and guidance. Depending on the severity of any violations, information security, human resources, or the department leader may need to be immediately informed. The majority of the findings that suggest corrections might be dealt with using focused training or consults with compliance and the department leader.
Employ Best Practices
Telecommuters are seen by some organizations as high compliance risks, either by these staff being unaware of protocols or by the nature of the work environment. Education on compliance, privacy, and security policy is a best practice. Compliance professionals can employ several strategies, as outlined in this article, to help mitigate some of the issues inherent with telecommuter staff positions and employ best practices proactively.
Donna Schneider, RN, MBA, CPHQ, CPC-P, CHC, CPCO, CHPC, is a progressive, visionary healthcare executive with demonstrated accomplishments in corporate compliance, privacy, internal audit, managed care contracting, physician relations, and quality improvement. She has comprehensive experience in hospital operations, involvement in inpatient, and ambulatory and physician group practice management in an integrated healthcare delivery system. Donna also has managed care and self-insured employer group health plan experience in conjunction with a messenger model physician delivery network tenure. Schneider has been a member of the HCCA Boston Regional Planning Committee, New England Internal Auditors Conference Board, and the Health Care Finance Administration Board RI/MA. She has also been a mentor for Year Up, Rhode Island since 2018.
Yesenia Contreras, MHA, CIC-I, has 24 years of experience in the healthcare industry. Her proficiency includes developing and implementing audit and education activities required to comply with federal guidelines and other compliance related requirements. Contreras’ expertise includes working with regulations that govern the activities of outpatient physician services, behavioral health services, and community practices. In addition, she strives to increase and strengthen healthcare providers’ awareness and understanding of medical record documentation guidelines and coding principles.
AAPC's annual salary survey gives a good understanding of the earning potential within the medical coding profession.
See what actually is going on in the healthcare business job market.