Watch Out for Telecommuter Compliance Risks
Manage telecommuter risk by knowing what you are up against and applying compliance solutions.
Many healthcare organizations want to reduce expensive physical office space, improve employee morale, and offer flexible options for the workforce — telecommuting has emerged as a commonplace solution for this. Compliance officers want to embrace these up-and-coming offsite, or remote, employee opportunities; however, risk management must still be demonstrated in the organization. A less controlled home office environment is risky, especially in an industry where regular access to member/patient information is often required by employees (and breaches can and do occur).
Many of us, including medical coders and other healthcare business professionals, may also find ourselves on the other side of this equation, as home office telecommuters. You may wonder what you can do to mitigate risks to members, patients, your organization, and yourself at the same time. Let’s visit the compliance risks and discuss your solutions.
Become Familiar with the Risks
Privacy and security are not the only issues, safety and other regulatory considerations are risks that can be compounded by telecommuting employees. Employees working in spaces where the employer is not ensuring Occupational Safety and Health Administration (OSHA), ergonomic, fire, safety, electrical standards, etc., are met (as they would in a corporate office) can create a confusing dilemma. There is often not clear guidance on how the compliance, safety, information security, regulatory, human resources, and legal departments manage the risks for remote employees to reduce inherent safety, privacy, security, and other threats.
Compliance leaders globally have asked if new solutions are needed to address telecommuter employees. Shareholders are increasing demands for better assurances from compliance that the organization’s exposure is mitigated. What solutions can better reassure everyone that all telecommuters are working in both a safe and compliant home office environment?
The U.S. Department of Health and Human Services (HHS) holds that covered entities that allow employees to telecommute or work out of home-based offices and have access to electronic private health information (e-PHI), must implement appropriate safeguards to protect the organization’s data.
Although OSHA’s position has wavered on responsibilities for employers regarding the safety of telecommuter home offices, employers still find themselves responsible for the aspects of home-based worksites to minimize other liabilities such as workers’ compensation cases or tort litigation from damage to employee personal property. Increasing cases of ergonomic injuries such as carpal tunnel syndrome or back strain are also a growing concern.
A combined approach of focused telecommuter attestations, policies, training, surveys, and audit programs may be a best practice for organizations to consider in addressing the telecommuter employee.
The following are risk solutions to consider with telecommuters:
On hire into a telecommuter position, annually and/or as advised by your legal counsel, telecommuters can be required to attest to policies and protocols your organization deems necessary in accepting the offsite job responsibility. Employees might slowly transition into a telecommuter (work-at-home) role, and the signing of the attestations might be easily missed. There may also be internal discussions needed to define who is a telecommuter.
There are both off-the-shelf and custom systems that can assist in the automation (assignments, tracking, reporting) of the attestation process and these might be combined with other annual signature requirements. The attestation can include not only traditional compliance department risks but also safety, human resources, and other areas that you deem important. Part of the attestation might include the agreement to accept a potential unannounced remote work-at-home audit, to maintain work-at-home status, and to notify that violations may lead to termination of telecommuter status among other sanctions.
For those employees transitioning into part-time or full-time telecommuting positions, managers may decide to consider reasonable requests from employees to telecommute. The intent is that by offering telecommuting arrangements to staff, managers can better attract and retain qualified team members. Management, with the support and assistance of human resources and leadership, may develop a policy in which employees can be held accountable, such as requiring:
- Telecommuters follow the same organization policies and procedures as onsite employees.
- Employees can transition to telecommuting hours based on proven ability to perform the department job responsibilities with little direction.
- Employees may be selected for telecommuting jobs based on seniority.
- Employees with no current active corrective actions are qualified to telecommute.
- Telecommuters must meet technology requirements, such as having high-speed internet access available and are required to use a company router and computer or provide equipment that meets information security requirements.
- Telecommuters have a separate home office work area, such as a room separated from other family members by a door, and a shredder to dispose of PHI.
- Telecommuters have reasonable ergonomics in place such as a functional workstation and chair.
- All cable and electrical cords must be in good condition with no exposed wires or frayed extensions and no trip/fall or fire hazards.
- The employer reserves the right to inspect the telecommuter work area.
Only a portion of your employee workforce might fall into the telecommuter category. If so, a decision might need to be made whether to integrate work-at-home best practices into the training for all employees or carve out a unique program targeted for that audience. Some companies implement a blended learning approach to telecommuter compliance training and have managers provide in-person training during (or shortly after) new hire orientation, and then assign an online primer or recorded webinar annually.
Online courses can be structured with tabs where certain cohorts of employees will optionally be diverted to a different series of slides.
Other awareness activities, such as intranet posts, Compliance Week handouts, AAPC resources, best practice cases, and brief reminders in regional meetings, are helpful.
Sending surveys to current telecommuters and those to be on-boarded to assess their current work-at-home environment may also help the compliance group assess the current situation. If the majority of telecommuters are working in remote satellite locations (such as in member/patient homes, shared spaces in a medical facility and hospitals, health departments, private billing companies, etc.) as opposed to their own personal home, this may present some insights to the type of risks to which they may be exposed.
The surveys may include privacy and security questions to ask telecommuters if they have:
- Locked file cabinets to protect member written information
- A shredder to properly dispose of confidential documentation
- A private area for phone discussions where verbal PHI could be disclosed
- Equipment issued by the organization, so computer drives and equipment are properly secured
Input from the information systems, information security, and other departments may be part of the solution to determine if, for example, the employee has proper internet and secure technology.
Safety questions may be asked if telecommuters have grounded outlets to prevent electrical shock, cables aligned to baseboards to avoid trips and falls, file cabinets arranged so open drawers do not block exit routes for a safe evacuation, workspaces free from obstructions that prevent safe visibility and movement, etc.
Surveys with pre-defined, drop-down menus, or yes/no questions will later be more easily summarized into tables versus open-ended questions for reporting.
The expense of auditing every telecommuter’s home office is generally cost-prohibitive, depending on the size of the organization and who is designated formally as a full-time telecommuter. This, however, does not preclude a small sample audit to gather a collective picture of the various telecommuting office spaces. As important, random audits will send a message to all telecommuters that an audit or inspection could occur at any time.
Auditors may want to audit for telecommuters with desks that are set up in open areas such as living rooms without doors — where other family members and guests can easily overhear conversations about member/patient information, such as a diagnosis being shared — and require they use a more private location. Audits can help determine if telecommuters are using your company’s secure portals, assigned equipment (asset tags or serial numbers), have locked file cabinets, shredders, reasonable electrical outlets, and no dangerous conditions. Audits can also be informative in determining if full-time telecommuters are even working at all in a designated home office (shows as working at home, but not home, in the office, or a satellite location).
Compliance should consider sending a notice to the department leader and all employees, denoting the photos of the compliance auditors, and explain the scenario to make the telecommuter aware, so they are not afraid of the auditor and refuse their entry. Having at least two auditors traveling together might be a best practice in a personal home audit, so, for example, a male auditor is not being asked to audit a female’s home office (which may be located in her bedroom). Generally, audits to businesses might be more formally scheduled to not interrupt business operations and to ensure the office manager is available to answer questions, or if the auditor needs to travel a great distance and wants to be more assured the telecommuter is actually home). The auditor can have a checklist designed to ensure consistency in the audits. As much as the auditor can respect the sensitivity of a home office audit, it is suggested to allow the telecommuter a few moments to remove any personal items even if it slightly reduces the validity of the audit, so the employees feel it is less of a personal intrusion in their home. Telecommuters who are call representatives might need a few moments to complete a member/patient call or to call their manager to inform them of the reasons for the lapse in productivity.
Depending on how the survey and audit were conducted and systems utilized, reporting back to departments and various committees can be structured in many ways to inform the company on the findings and recommendations. A listing of telecommuters audited by the department and results can often be helpful for managers to discover trends and users who need some additional training and guidance. Depending on the severity of violations, information security, human resources, or the department leader may need to be immediately informed. Most of the findings that suggest corrections might be dealt with using focused training or consults with compliance and department leaders.
Mitigate Telecommuter Risks in Your Organization
Telecommuters are seen by some organizations as high compliance risks, either because staff is unaware of protocols or the nature of the work environment. Education on compliance, privacy, and security policy is best practice. Compliance professionals can employ several strategies in this article to help mitigate some of the issues inherent with telecommuter staff positions and employ best practices proactively.
Yesenia L. Contreras, MHA, CPC-I, is executive director of corporate compliance and internal audits with 24 years of experience in the healthcare industry. Her proficiency includes developing and implementing audit and education required to comply with federal guidelines and requirements. Contreras assists physicians in understanding the complexity of billing rules, identifies lost revenue opportunities and overpayments made due to errors in coding, insufficient medical record documentation, etc. Her expertise includes outpatient physician services, behavioral health services, and community practice regulations. Contreras is fully bilingual (English/Spanish) and is up to date on the impact of the Affordable Care Act for all, including the people of Puerto Rico. She is a member of the New Bedford, Mass., local chapter.
Donna Schneider, RN, MBA, CPHQ, CPC-P, CHC, CPCO, CHPC, is a progressive, visionary healthcare executive that’s accomplished in corporate compliance, privacy, internal audit, managed care contracting, physician relations, and quality improvement. She has comprehensive experience in hospital operations, involvement in inpatient, and ambulatory and physician group practice management and has managed care and self-insured employer group health plan experience. Schneider has been a member of the HCCA Boston Regional Planning Committee, New England Internal Auditors Conference Board and the Health Care Finance Administration Board. She has also been a mentor for Year Up, Rhode Island since 2018, and is a member of the Providence, R.I., local chapter.
AAPC's annual salary survey gives a good understanding of the earning potential within the medical coding profession.
See what actually is going on in the healthcare business job market.