As small businesses adapt to a remote workforce during the COVID-19 pandemic, many risk falling prey to compliance violations without knowing it, particularly in highly regulated sectors, such as healthcare and finance.
Small businesses in both sectors are embracing digital transformation as a quick, resourceful way to meet the telework needs the pandemic has created. That is only the first step. They must also learn the regulations that apply to them and prevent violations while their staff works remotely. With a remote and largely unsupervised workforce that isn’t always mindful of compliance, the risk is ever-present and hard to monitor. For financial services firms, the pitfalls lie in FINRA’s supervision rules; for healthcare providers, the Health Insurance Portability and Accountability Act (HIPAA) sets particularly unforgiving traps.
The Transition to Digital Has Its Challenges
When it comes to embracing new technology, banking and financial services providers have traditionally been on the cutting edge as early adopters, even without an ongoing coronavirus crisis. Vanguard, for example, is already piloting a digital-only planning and advice product. This means that down the line, smaller firms may also have to adopt a digital-only model to compete. Many boutique wealth management firms are turning to informal channels that include Facebook, Skype, and WhatsApp, as opposed to creating a platform wholesale.
Although some clients may prefer to reach their financial planners on familiar apps, problems arise when a wealth management firm cannot monitor and record interactions on those channels for appropriate conduct. FINRA Rule 3110 (Supervision) requires member firms to maintain a supervisory system, including review of correspondence with customers, capable of catching inappropriate trades or unsound advice; a conversation the firm cannot see or retain cannot be supervised. In addition, the SEC’s Regulation Best Interest (Reg BI) package of rules, with a compliance date of June 30, 2020, imposes a higher standard of conduct on broker-dealers and their representatives when they make recommendations to retail customers.
On the healthcare side, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced in March 2020 that it will exercise enforcement discretion and not impose penalties for HIPAA noncompliance in connection with the good-faith provision of telehealth over non-public-facing remote communication products such as FaceTime, Skype, or commercial videoconferencing tools. Two caveats: the discretion does not extend to public-facing services such as Facebook Live or TikTok, and OCR has said it will resume normal enforcement as soon as the public health emergency ends. Don’t get too comfortable.
Monitoring Employees Is Critical
The biggest compliance concern with a remote workforce is the difficulty of monitoring employees who may not focus on compliance once they are outside their usual work setting. A typical HIPAA slip-up: a doctor working from home asks a long-time patient to send an x-ray to his wife’s phone because his own device is temporarily unavailable. Transmitting PHI to a device outside the practice’s control is a violation on its own, and it is compounded if the wife’s phone automatically uploads the image to a Facebook album or cloud backup where it can surface later.
Social media HIPAA violations are costly to the bottom line and an organization’s brand. For instance, a dental practice recently had the OCR hammer come down when it was fined $10,000 for disclosing a patient’s name and health condition in a response to a Yelp review of the practice.
As more of the world’s interactions move online, remember that patient privacy must be protected regardless of channel or circumstance. Any public disclosure of PHI remains a violation, even under relaxed enforcement: what has changed is the immediacy of enforcement, not the obligation.
By the same token, financial firms without a system to monitor their advisors across digital channels have no way of knowing whether those advisors are complying with Reg BI. Regulators will not accept the absence of such a system as an excuse; the responsibility rests squarely on the firm.
Here are some tips for remote compliance in both industries:
Establish an official presence on nontraditional channels.
If you don’t offer an official channel connecting clients with advisors, your employees will find one themselves, without regard to privacy, and that poses significant risk. For example, 40% of millennials in the Asia-Pacific region reportedly contact their wealth managers over WhatsApp. If you’re not on WhatsApp, you’re missing an opportunity to reach a wealthy and upwardly mobile segment of the global population. But when your salespeople pursue that population from their personal WhatsApp accounts, the firm is exposed: those conversations are end-to-end encrypted and live only on the employee’s own device, so the firm can neither supervise nor archive them. An unmonitored communication channel is likely to end in a violation.
Create a centralized monitoring platform.
It’s a good idea to have an official presence on all your customer channels and to have your representatives use them. Even so, you still need to archive every communication record in a single, centrally accessible, secure and tamper-evident store (broker-dealer records are additionally subject to SEC Rule 17a-4’s retention and non-rewriteable, non-erasable storage requirements). Otherwise your conversation records stay siloed inside each platform, subject to that platform’s retention policy rather than yours.
Unify your communications.
Having your employees constantly switch between applications to reach different customers is a chore that adds unnecessary complexity and eats into productivity. Instead, why not use a single platform for chat, fax, voice, video, and SMS that lets your representatives communicate on any channel and, just as important, records and archives everything in one place?
Conduct an effective risk assessment.
Under HIPAA, healthcare providers must conduct an accurate and thorough risk analysis and maintain a risk management plan. Failure to meet these basic requirements puts the privacy and security of patient information at serious risk, and the ramifications aren’t small. For example, on March 3, OCR fined a gastroenterological practice in Utah $100,000 for failing to conduct an effective risk assessment covering the privacy of its more than 3,000 patients.
Report breaches as required.
The blatant failure to report breaches, even during this crisis, is likely to draw aggressive enforcement from OCR when full enforcement of HIPAA returns. Under the Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, and breaches affecting 500 or more people must be reported to HHS within the same window. OCR reached a $2.175 million settlement with a hospital system late last year after the hospital mailed the PHI of nearly 600 patients to the wrong addresses, then incorrectly concluded that only eight patients were affected. Because of that faulty conclusion, the hospital neither reported the incident to OCR nor notified the patients involved. The price of that mistake was high.
Repeat HIPAA offenders must be especially vigilant.
OCR has made it clear that repeat HIPAA violators are on its radar. Last December, OCR fined an ambulance company $65,000 for repeated offenses after the company lost a laptop with an unencrypted hard drive containing the PHI of more than 500 patients. Note the detail that did the damage: had the drive been encrypted in line with HHS guidance, the data would have been unusable to whoever found the laptop, and its loss would not have counted as a breach of unsecured PHI requiring notification.
The protection of PHI from exposure remains a core HIPAA concern and will certainly remain one after COVID-19 has run its course.
Joel Maloff is the Chief Compliance Officer for Phone.com, a cloud-based, unified communications, collaboration, and business phone systems provider trusted by more than 32,000 businesses across the U.S. and Canada. With award-winning U.S.-based 24/7 customer service and over 50 customizable features, including audio and video conferencing, call forwarding, collaboration, voicemail transcription, IVR, vanity and virtual toll-free 800 and local numbers, Phone.com is a complete solution that allows you to connect with anyone, anywhere, and at any time.