Technology & Innovation

HIPAA and security at home – is someone peeking at your screen?

A woman holding a phone and sitting in front of a computer

I recently interviewed security expert Paul Johnson, who is a partner at Wipfli LLP’s Risk Advisory Services Practice, on HIPAA and information security during the November session of the Healthcare Hangout (insert link). Paul provided some interesting insight into HIPAA in the age of COVID-19, as well as some things to think about for your 2021 security planning. Of note, you may need to ask yourself, “is someone peeking at your screen?”. Read more to find out about this!


Unsurprisingly, much of our conversation centered on the security implications of working from home. According to a Stanford study1, 42% of US workers are now working from home. Many families have had to set up makeshift offices in their home. Doing this creates a need for security/privacy safeguards for these work at home arrangements. According to Paul, “There are several security challenges that come with having a home office. Computers and other materials/media containing Protected Health Information (PHI) may be accessible in paper form, or visible on computer screens by other family members or guests.” You need to ask yourself who can also see your screen at home.

Tip #1-Shore up your information.

Make sure that any confidential information or PHI is not accessible to others in the home. Lock away files, password protect your computer, and make sure to log out every time you leave your workspace. You don’t want to end up on the HHS Breach Report2 often referred to as the wall of shame.

Deadlines are fast approaching for the 21st Century Cures Act – Information Blocking Final Rule and Certification. The Final Rule supports seamless and secure access, exchange, and use of electronic health information. A recent article on the ONC website3 detailed that, “Patients need more power in their health care, and access to information is key to making that happen.” Among that information is transparency into the cost and outcomes of their care.

Tip #2-Understand and plan for the Information Blocking Final Rule and Certification.

There will be a continuation into 2021 of the OCR enforcement discretions regarding HIPAA. According to Paul, “HHS’ Office of Civil rights issued a number of announcements related to COVID-19. Many were related to enforcement discretion regarding things like community testing, first responders, uses and disclosures by business associates, and telehealth. These actions are in effect until the health emergency is declared to be over and so will likely continue well into 2021.

Tip #3 – check out and understand your HIPAA obligations.

Information Security

Healthcare is the most targeted sector globally for phishing and malware attacks4. We are seeing phishing and malware attacks aimed at teleworkers. According to a recent ZDNet article5, “While employees and their PCs were once safely behind the office firewall, now they’re perched at a makeshift workstation in their kitchen or bedrooms, using all manner of cobbled-together technologies to get the job done.” When discussing this with Paul, he added, “We are seeing phishing and malware attacks aimed at teleworkers, as many organizations were not well set up to work from home, and so they had to rush to get their workforce set up-implementing remote access systems. Some have not set it up properly and created vulnerabilities into the organization’s network. They may not be using multi-factor authentication, which can lead to account compromise.”

Tip #4-make sure you are using multi-factor authentication and test your remote access systems for vulnerabilities.

Healthcare organizations should also be vigilant about protecting against ransomware.

Tip #5-Review your cyber insurance coverage and make sure your systems are backed up.

Cyber-attacks are on the rise during COVID-19. Be sure to check your coverage to ensure it is adequate. A recent Security Magazine article6 found that, “…Newer strains of ransomware have been particularly malicious, with costly ransom demands and criminal actors threatening to expose an organization’s data if they don’t pay the ransom.” 

You can learn more about HIPAA and Healthcare Security on Wipfli’s Healthcare Risk Practice page, including:

  • Cybersecurity Testing
  • HIPAA Security Risk Assessment
  • HIPAA Privacy Assessment
  • Incident Response and Handling
  • HITRUST Services


1 –

2 – 

3 –

4 –

5 –

6 –