W2 versus 1099: Privacy and Security Requirements for Remote Workers
by Kelly McLendon
We recently heard from a colleague discussing the upside and downside of working from home: “Sorry, no thanks! I’ll stay on the right side of the law. A surprising number of ‘remote’ workers are violating HIPAA and don’t have proper safeguards in place to protect PHI. Not to mention many employers misclassify remote workers as 1099 contracted consultants rather than W2 employees.”
As our colleague’s post suggests, it is important for remote workers, whatever their employment relationship, to be in compliance with applicable privacy and security regulations, such as HIPAA.
Remote workers may be W2 employees, in which case the responsibility for ensuring they meet all HIPAA privacy and security regulations is based upon their employer’s compliance plan, policies, procedures, etc. These employees must be adequately trained and monitored to ensure they abide by the privacy and security policies and procedures that their employer puts into place. Many times, employers require additional confidentiality statements ensuring the employee understands their responsibilities as a remote worker.
But 1099 workers are different. They are independent contractors and must sign a Business Associate Agreement (BAA) with the Covered Entity (CE) or Business Associate (BA) with which they are contracted. In the BAA, they will attest that they independently meet all applicable HIPAA privacy and security regulations. This can be very challenging for independent contractors, but it is mandatory if they are signing a BAA. The CE or BA must then get ‘satisfactory assurances’ that the contractors are adequately managing privacy and security. These assurances can vary depending upon the organization.
Either employment relationship, whether W2 or 1099, can be made to work so long as sufficient attention is paid to ensuring compliance with applicable privacy and security regulations.