HIPAA Compliance in the Age of COVID-19
It’s been 24 years since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. Designed to protect the privacy, security and integrity of protected health information (PHI), the law has been notoriously difficult to comply with and requires organizations to have specific measures in place to safeguard this information. Combine these challenges with a global pandemic, and compliance officers across the globe are stretched thin as they work to ensure their organization is fully compliant.
Dramatic shifts in virtual work and a rise in telehealth appointments seemingly happened overnight, leaving many health care providers and related organizations unprepared. These types of occurrences can leave both small and large organizations vulnerable to a myriad of outside and inside threats, as well as reputation-damaging fines. Now is the time for compliance officers to get a better grasp on compliance and continuity across the organization. Let’s explore just how to achieve this:
COVID-19’s Impact on HIPAA
In March, the U.S. Department of Health and Human Services (HHS) chose not to impose penalties for noncompliance around telehealth during COVID-19. While this has allowed health care providers to deliver care from wherever they are, organizations that handle protected health information (PHI) must remain vigilant. Telehealth services have been critical to providing continuity of care, but this convenience can put patient information at higher risk of unauthorized access, leading to a greater number of data breaches.
With so many touchpoints, organizations and personnel handling PHI on a daily basis, remaining compliant is already a major challenge. But the urgency to manage COVID-19 has created an environment where organizations may be moving too fast for their own good. For example, a business may have the best intentions in creating a customer sign-in register with a temperature check before customers enter the premises, but where is this data being stored? And more importantly, who has access to it? These are questions some organizations may never have had to consider, but now they are at the forefront of every compliance officer’s mind.
This isn’t to say organizations should not collect this information, as it is critical to the health of other customers and employees. However, they should be hyper-aware of its value, location and security measures. While the long-term effects of COVID-19 remain to be seen, the collection of PHI may become more prevalent as companies look for a better snapshot of their customer base.
Virtual Work & PHI Compliance
As a result of HIPAA’s far-reaching regulatory arm, any organization that manages, transmits or comes in contact with PHI is subject to its rules. As this data is shared between providers, billing companies, third-party vendors and others, it is at risk of being saved in insecure locations such as local folders, the cloud, internal messaging apps and a number of other places. This vulnerability is heightened by the rise in remote work across the world. Small to mid-size companies that don’t have the capital of larger companies may have been caught off guard, and are therefore at increased risk of HIPAA violations.
This new period of remote work may be here to stay, and if it is, maintaining the level of security control for protecting data needs to be a primary goal. The first step when handling any type of sensitive data in a remote setting is to review your existing procedures and controls, including:
- Define device ownership – Ideally an organization will own all of the devices its employees use on its network, to ensure no sensitive information is saved in personal folders. Full device ownership also allows the organization to monitor devices remotely and validate that they are secure.
- Reconsider existing security policies – By performing a complete review of existing security policies and standards, organizations can assess how robust their current employee security procedures are given increased remote work and more widely distributed data storage. Common security measures include restricting company devices to use by employees only, forbidding personal printers or portable storage, and limiting the types of data that can be stored on local devices or in team-accessible locations.
- Educate staff – Once device ownership and security standards have been re-established, organizations must take the time to educate employees on keeping clients’ data safe in today’s working environment. As organizations increasingly focus on the value of data, employees make decisions about data every day that have major impacts on business operations. Investing time in interactive training that shows employees the importance of their decisions is the best way to mitigate risk.
Ultimately, the enforcement of these standards may fall on a compliance officer or CISO, but it needs to be the role of every employee to make the right decision with sensitive data.
How to Ensure Compliance by Starting With Data
Beyond reviewing security standards and training employees, given recent changes to working practices, there are some specific precautions and protection measures for maintaining HIPAA security compliance. The first is conducting a ground-up data discovery scan to determine where all PHI is located and who has access to it. The number of users with access should be as limited as possible, mitigating the risk of breach or access by unauthorized users, whether they are inside or outside the organization.
By mapping data across all forms of storage, such as on-premises databases, remote endpoint laptops or desktops, backup archives and all remote cloud storage, organizations can begin to truly understand the scope of risk as it pertains to where data is located, and mitigate it with effective safeguards that reduce the potential for a data breach.
Data discovery scans are foundational to understanding data risk and should be conducted regularly, to ensure a strong overall security posture of the organization. In addition to regular scans, there are other best practices to guide HIPAA compliance efforts, including:
- Encryption – Encrypting PHI protects it from unauthorized users and, when combined with integrity protection (authenticated encryption or digital signatures), also serves as a way to verify the origin and integrity of the data.
- De-identification – Commonly referred to as the “Safe Harbor” method, de-identification strips the identifying information from health data so that it is no longer considered PHI. The value of the Safe Harbor method is that it allows organizations to use the data in market research, case studies and partnership collaborations.
- Disposal – Once all legal requirements to retain PHI have expired, covered entities can begin the process of disposing of the data. While no particular disposal method is mandated, HHS recommends that physical records containing PHI be shredded, burned or pulverized until they are determined to be unreadable. Electronic copies of PHI (ePHI) should be securely deleted, purged or destroyed.
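To make the de-identification step concrete, here is an added example (not code from the original article) that applies the Safe Harbor rules to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to their three-digit prefix (or 000 for sparsely populated prefixes), ages over 89 are aggregated, and identifier-shaped strings are scrubbed from free-text notes. The field names, the sample record and the regular expressions are assumptions for illustration; the restricted ZIP prefix list is taken from HHS guidance and should be re-checked against the current release.

```python
import re
from datetime import date
# Keys holding direct identifiers (assumed field names); dropped outright.
DIRECT_IDENTIFIERS = {"name", "street_address", "phone", "email", "ssn", "mrn",
                      "health_plan_id", "account_number", "device_serial", "ip_address"}
# 3-digit ZIP prefixes covering 20,000 or fewer people; Safe Harbor requires
# these be reported as 000 (list from HHS guidance; re-check the current one).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}
# Identifier shapes that commonly leak into free-text clinical notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]

def generalize_zip(zip_code):
    # Only the 3-digit prefix may be kept, and 000 for sparse prefixes.
    return "000" if zip_code[:3] in RESTRICTED_ZIP3 else zip_code[:3]

def generalize_date(value):
    # The year of a date is permitted; month and day are not.
    return str(date.fromisoformat(value).year)

def generalize_age(age):
    # Ages over 89 collapse into a single "90+" category.
    return "90+" if age > 89 else age

def scrub_text(text):
    # Replace identifier-shaped substrings with placeholder tokens.
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def deidentify(record):
    # New record: identifiers removed, quasi-identifiers generalized, text scrubbed.
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key.endswith("_date"):
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out
```

The regex scrub is a safety net, not a guarantee; free text can carry names and other identifiers that no pattern catches, so notes fields should be reviewed or dropped before release.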
As technology continues to advance, especially in the healthcare industry, and the value of data continues to rise, organizations need to anticipate security risks before they occur. The best way to achieve this is by consistently monitoring for the spread of PHI and other forms of personal data, using regular data discovery scans that can locate data wherever it rests. However, data compliance and security do not end there.
Even with the most advanced technology, an organization’s defenses are only as strong as its weakest link, which can often be the people on the front line accessing data as part of their day-to-day job. Organizations must remain vigilant in providing adequate proactive education on what following security best practice truly means. By implementing the right procedures and training, an organization can ensure its people are equally prepared to defend against attacks and ultimately avoid falling victim to a data breach.