It’s been 24 years since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. Designed to protect the privacy, security and integrity of protected health information (PHI), the law has been notoriously difficult to comply with and requires organizations to have specific measures in place to safeguard this information. Combine these challenges with a global pandemic, and compliance officers across the globe are stretched thin as they work to ensure their organization is fully compliant.
Dramatic shifts in virtual work and a rise in telehealth appointments seemingly happened overnight, leaving many health care providers and related organizations unprepared. These types of occurrences can leave both small and large organizations vulnerable to a myriad of outside and inside threats, as well as reputation-damaging fines. Now is the time for compliance officers to get a better grasp on compliance and continuity across the organization. Let’s explore just how to achieve this:
COVID-19’s Impact on HIPAA
In March, the U.S. Department of Health and Human Services (HHS) chose not to impose penalties for noncompliance around telehealth during COVID-19. While this has allowed health care providers to deliver care from wherever they are, organizations that handle protected health information (PHI) must remain vigilant. Telehealth services have been critical to providing continuity of care, but this convenience can put personal patient information at higher risk of unauthorized access, leading to a greater number of data breaches.
With so many touchpoints, organizations and personnel handling PHI on a daily basis, remaining compliant is already a major challenge. But the urgency to manage COVID-19 has created an environment where organizations may be moving too fast for their own good. For example, a business may have the best intentions in creating a customer sign-in register with a temperature check before people enter the premises, but where is this data being stored? And more importantly, who has access to it? These are questions some organizations may never have had to consider, but now they are at the forefront of every compliance officer’s mind.
This isn’t to say organizations should not collect this information, as it is critical to the health of other customers and employees. However, they should be hyper-aware of its value, location and security measures. While the long-term effects of COVID-19 remain to be seen, the collection of PHI may become more prevalent as companies look for a better snapshot of their customer base.
Virtual Work & PHI Compliance
As a result of HIPAA’s far-reaching regulatory arm, any organization that manages, transmits or comes in contact with PHI is subject to its rules. As this data is shared between providers, billing companies, third-party vendors and others, it is at risk of being saved in insecure locations like local folders, the cloud, internal messaging apps and a number of other places. This vulnerability is heightened by the rise in remote work across the world. Small to mid-size companies that don’t have the capital of larger companies may have been caught off guard, and are therefore at increased risk of HIPAA violations.
This new period of remote work may be here to stay, and if it is, maintaining the level of security control for protecting data needs to be a primary goal. The first step when handling any type of sensitive data in a remote setting is to review your existing procedures and controls, including:
Ultimately, the enforcement of these standards may fall on a compliance officer or CISO, but it needs to be the role of every employee to make the right decision with sensitive data.
How to Ensure Compliance by Starting With Data
Beyond reviewing security standards and training employees, given recent changes to working practices, there are some specific precautions and protection measures for maintaining HIPAA security compliance. The first is conducting a ground-up data discovery scan to determine where all PHI is located and identifying who has access to it. The number of users with access should be as limited as possible, thus mitigating the risk of breach or access by unauthorized users, whether they’re inside or outside the organization.
By data mapping all forms of storage, such as on-premises databases, remote endpoint laptops or desktops, backup archives and all remote cloud storage, organizations can begin to truly understand the scope of risk as it pertains to where data is located, and mitigate it with effective safeguards that reduce the potential for a data breach.
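To make the data discovery scan described above concrete, here is an added example (not code from the original article) of a minimal scanner in Python: it walks a directory tree, flags files containing PHI-like identifiers, and reports each file's owner and read exposure, which is the "who has access" question the text raises. The indicator patterns and the sample record are constructed placeholders, not a complete PHI definition.

```python
"""Added example: a minimal PHI discovery scan that walks a directory tree, flags
files matching PHI-like patterns, and reports who can read each hit."""
import os
import re
import stat

# Illustrative indicator patterns (constructed; not a complete PHI taxonomy).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s-]*\d{6,10}\b"),
    "dob": re.compile(r"\bDOB[:\s]*\d{2}/\d{2}/\d{4}\b"),
}

def find_phi(text):
    """Return {pattern_name: hit_count} for every pattern that matches."""
    counts = {name: len(rx.findall(text)) for name, rx in PHI_PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}

def access_exposure(mode):
    """Translate a POSIX file mode into the 'who has access' finding."""
    if mode & stat.S_IROTH:
        return "world-readable"
    if mode & stat.S_IRGRP:
        return "group-readable"
    return "owner-only"

def scan_tree(root):
    """Walk root; return one finding per file that contains PHI-like data."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, errors="ignore") as fh:  # undecodable bytes skipped
                    hits = find_phi(fh.read())
            except OSError:
                continue  # unreadable by the scanner itself; keep walking
            if hits:
                st = os.stat(path)
                findings.append({"path": path, "hits": hits, "owner_uid": st.st_uid,
                                 "exposure": access_exposure(st.st_mode)})
    return findings

# Constructed sample record showing the matcher on realistic-looking input.
SAMPLE_RECORD = "Patient: J. Doe  MRN: 00123456  DOB: 01/02/1970  SSN 123-45-6789\n"

if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['path']}: {f['hits']} uid={f['owner_uid']} {f['exposure']}")
```

Run it against a share or home directory root; any finding marked world-readable or group-readable is a candidate for tightening permissions before the next scan.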
Data discovery scans are foundational to understanding data risk and should be conducted regularly to ensure a strong overall security posture for the organization. In addition to regular scans, there are other best practices to guide HIPAA compliance efforts, including:
As technology continues to advance, especially in the healthcare industry, and the value of data continues to rise, organizations need to anticipate security risks before they occur. The best way to achieve this is by consistently monitoring for the spread of PHI and other forms of personal data using regular data discovery scans that can locate data wherever it rests. However, data compliance and security do not end there.
Even with the most advanced technology, an organization’s defenses are only as strong as its weakest link, which can often be the people on the front line accessing data as part of their day-to-day job. Organizations must remain vigilant in providing adequate proactive education on what following security best practice truly means. By implementing the right procedures and training, an organization can ensure its people are equally prepared to defend against attacks and ultimately avoid falling victim to a data breach.