The sudden and unexpected COVID-19 pandemic has created a tough dilemma in responding to the pandemic while also safeguarding protected health information (PHI). The capacity of the health system has increased through temporary facilities, healthcare delivery via telehealth, and testing sites. Consequently, the ability of the healthcare system to manage a complex flow of information through an underprepared infrastructure has been put to the test.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule ensures the security of patients’ PHI and requires reasonable safeguards to be implemented to protect PHI against impermissible uses and disclosures.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued guidance to help covered entities and business associates understand their obligations during the COVID-19 pandemic. This has come in the form of bulletins, notifications of enforcement discretion, and other announcements regarding important changes to how the OCR will enforce HIPAA, and its privacy, security, and breach regulations.
These modifications are intended to give covered entities such as hospitals, testing centers, and telehealth providers greater flexibility in how they process PHI in response to the pandemic. However, the OCR makes it clear that waivers are only temporary and that privacy rule protections are not waived even in an emergency.
While these changes are intended to address the immediate needs of the COVID-19 pandemic and are set to expire once the COVID-19 public health emergency ends, they may have a longer-lasting impact than OCR anticipates, as they may lead to calls for more permanent HIPAA reforms.
How has patient privacy been affected throughout the past year of COVID-19?
The requirement to test, treat, and vaccinate COVID-19 patients quickly outweighed certain privacy concerns. Patients had to be swabbed in parking lots, results were sent to lab facilities that had recently been set up in former office buildings, and the results had to be returned to the patients in some way.
On the other hand, healthcare companies that used to have employees working in an office setting had to transition to remote work in various home offices. Therefore, HIPAA enforcement was eased in order to prepare for an unforeseeable set of circumstances.
Loosened HIPAA regulations enabled providers to deploy large-scale telehealth services that allowed employees to work from home, but because there was little time to complete this task, vulnerabilities went unaddressed, and the security of company data was jeopardized. At the same time, cyber adversaries were not idle: they took advantage of the crisis to make money by launching a wave of COVID-related ransomware attacks and stealing sensitive information.
Several examples of privacy violations, such as misrouted emails, have emerged since the beginning of the pandemic. HHS set a new record in 2020 for the number of breaches and financial penalties imposed. Many of these compromises occurred via email or a network server, and the increase was most likely attributable to the COVID-19 pandemic.
On Jan. 19, 2021, the Office for Civil Rights announced its decision to exercise its enforcement discretion and not impose penalties for violations of the HIPAA rules on covered entities or their business associates for the scheduling of individual appointments for COVID-19 vaccinations during the pandemic in connection with the good faith use of online or web-based scheduling applications (WBSAs).
Vendors of such applications may be unaware that HIPAA-covered entities are using their products to create, receive, maintain, or transmit ePHI, and that as a result a WBSA vendor may meet the HIPAA rules’ definition of a business associate. In such cases, OCR will not enforce penalties for noncompliance in connection with the good faith use of a WBSA for arranging COVID-19 vaccination appointments for individuals.
Despite OCR’s enforcement discretion, the notification also encourages the use of appropriate safeguards to preserve the privacy and security of individuals’ confidential health information, such as using only the minimum necessary PHI, using encryption, and enabling all available privacy settings.
What causes potential HIPAA breaches during COVID-19?
This list of breaches of unsecured protected health information affecting 500 or more individuals was published by the U.S. Department of Health and Human Services’ Office for Civil Rights. It shows that the healthcare industry has been heavily targeted throughout the pandemic.
In 2020, healthcare data breach reports were dominated by hacking/IT incidents, according to published healthcare data breach figures on the OCR website.
The other causes were unauthorized access/disclosure, theft, improper disposal, and loss of data. Phishing attacks continue to be a leading cause of data breaches in healthcare, and they are frequently the first stage of a multi-stage attack that includes the deployment of malware or ransomware. The second largest HIPAA violation penalty ever, $6.85 million, was announced in 2020 and resulted from a phishing attack that introduced malware into the victim’s IT systems and remained undetected for nearly nine months.
How can HIPAA-covered entities make sure they have safeguards in place to stay compliant despite the new challenges of COVID-19?
HIPAA requires covered entities to safeguard data at all times, whether it is at rest, in transit, or in storage. Healthcare providers should modify their security programs to fill the gaps that arise when employees work remotely, in order to avoid breaches and other HIPAA violations, and should make sure staff have completed HIPAA compliance training.
Hospitals can no longer rely on traditional network and perimeter defenses to compensate for device security flaws, or on skilled personnel to securely configure and maintain them. With the rise of telework and conference calling, it is almost impossible to ensure a safe data path through the home, public network, and cloud infrastructure; therefore, proactively securing all devices and encrypting data at the source become critical.
Good cybersecurity practices, such as using an email encryption vendor, can help to prevent data breaches. Many of these services will automatically encrypt PHI-containing messages or alert employees if they are about to send an unencrypted email outside their organization.
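As an added illustration of the outbound-mail policy described above (example code, not from any vendor or from the original article), the following script applies the two rules in a simplified form: auto-encrypt a message that leaves the organization and contains PHI, and alert the sender when an unencrypted message leaves the organization. The domain, the PHI detectors (an SSN pattern and an MRN pattern), and the sample message are constructed assumptions; real gateways use far richer detectors.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed organization domain (constructed for this example)
INTERNAL_DOMAIN = "example-hospital.test"

# Two illustrative PHI detectors; a real product would use many more
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.IGNORECASE)


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    body: str
    encrypted: bool  # True if the message is already encrypted end to end


def contains_phi(text: str) -> bool:
    """Heuristic PHI check on the message body."""
    return bool(SSN_RE.search(text) or MRN_RE.search(text))


def leaves_organization(mail: OutboundMail) -> bool:
    """True if any recipient is outside the internal domain (no '@' counts as external)."""
    return any(r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN for r in mail.recipients)


def policy_decision(mail: OutboundMail) -> str:
    """Return 'allow', 'encrypt' (auto-encrypt PHI) or 'alert' (warn the sender)."""
    if not leaves_organization(mail) or mail.encrypted:
        return "allow"
    if contains_phi(mail.body):
        return "encrypt"
    return "alert"


if __name__ == "__main__":
    # Constructed sample: a clinician emailing a result to an outside lab, unencrypted
    sample = OutboundMail(
        sender="nurse@example-hospital.test",
        recipients=["results@partner-lab.test"],
        body="Patient MRN 00123456, SSN 123-45-6789, swab result attached.",
        encrypted=False,
    )
    print(policy_decision(sample))  # encrypt
```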
Having a whistleblowing system can help prevent data leaks, because employees can anonymously report illegal activity and suspicious behavior.
Standard practices and procedures, such as access levels and controls, as well as network security safeguards such as firewalls and using VPNs, should be re-evaluated.
Being vigilant, performing periodic testing, and constantly reassessing policies and security programs are all part of good security practice. Installing forced updates on all devices or updating applications on a regular basis, installing patches, and backing up data in multiple locations will help organizations stay compliant despite the new challenges of COVID-19.