
Maintaining Privacy and Security During COVID-19

Monday, September 14, 2020


Written by: Joe Gellatly, CEO and co-founder of Medcurity, Inc.

In response to the COVID-19 pandemic, the Department of Health and Human Services and the Office for Civil Rights (OCR) have issued waivers and notices of enforcement discretion for some areas of Health Insurance Portability and Accountability Act (HIPAA) compliance.

The waivers have been designed to support telemedicine and data sharing for a rapid transition to safe, remote patient care. These changes remain in effect while the Federal Public Health Emergency (PHE) is active. The PHE was declared on January 27, 2020, and must be renewed every 90 days; it is currently set to expire on October 23, 2020.

Health centers should note that OCR has not indicated that any aspect of these flexibilities will be sustained after the PHE, and additionally, the waiver of HIPAA penalties does not allow for lax privacy and security practices. Some appropriate privacy and security measures need to be put into place when taking advantage of these temporary rules.

OCR’s waivers and enforcement discretion opened up the potential to leverage a variety of platforms for telemedicine, even if the platform was not compliant with the HIPAA privacy rule. The OCR provided additional guidance stipulating that privacy practices must be followed, public-facing platforms are not allowed, and end-to-end encryption must be enabled. Additionally, enforcement of some requirements for data sharing and public testing sites has also been relaxed during the PHE.

These temporary flexibilities eliminated some barriers to providing patient care during this crisis. However, community health centers must continue to be vigilant in their work to comply with privacy and security requirements. System and workflow changes and new threats this year are driving a significant increase in risk for healthcare organizations.

Many health organizations rapidly made significant business changes so they could continue to serve their patients. While the initial focus may necessarily have been on functionality, all providers must now be sure to review every new system and workflow from privacy, security, and compliance perspectives.

Per the HIPAA Security Rule, all covered entities are required to conduct an organization-wide security risk analysis (SRA) on a regular basis. This process should help assess the risk and any compliance gaps in a health center’s new business processes and new technologies. The SRA should include a risk assessment of all HIPAA-required safeguards, including an organization’s administrative, physical, and technical controls. The assessment should include a review of the organization’s policies and procedures, as well as patient forms and notices, to ensure all have been updated and are accurate in the current environment.

Past research has shown that 90% of the organizations that have incurred financial settlements or penalties related to a breach of protected health information had failed to conduct a recent, complete SRA. Platforms such as Medcurity offer a guided SRA to help groups document and assess their risks. Medcurity also provides dashboards for measuring risk, ongoing guidance on compliance, and action item tracking for remediation throughout the year following the SRA.

Technology-based threats are increasing as well. Industry experts report that more than 200 phishing websites are being created daily so far in 2020. A variety of opportunist pandemic-related phishing emails have been targeting healthcare workers.

Phishing emails are just one of the paths that bad actors take to attempt to access healthcare or financial information, for theft, ransom, or other destructive purposes. The efforts are frequently successful. As one indicator, the OCR’s Breach Report site indicates that there has been an IT-related HIPAA breach of over 500 patient records on nearly a daily basis over the past three months.

Health center leaders can use ongoing training and phishing simulation exercises to build employee awareness of these risks. Emails must be regarded with a healthy level of paranoia to protect the organization. Additionally, health centers are encouraged to regularly conduct network vulnerability assessments and penetration tests to validate the security of their IT infrastructure.

Community health centers continue to adapt and lead the way in responding to a variety of crises. In these times of rapid change, any privacy or security breach would add tremendous and unwanted challenges to an already-complex environment. Incorporating compliance and security into all strategies will help protect the health center and keep the team focused on the mission.

Joe Gellatly is the CEO and co-founder of Medcurity, Inc. Medcurity.com is an online platform for conducting HIPAA Security Risk Assessments, creating and maintaining policies, and managing business associate agreements.

NWRPCA welcomes and regularly publishes white papers and articles submitted by members, partners and associates with subject matter expertise. The appearance of any guest publication in our Health Center News database represents the views of the author and does not constitute endorsement by NWRPCA of the stated opinions or perspectives, nor does it suggest endorsement of the contributor's products or services.
