HIPAA, or the Health Insurance Portability and Accountability Act, is a set of laws that define the ways that healthcare providers and organizations must protect the privacy of their patients’ medical information. The COVID-19 pandemic has transformed the way in which the world views the role of patient privacy and the importance of HIPAA’s privacy and security protections. As a means of protecting patient privacy and security, HIPAA has been continually challenged with the COVID-19 pandemic.
The healthcare system has struggled to manage a complex flow of information through an underprepared infrastructure. A significant obstacle was, however, that healthcare providers do not yet have a comprehensive understanding of the potential impacts of COVID-19 on patient data or privacy-protection solutions. In addition, the regulatory and industry framework around HIPAA needs to adapt to the unprecedented scenario of the pandemic to manage healthcare data and keep it safe, secure, and accessible to patients, healthcare providers, and healthcare systems.
Consequently, the HIPAA Privacy Rule was amended to allow healthcare providers to share patient information with third parties in order to prepare for the unforeseen circumstances of the COVID-19 outbreak. The transition from office work to remote work, and the easing of HIPAA enforcement, helped healthcare companies prepare for the new normal.
The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is giving covered entities such as hospitals, testing centers, telehealth services, and other healthcare providers greater flexibility as they manage the pandemic. But they still need to keep strict security measures in place to protect patient privacy.
How Has COVID-19 Affected Patient Privacy?
It was a difficult decision, but because the requirement to diagnose, treat, and vaccinate people quickly outweighed privacy concerns, the healthcare industry was forced to make changes in order to prepare for an unforeseeable set of circumstances. This new situation also enabled large-scale telehealth services, but it didn’t allow enough time for proper implementation, which led to company data being jeopardized and cyberattacks taking advantage.
This is a perfect example of how the healthcare industry needs to think about patient privacy to be prepared for the future. Not that the threat is as high as it normally would be for the healthcare industry, but because healthcare companies have to be more mindful about patient data and are in need of privacy-aware cybersecurity solutions.
Staying Compliant As A HIPAA-Covered Entity
HIPAA is a federal law that requires healthcare providers to safeguard patient data at all times. The Office of Civil Rights has decided not to enforce penalties on covered entities for violations of HIPAA rules for certain areas and provided flexibility, but the OCR’s new guidelines are to promote the use of appropriate measures to protect individuals’ confidential health information. The best way to do this is to allow all available privacy settings, use encryption technology, review entities’ HIPAA compliance policies, and modify security programs to fill gaps that arise when employees work remotely.
Due to the increased use of technology for remote work, healthcare providers should review their HIPAA compliance policies and modify their security programs to avoid breaches and HIPAA violations. With the rise of telework and cloud calling, it is almost impossible to ensure a safe data path through the home, public network, and cloud infrastructure. Network and perimeter defenses are no longer enough to compensate for device security flaws. Data must be encrypted at the source to protect sensitive information.
Proactively securing all devices and encrypting data at the source becomes a critical responsibility. Encrypting emails, which will help to prevent data breaches, is a good cybersecurity practice. Not only will it automatically encrypt PHI-containing messages or alert employees if they are about to send an unencrypted email outside of their organization, but it can also block spam and phishing messages.
Security is a never-ending process. Reviewing controls, performing tests, and reassessing policies are all part of good security practices. Installing updates and patches on all devices, updating applications, and backing up data in multiple locations will help organizations stay compliant. Regularly arranging HIPAA compliance training for employees would, of course, support organizations’ attempts to maintain a high level of understanding. It is time to be vigilant, perform periodic testing, and constantly reassess policies and security programs in order to stay compliant.