COVID-19 and HIPAA

The World Health Organization (WHO) has declared the recent coronavirus outbreak, otherwise known as Coronavirus Disease 2019 (COVID-19), a public health emergency of international concern. On March 11, WHO characterized COVID-19 as a pandemic, detected in 114 countries around the globe as of that date.¹

The outbreak has prompted many employers in the U.S. to request that workers take sick leave, work from home, or use various other precautions to ensure the safety of themselves and the business. Organizations that must comply with HIPAA should have a Disaster Recovery Plan in place for such a situation. We’ll walk you through preventative measures, necessary supplies, sick leave, remote access, and other protocols that should be addressed during this outbreak.

Stock Up on COVID-19 Supplies

Coronavirus has hit some portions of the country harder than others, prompting different response levels from different communities. Regardless of where you fall on this spectrum, it’s important to take both proactive and reactive measures to safeguard your business operations and your employees’ health.

Frequent hand washing and sanitation should be encouraged. You should also stock up on COVID-19 supplies. These should include:

  • Hand sanitizer
  • Bottled water
  • Disinfection wipes
  • Plastic gloves
  • Hospital masks
  • Thermometers
  • Towels 
  • Plates and plastic silverware
  • Personal hygiene products
  • Battery radios
  • Flashlights
  • Kitty litter for cleaning vomit and other spills

Redundancy

In addition to health-related safeguards, you should put procedures in place for the continued operation of your business and access to critical systems in the event of such an outbreak. One crucial component of this is redundancy. There should be an emphasis on cross-training of staff and IT personnel. Make sure more than one person knows how to complete tasks, access accounts, and manage operations so the business stays up and running.

If one of your employees becomes sick and tests positive for coronavirus, the entire staff should be tested, and the office sanitized. Have clear policies in place regarding how long infected employees may take off work and if sick leave is paid. Note: offering paid sick leave is one of the most effective measures you can take to ensure that employees who aren’t feeling well stay home. This prevents the spread of the COVID-19 virus.

If an employee is sick or hospitalized, you should have a plan for how to access their account. You must also have multiple IT staff who know how to reset accounts, have emails forwarded to other employees, and administer other necessary protocols if such an event occurs.

COVID-19 Quarantine & Remote Access

On March 25, the Centers for Disease Control and Prevention (CDC) called for the cancellation of in-person events involving 50 or more people for the next eight weeks. Businesses should also be engaging in social distancing. It is recommended that organizations vacate the workplace and have staff work from home during the pandemic.²

This change in work environment will significantly affect how employees access and transmit protected health information (PHI), and should not be taken lightly. The risks associated with remote access include:

  • Theft of unencrypted personal devices
  • Identity theft
  • Poor security practices when working from home (e.g., family or others viewing confidential information on a device that has been left unattended)
  • Unauthorized downloading of ePHI (electronic PHI)
  • Inadequate malware protection
  • Data corruption
  • System hacking³

Every organization that handles PHI should have Privacy and Security Policies and Procedures in place that establish rules for secure off-site work. These will mitigate risks, keep confidential information safe, and maintain the safety and integrity of critical systems. These privacy and security rules include:

  • Use the company’s virtual private network (VPN)
  • Document which employees have remote access and designate different access levels according to their roles
  • Keep logs of remote access activity and review them periodically
  • Do not allow family, friends, or others to use devices containing PHI
  • Disconnect from the company network when work is completed
  • Do not copy PHI to external media or devices not approved by the organization
  • Encrypt home wireless router traffic
  • Encrypt and password-protect all devices
  • Arm devices with firewalls and anti-malware software
  • Have IT configure all devices before they access the company’s network remotely³

Cybersecurity Measures

Hackers are taking advantage of the hysteria surrounding the crisis to target companies with phishing emails and malware. There has been an uptick in malicious emails mentioning the outbreak that appear to be from business partners or public institutions.⁴

Your staff should be trained to recognize social engineering, such as phishing scams. You should also have anti-malware software, firewalls, and a Disaster Recovery Plan in place that calls for multiple backups of data in multiple locations. When in doubt about an email, delete it or forward it to your IT department for review.⁵

Backup & Recovery

The most important safeguard for the long-term wellbeing of your business is having a comprehensive Disaster Recovery Plan. Shifting from being in the office to remote access can leave lots of room for error.

Have a reliable system in place, and ensure multiple people are trained on how to perform a recovery. You must ensure the confidentiality, availability, and integrity of PHI during this crisis.⁶

If you’re interested in creating a disaster recovery plan for your business, contact us today at info@totalhipaa.com. If you are a HIPAA Prime subscriber, your compliance documents include a disaster recovery plan. We understand COVID-19 impacts everything we do, especially our work, and we are here to help!

Please see the latest CDC guidelines here.

  1. WHO Director-General’s opening remarks at the media briefing on COVID-19 – 11 March 2020
  2. CDC recommends no events of more than 50 people for next eight weeks
  3. Safeguards for Remote Access
  4. Hackers Target Companies With Coronavirus Scams
  5. Ransomware Attacks Directed at Businesses Grow
  6. Preparing For Every Disaster
