Jason Karn, Total HIPAA’s Chief Compliance Officer, recently talked with David Smith, a nationally recognized healthcare benefits consultant and regulatory expert, to discuss HIPAA regulation during the COVID-19 pandemic. They spoke about how COVID-19 has affected HIPAA enforcement and how you can keep your data and business safe in a remote work environment. You can listen to this episode of our podcast HIPAA Talk here or on your mobile device via Apple Podcasts. Or, read the summary below.
PHI and Breaches
In the last decade, the Department of Health and Human Services (HHS) has revised and expanded the definitions of Protected Health Information (PHI) and of a HIPAA breach. The Omnibus Rule of 2013 removed the Harm Standard from the breach notification rule. Previously, an entity that had an unauthorized release of PHI did not have to go through the breach notification process if it could show the release posed no significant risk of harm. Now, any unauthorized acquisition, access, use, or disclosure of PHI is presumed to be a breach, and it must be treated as one unless the entity can demonstrate a low probability that the PHI was compromised.
State laws that govern protected information have also gone into effect in the last few years. Among them are California's California Consumer Privacy Act (CCPA) and New York's Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). These laws do not apply only to companies headquartered in California or New York. If you do business in or have employees residing in one of these states, your business could be subject to these standards. Overseas regulations like the EU's General Data Protection Regulation (GDPR) may also apply to your business if you have clients in the EU.
In 2020, HHS recorded a record number of breaches and financial penalties. Many of these breaches involved email or a network server, which was likely a direct result of the COVID-19 pandemic. Companies whose employees had worked in an office setting had to move them to disparate home offices, and with little time to prepare, vulnerabilities went unaddressed and company data was compromised.
Vulnerabilities of Remote Work
The COVID-19 pandemic has led to a dramatic shift in the way businesses and workers operate. As a result, remote work has the potential to become much more standard across industries. In the last year, many companies have been forced to develop new cybersecurity infrastructure for a remote work environment. As always, protecting company or client data is a priority, and security practices should be developed with this in mind.
In order to avoid breaches and other HIPAA violations, companies should modify their security programs to fill gaps that arise when staff members are working remotely. Standard practices and procedures should be reevaluated, including access levels and controls (who has access to what data and why) and network security safeguards, like firewalls and VPNs. While this may take some work, it will pay off in the long run. Your security program should reflect the realities of your business and what it will take to keep it and your data safe.
HIPAA requires entities to protect data at rest and in transit. Many breaches can be prevented through good cybersecurity practices like using an email encryption vendor. Many of these services automatically encrypt messages containing PHI, or notify employees who are about to send an unencrypted email outside the organization and ask whether they still want to proceed. This is just one of many ways to keep your company's information secure.
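The gateway behavior described above, as an added example that is not part of the original post or of any vendor's product: a small Python policy check that classifies an outbound message as allow, encrypt, or warn based on whether any recipient is outside the organization's mail domains (assumed here to be example-clinic.org) and whether the text carries PHI identifiers. The patterns, domain names, and sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: the organization's own mail domains. Any other recipient domain counts
# as "outside the organization" for the policy below.
INTERNAL_DOMAINS = {"example-clinic.org"}

# Identifier patterns that strongly suggest PHI. Illustrative, not a complete PHI
# classifier: commercial gateways combine patterns like these with dictionaries,
# document fingerprints and sender-declared classifications.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}
# Weaker signals: clinical vocabulary that on its own only warrants a warning.
PHI_KEYWORDS = ("diagnosis", "prescription", "lab results", "treatment plan")


@dataclass
class OutboundMessage:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    encrypted: bool = False  # True if the sender already routed it via the encryption gateway


def external_recipients(msg: OutboundMessage) -> list[str]:
    """Recipients whose domain is not one of ours."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def phi_indicators(text: str) -> tuple[list[str], list[str]]:
    """Return (strong identifier hits, weaker keyword hits) found in the text."""
    strong = [name for name, rx in PHI_PATTERNS.items() if rx.search(text)]
    lowered = text.lower()
    weak = [kw for kw in PHI_KEYWORDS if kw in lowered]
    return strong, weak


def evaluate(msg: OutboundMessage) -> tuple[str, str]:
    """Decide what the gateway does with the message: ("allow"|"encrypt"|"warn", reason)."""
    external = external_recipients(msg)
    if not external:
        return "allow", "all recipients are internal"
    if msg.encrypted:
        return "allow", "already encrypted for external delivery"
    strong, weak = phi_indicators(msg.subject + "\n" + msg.body)
    if strong:
        # Hard identifiers present: encrypt automatically rather than ask the sender.
        return "encrypt", f"PHI identifiers {strong} addressed to external {external}"
    if weak:
        return "warn", f"possible PHI ({weak}) leaving unencrypted to {external}"
    return "warn", f"unencrypted email to external recipients {external}"


# Constructed sample messages (not real traffic).
SAMPLES = [
    OutboundMessage("nurse@example-clinic.org", ["billing@example-clinic.org"],
                    "Chart update", "MRN: 00123456, DOB 03/14/1970, follow-up scheduled."),
    OutboundMessage("nurse@example-clinic.org", ["referral@partner-hospital.example"],
                    "Referral", "Patient MRN 00123456, SSN 123-45-6789, needs imaging."),
    OutboundMessage("frontdesk@example-clinic.org", ["vendor@office-supply.example"],
                    "Toner order", "Please ship two cartridges to the front desk."),
    OutboundMessage("nurse@example-clinic.org", ["referral@partner-hospital.example"],
                    "Referral", "Patient MRN 00123456, SSN 123-45-6789, needs imaging.",
                    encrypted=True),
]

if __name__ == "__main__":
    for m in SAMPLES:
        action, reason = evaluate(m)
        print(f"{action:8} {m.subject!r}: {reason}")
```

The design point is the split between the two behaviors the post describes: hard identifiers (SSN, MRN, date of birth) trigger automatic encryption without relying on the sender's judgement, while any other unencrypted external message gets a prompt. Pattern matching like this produces false negatives (PHI without an identifier) and false positives (an internal document number that looks like an MRN), so treat the patterns as a starting point to tune against your own data.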
Risk Management Strategies
Another key risk management practice that employers should implement is having employees sign a Bring Your Own Device (BYOD) Agreement and a Work From Home Policy. These policies should define what counts as acceptable use of a company-owned or personal device. As a rule, devices should not be shared with family members or left unattended, and home networks should be protected by a firewall.
A VPN encrypts traffic between a remote device and your network's VPN gateway, so a home-office device is covered only while it is connected and only for traffic that actually goes through the tunnel (with split tunneling, the rest goes straight to the internet unprotected). Make sure your company has a current Business Associate Agreement (BAA) or Business Associate Subcontractor Agreement (BASA) with your VPN provider and any other vendor that processes or stores company information. You may have to make configuration changes for certain services or programs to be fully secure and HIPAA compliant. Large vendors like Google, Microsoft, or Zoom will not negotiate a custom BAA, but they typically offer a standard one, published on their website or accepted as part of the service terms, which you should execute and keep for your records.
Having good security practices also means being vigilant, performing periodic testing, and continually reassessing your policies and security programs. Enforce automatic updates on every device, install patches promptly, and back up your data in multiple locations.
The best way to address risks and vulnerabilities is to complete a Risk Assessment. This, along with maintaining current copies of required documents and training staff, is required by HIPAA and should be repeated periodically. Our HIPAA Prime program does all this and more, ensuring compliance for your business.
To learn more, email firstname.lastname@example.org today. Or, get started here.