COVID-19 has changed the HIPAA landscape in the short term, and some of these changes will undoubtedly echo long after the pandemic has ended. We’ve summarized the latest changes and how you can maintain the security goals for your organization and stay in compliance.
HIPAA Changes Timeline (So Far)...
In February, OCR released a bulletin on COVID-19 and how patient info can be shared without HIPAA authorization for treatment, public health safety, and patient care. In the bulletin, there are also cautions against disclosure to the media, and perhaps most important to your IT security, reminders about limiting protected health information (PHI) and minimum necessary standards and safeguards. This principle is commonly referred to as “rule-based access.” We’ll discuss that in detail below.
In March, OCR created its Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, and corresponding FAQ with the following takeaways:
- OCR will not impose HIPAA penalties against covered health care providers for noncompliance in connection with the good faith provision of telehealth using remote communication technologies (e.g. Skype, Zoom, etc.)
- Applies to telehealth for any reason (not only COVID-19 diagnosis and treatment)
- Non-public-facing apps (e.g. FaceTime or Skype) may be used, but public-facing apps (e.g. Twitch, Facebook Live, etc.) should not be used. In fact, using public-facing apps will move covered entities outside of the good faith provision of telehealth.
In April, OCR released telehealth guidance for business associates making disclosures for the purposes of public health. Previously, disclosures to public health agencies (e.g. CDC) and health oversight agencies (e.g. CMS) were only allowed if the contract between the associate and covered entity expressly permitted those disclosures. Since those contracts could act as a barrier for data and disclosures for the good of public health, OCR removed the enforcement of violations in those specific cases (i.e. NOT to all of HIPAA).
During the same month, OCR released guidance on community-based testing sites (CBTSs) with the following takeaways related to HIPAA:
- Implementing the “minimum necessary” rule (limiting unnecessary or inappropriate access to and disclosure of protected health information) - e.g. not disposing of PHI in a dumpster or unsecured location and using buffer zones, canopies, curtains for testing
- Using secure technologies to transmit PHI
- Posting a notice of privacy practices
Most recently in May, OCR issued guidance on restrictions on media access for COVID-19, requiring patient consent and HIPAA authorization before media access to PHI is given, and even went so far as to specify that “masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient.”
In Mississippi specifically, the Mississippi Division of Medicaid is allowing its beneficiaries access to telehealth services from home, encouraging the use of personal devices to seek and receive medical care and waiving the limitation on the use of audio-only conversations until May 31, 2020. The Mississippi State Board of Medical Licensure has updated its licensure guidance to waive state licensure restrictions, allowing out-of-state physicians “whose specialty services are determined to be necessary by the Mississippi State Department of Health” to treat patients in Mississippi. Additionally, a Medicaid State Plan Amendment Telehealth Emergency Waiver has been submitted to allow for telehealth service flexibilities during a state of emergency.
Be sure to check the Center for Connected Health Policy (CCHP) for state-specific COVID-19-related telehealth laws, regulations and Medicaid program updates.
IT Security Impacts and Recommendations
Let’s dive into how these HIPAA changes affect your IT function, particularly around the “minimum necessary” rule.
If you are a covered entity, you should notify your patients that third-party applications (such as Zoom or Skype) potentially introduce privacy risks, and your IT function should enable all available encryption and privacy modes when using such applications. If you desire additional security, OCR suggests evaluating products that showcase HIPAA compliance, such as Zoom for Healthcare or Amazon Chime. However, OCR does not endorse any products, so use your discretion and do research before signing on with a solution.
From an audit perspective, you should require any contractors or physicians working in that capacity, and especially employees, to sign an Acceptable Use Policy or similar document agreeing to abide by the IT security policies of your organization. You might also consider a reminder email or re-acknowledgement for your current employees, especially if your IT policies have changed as a result of COVID-19. This can help reduce liability to your organization in the event a breach occurs from a point of entry your IT configuration may not control.
Disaster Recovery and Business Continuity
If COVID-19 taught us anything, it’s that we should be prepared for the worst. Thankfully, you can test your business continuity and disaster recovery plan as part of HIPAA requirements without going overboard. Your BCDR team may have insight into applications and repositories identified as priorities for recovery operations, which may have changed due to your operations with COVID-19. Consider other business units or operations separated geographically due to the pandemic, including specialized business units or acquisitions. These groups may have new unique IT systems that could be in-scope for HIPAA risk analysis requirements.
In the current landscape, social engineering attacks for healthcare and essential services are increasing exponentially, as outlined in a recent CISA alert. Now that your IT department has hopefully settled its users in for remote work, strengthening that shell through consistent training and reminders will help users become more familiar with the types of attack vectors in the new COVID-19 landscape, particularly around the topics of small business or federal aid offers, and help them to combat those techniques.
So, I’m off the hook?
Not exactly. These HIPAA changes are designed to offer relief to covered entities responding to the COVID-19 crisis, but they are definitely not a free pass when it comes to compliance. Entities will still need to ensure compliance with other applicable state privacy laws to the extent they are still in effect. State breach notification laws continue to remain in effect, so even if an entity is not required to follow HIPAA breach notification requirements, it may still be required to provide breach notification by state law.
When the public health emergency ends, providers will be expected to comply with the applicable HIPAA regulations as before. However, we expect telehealth services will only continue to grow given their success in the COVID-19 landscape, so it is reasonable to expect additional regulation and guidance around the use of those technologies and processes in the future. HORNE will be there to monitor those changes.
If you are a covered entity or provider, HORNE can help you prepare now with our maturity-based HIPAA Security and Privacy assessment. Reach out to us today and let us know how we can help you.