HIPAA Compliance and COVID-19
As the COVID-19 pandemic spreads throughout the world, more and more companies are asking their employees to work from home in light of new government-issued regulations and for their own well-being. This unprecedented health crisis has meant that many sectors have had to adapt to the new conditions and embrace remote work despite past misgivings.
Reluctance to adopt remote work policies is often related to the sensitivity of the information an organization processes. Industries such as health and finance that have stricter data protection requirements in place have long opposed remote work. However, due to recent developments, many have found themselves having to rethink their previous stance and allow their employees to work from home.
Health information is considered highly sensitive data in most countries today. In the US, it falls under the scope of the Health Insurance Portability and Accountability Act (HIPAA) which governs the privacy and security of protected health information (PHI) and is enforced by the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS).
HIPAA requirements relaxed for virtual healthcare
In response to the ongoing COVID-19 pandemic, the HHS recognized the need for healthcare providers to communicate with and provide health services to patients virtually through remote communication technologies. Such technologies were not previously fully compliant with the HIPAA Rules, but the HHS has announced that they are now permitted in response to current circumstances.
The OCR will also exercise its enforcement discretion and not impose penalties for HIPAA noncompliance in connection with virtual healthcare during the COVID-19 public health emergency. It also offered a list of recommended applications that allow for video chats, which included Skype, FaceTime, and Zoom.
HIPAA requirements are still mandatory
While some rules have been relaxed due to the current emergency, it’s worth noting that HIPAA requirements have not been waived. This means that although healthcare organizations may have greater leeway in the tools they use to continue conducting their business, the sensitive health data they collect, store, and process must still be protected.
The HHS states that in an emergency situation, organizations falling under the scope of HIPAA must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. They must also apply the administrative, physical, and technical safeguards detailed in the HIPAA Security Rule.
Protecting health data while working remotely
Once healthcare providers decide to implement remote work plans, it is essential for them to ensure that health data will be protected even when it is taken outside the security of company networks. This starts from the devices employees will be using remotely: they must be encrypted, password-protected, and have updated firewalls and antivirus software installed.
Virtual Private Networks (VPNs) should be used to access the company network remotely. Employees should be required to disconnect at the end of each workday to ensure their computers don’t stay connected longer than necessary to the company network.
Companies should use solutions like Data Loss Prevention (DLP) tools to ensure that health data cannot be copied to any external devices not approved by the organization. In this way, potentially malicious devices cannot be connected to a computer, and data at rest cannot be stolen or stored in a way that is not HIPAA compliant.
Physical protection of files
Working from home may also mean that employees can print information or receive health information through the mail. It is essential, therefore, that they store it in a secure place, whether it’s in a locked cabinet or a home office that no one other than themselves has access to. When they are no longer needed for the original purpose they were collected for, physical files should be shredded or otherwise destroyed.
It is also important that employees work in a private space where no one can see or hear the information they are transmitting or working on. No other individuals, except the employees themselves, should be allowed to access computers on which protected health information is stored.
Monitoring and logging health information
Lastly, health data should be monitored at all times to ensure compliance and to help companies spot any risky practices their employees might be tempted to use while working from home. Logging the movements of health information is also a way for organizations to prove compliance in case the OCR requires it.