The COVID-19 pandemic has compelled most healthcare organizations to adjust their operating procedures and workflows to ensure critical business continuity. Among those efforts is a massive shift to remote work and care.
The move, however, has made HIPAA compliance much more difficult.
Consider a recent notice issued from the Department of Health and Human Services’ Office for Civil Rights, which has temporarily suspended penalties for noncompliance of HIPAA rules surrounding telehealth communications:
Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
The notice is helpful for providers administering care to at-risk patients, but it’s still a temporary solution — and it shouldn’t be viewed as a free pass. Healthcare providers are an increasingly attractive target for hackers during the public health emergency, according to the Department of Homeland Security.
And HIPAA rules will still apply to healthcare workers once the federal provisions have lifted, no matter where or how their work is performed.
Here’s a look at ways for healthcare staff to remain HIPAA compliant in remote settings and minimize the risk of protected health information becoming disclosed without authorization.
Set Up Remote Workspaces for HIPAA Compliance
While it’s impossible to avoid every security risk, strong technological and policy-related solutions can create a more compliant alternate workspace. A certain degree of control can be attained with reliable safeguards followed by every employee.
What does that involve? The Cybersecurity and Infrastructure Security Agency encourages organizations to consider the following suggestions:
- Establish and update VPNs — along with any and all devices being used in a remote work environment — with the latest software patches and security configurations.
- Confirm that IT security teams monitor and test VPN limits to prepare for an increase in the number of users. Team members should also prepare to implement any modifications for users with higher bandwidth needs.
- Make certain security teams are also ready to address an increase in the need for security-related tasks — log review, attack detection and incident response and recovery — tied to the sudden ramping up of remote work.
- Implement multifactor authentication on all VPN connections (if MFA isn’t possible, ensure that remote staff are using strong passwords).
- Notify all staff that phishing attempts are likely to increase while working remotely.
Tom Kellermann, head of cybersecurity strategy for VMware Carbon Black, also highlights some top measures healthcare staff should take to better protect themselves at home:
- Address home network concerns. Ensure that you’re the only system administrator for your home network and all devices that connect to it. Next, change your router’s password to a sentence or phrase rather than a single word. Lastly, home routers typically have two networks; put your work laptop on one and all other devices on the other.
- Mitigate software-associated risks. Deploy the appropriate security software on all your devices; update your software, including applications, on Tuesday nights; and use Firefox as your browser.
- Be vigilant when videoconferencing. Set a password for every Zoom meeting. If sensitive material must be discussed in a meeting, ensure that the meeting name doesn’t suggest that it’s top-secret, thus making it a more attractive target for potential eavesdroppers. Finally, restrict the sharing of sensitive files to the approved file-sharing technologies, not as a part of the meeting itself.
Each solution is part of a greater defense. It’s important for organizations and staff to work together to adopt a combination of these measures to avoid a data breach.
Extra Security Measures to Consider with Telehealth
Already increasing in popularity before the pandemic, telehealth services have seen a sudden surge in use and availability.
Some providers hoping to provide remote care have adopted existing business conferencing tools to facilitate care — but many of the platforms weren’t designed with healthcare data security in mind.
“The average video platform lacks the security and encryption necessary to protect patient privacy and ensure HIPAA compliance,” Alexi Alizadeh, CEO of Adviise, said in a recent company press release. “This represents the type of security breaches that healthcare providers just cannot afford to risk.”
A HIPAA-compliant medical service platform, Adviise recently introduced secure telemedicine software into its existing suite of healthcare solutions. End-to-end encrypted software empowers care providers to virtually interact with patients without compromising security or privacy.
As remote work and care become even more common, tools such as these will become ever more critical to maintaining HIPAA compliance.
Organizations must continue defining and communicating remote employee guidelines and laying the right infrastructure for staff to safely perform their duties at home. These efforts, applied consistently, will ensure everyone remains HIPAA compliant, no matter the location.