Why HIPAA, Protected Health Information Cybersecurity Best Practices Are Critical in COVID-19 Era

© PopTika / shutterstock.com

When the first COVID-19 case was recorded, it was difficult to appreciate the extent to which cybersecurity concerns, particularly in connection with the protection of patient healthcare data, would enter into mainstream consciousness. Although many practices and healthcare organizations have recently adopted additional measures to safeguard patients’ protected health information (PHI) through expanded cybersecurity monitoring, remote working conditions and the use of electronic communications pose a security risk and can create access points for cyber criminals that could result in a breach.

Further, with more employees than ever working remotely, it’s critical to ensure that physical spaces like offices, warehouses, and other sites and facilities are properly secured to prevent unauthorized access, use, or disclosure of PHI or other sensitive information.

To protect against these heightened risks, implementing the Health Insurance Portability and Accountability Act (HIPAA) and PHI cybersecurity best practices related to technical and physical security is critical.

Infrastructure and Corporate Policies/Procedures

Federal law provides a technical safeguard framework for covered entities and business associates to implement in connection with access to PHI. Relevant guidance includes the following key elements of significant importance in the COVID-19 era.

• Access control. Implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) of HIPAA.
• Unique user identification (required). Assign a unique name and/or number for identifying and tracking user identity.
• Emergency access procedure (required). Establish (and implement as needed) procedures for obtaining necessary electronic PHI during an emergency.
• Automatic logoff (addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
• Encryption and decryption (addressable). Implement a mechanism to encrypt and decrypt electronic PHI.

Organizations have flexibility, particularly with the addressable requirements, in how they implement these security protocols. These addressable concerns are particularly important in the COVID-19 era given the rise in the use of telehealth.

With patient screenings being conducted through the use of online portals and virtual meeting rooms, patient data are being both stored and disseminated through online network channels, email, and other telecommunications modes. As a result, access control, encryption, and automatic logoff are particularly important.

Although these considerations have always been significant, these safeguard elements are connected to scenarios that were less frequently contemplated prior to the rise of telehealth. Consider the following: