Maintain HIPAA Compliance During and After COVID-19

Let’s face the truth – COVID-19 has changed everything as we know it. The world has been in lockdown for months, the majority of people are working remotely, and yet cases of the coronavirus keep rising. While some countries are preparing to ease lockdowns, others have already done so, and some of the latter are already seeing a resurgence in COVID-19 cases. While all of that keeps happening, one thing is certain – organizations dealing with PHI (protected health information) still have to ensure HIPAA compliance.

Some rules have been relaxed, others still apply

During normal times, HIPAA mandates that both covered entities and business associates comply with its rules to ensure the security of PHI at all times. However, COVID-19 is such an unprecedented scenario that some rules have been relaxed to ensure better and faster care for patients. Even after those relaxations, several other rules remain in place and must be followed by organizations that deal with PHI – and their remote employees need to adhere to those rules as well.

Why did many healthcare professionals go remote?

This was done intentionally – as HIPAA rules were relaxed around telehealth and other areas, it was recommended that regular patients use telehealth instead of in-person visits. This achieved two things: it reduced the pressure on hospitals, which are still flooded with COVID-19 cases, and it kept regular patients from being exposed to infection control issues. Thus, to ensure that healthcare services are provided in a safe environment, many healthcare personnel switched to remote work and used telehealth to do so. Telehealth, as a result, saw a huge increase in usage.

However, not only doctors but much of the wider healthcare staff were instructed to move to remote work to reduce the spread of the virus. This also prompted their employers to define and enforce the privacy rules that need to be followed. These employees include the ones who handle, transmit, and maintain PHI. Thus, everyone who deals with PHI needs to ensure HIPAA compliance, even while working remotely.

Telehealth and HIPAA

We’ve already covered why telehealth’s usage exploded. The fact that patients can get treatment from home without stepping into a doctor’s office, coupled with the lockdown, boosted its popularity immensely. On top of that, HHS (the Department of Health and Human Services) relaxed HIPAA enforcement so that penalties are waived for healthcare providers using video/audio communications technology to treat patients. This made telehealth usage skyrocket and reach uncharted territory. However, healthcare providers have been strongly advised to ensure that adequate security measures are in place. For instance, an encrypted means of video or audio communication can be used to achieve just that.

HIPAA during and after COVID-19

Thanks to the remote working culture that many organizations have adopted, they are experiencing an unforeseen opportunity – it reduces costs significantly while having minimal effect on employee performance. Some organizations have declared that they will allow their employees to work from home until the end of 2020. Others will continue working from home until the pandemic ends, showing that remote work is here to stay for a while. Taking all their employees into consideration, organizations need to take a proactive approach and ensure HIPAA compliance both during and after COVID-19.

Any organization dealing with PHI should document how it is achieving compliance even while employees are working from home. It should also provide employees with basic guidelines on how they can maintain compliance from home.

Suggested guidelines regarding devices

  1. Organizations should provide authorized devices through which PHI will be accessed, and it must be explicitly stated that no other party may use those devices.
  2. Employees need to ensure that the internet connections and routers they use are secure – instruct them to use complex passwords and to encrypt the network. Employees should use a VPN where possible.
  3. Any device with access to PHI should sit behind a firewall and have antivirus software installed.
  4. Personal equipment used for work must be authorized by superiors and come with a clear set of rules as to what can and cannot be done with it.
  5. Hard copies of PHI should be kept locked when not in use and out of the reach of others. After use, the papers must be discarded with a shredder.

Suggested guidelines regarding device access

  1. Keep log entries of all access to the devices.
  2. Ensure that systems log users out automatically after a period of inactivity.
  3. Unless authorized by superiors, employees should strictly refrain from copying PHI to unsecured media such as flash drives, external hard drives, etc.

Published by Riyan N. Alam
