HIPAA and PHI Cybersecurity Best Practices in the COVID-19 Era

one photo / shutterstock.com

When the first SARS-CoV-2 case was recorded, it was difficult to appreciate the extent to which cybersecurity concerns, particularly in connection to the protection of patient healthcare data, would enter into main­stream consciousness. Although many practices and healthcare organizations have recently adopted additional measures to safeguard patients’ protected health information (PHI) through expanded cybersecurity monitoring, remote working conditions and the use of electronic communications pose a security risk and can create access points for cyber criminals that could result in a breach.

Further, with more employees than ever working remotely, it is critical to ensure that physical spaces (e.g., offices, ware­houses, and other sites and facilities) be properly secured to prevent unauthorized access, use or disclosure of PHI or other sensitive information.

To protect against these heightened risks, implementing HIPAA and PHI cyber­security best practices related to technical and physical security is critical.

1) Adequate Technical Infrastructure, Updated Corporate Policies & Procedures

Federal law provides a technical safeguard framework for covered entities and business associates to implement in connection with access to PHI. Relevant guidance includes the following key elements of significant importance in the COVID-19 era:

• Access control. Implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
• Unique user identification (required). Assign a unique name and/or number for identifying and tracking user identity.
• Emergency access procedure (required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
• Automatic logoff (addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
• Encryption and decryption (addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Organizations have flexibility, particularly with the “addressable” requirements, in how they implement these security protocols. These addressable concerns are particularly important in the COVID-19 era given the rise in the use of telehealth.

With patient screenings being conducted through the use of online portals and virtual meeting rooms, patient data are being both stored and disseminated through online network channels, email and other telecommunications modes. As a result, access control, encryption and automatic logoff are particularly important.

Although these considerations have always been significant, these safeguard elements are connected to scenarios that were less frequently contemplated prior to the rise of telehealth. Consider the following: