COVID's Effect on HIPAA Compliance
Before 2020 brought the COVID-19 pandemic, organizations under HIPAA's jurisdiction could be seen scrambling to complete their HIPAA checklists. By that point, HIPAA compliance was already a priority for most covered entities (CEs) and business associates (BAs). It remains a priority, but it has evolved since the onset of the pandemic.
Not every change is where people expect it, though. For example, the spread of COVID-19 vaccine mandates, and the requirement to show proof of vaccination to enter some businesses, has many wondering where HIPAA draws the line. Is asking for a vaccine card a "HIPAA violation"?
In fact, the Health Insurance Portability and Accountability Act of 1996 does not address a business asking to see evidence of vaccination. HIPAA's rules bind covered entities and business associates handling protected health information, not a shop or restaurant asking a customer to show a card.
In another example, at the end of 2020 the Department of Health and Human Services (HHS) issued a proposal to revamp the HIPAA Privacy Rule. At the end of 2021 it is still a proposal, with none of the changes yet implemented.
To say that HIPAA changes have not been smooth sailing is an understatement. Today it is overall HIPAA compliance, systemic uncertainty, and a lurking executive order that add to the anxiety businesses already have around HIPAA.
Businesses, HIPAA, Mandates and Working Remote
With new mask mandates and COVID-19 restrictions all around us, even here locally, many organizations continue to operate from remote work environments, including employees' homes.
Working outside the office can offer greater productivity and reduce costs while companies navigate pandemic restrictions. But remote work creates obstacles for HIPAA compliance. As the number of remote work environments continues to grow, increased scrutiny of employer safeguards can leave companies worried, confused, and unsure where to turn for help.
Without appropriate privacy and security measures in place, HIPAA Privacy Rule and Security Rule violations may (and probably will) occur.
HIPAA rules apply whether business operations take place in the office, at home, or through telehealth into a patient's home. Meeting them is harder once a patient's protected health information (PHI) leaves the controlled office environment, which is why establishing HIPAA guidelines for staff is so critical.
HIPAA 2022 Forecasts: Why you need to pay attention
In January 2021, HR 7898, also known as the "HIPAA Cybersecurity Recognized Best Practices Bill," became law. It amends the HITECH Act to require HHS to consider whether an organization has had recognized security practices in place for the previous 12 months when deciding whether to:
- bring an enforcement action
- select an entity for an audit
- issue a monetary penalty
If a covered entity or business associate can adequately demonstrate that it has recognized security practices in place, HHS can reduce a fine and/or the length and extent of an audit.
Recognized security practices under the law include:
- The standards, guidelines and best practices developed under the National Institute of Standards and Technology Act (NIST Act), in practice the NIST Cybersecurity Framework.
- The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
- Programs recognized by or set forth in federal laws other than HIPAA, such as CMMC.
(courtesy Compliancy Group)
For organizations that are working toward HIPAA compliance but have not yet achieved it through one of these methods, don't worry.
If you can demonstrate that you are actively working toward compliance and doing your due diligence, you are far less likely to be cited. Keep in mind that the law requires HHS to consider your security practices; it does not promise immunity. The organizations that will pay are those not paying attention, ignoring the responsibility, or treating this update as a reason to let their guard down.
What can Covered Entities and Business Associates do to remain prepared?
According to Compliancy Group, CEs and BAs can:
- Develop policies and procedures prohibiting employees from allowing friends and family to use devices containing PHI.
- Have employees sign a Confidentiality Agreement before they begin work.
- Create a Bring Your Own Device (BYOD) Agreement with clear usage rules.
- Provide lockable file cabinets or safes for employees who store hard copy (paper) PHI in their home offices.
- Provide HIPAA-compliant shredders for remote workers so these workers can destroy paper PHI at their work location once the PHI is no longer needed.
- Develop and require adherence (through a sanctions policy) to a media sanitization policy.
- Ensure employees disconnect from the company network when their work is complete. Employers can enforce this with measures such as IT-configured session timeouts (automatic logoff), so a session left open at home does not stay connected indefinitely.
- Maintain and periodically review logs of remote access activity, so that sessions that outlive the timeout, or logins from unexpected users or locations, are actually noticed rather than merely recorded.
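The last two items, timeouts and log review, are the ones that reduce to a routine an IT team can actually run. The following Python script is an added example, not code from the page or from Compliancy Group: it reads constructed remote-access log lines in an assumed format (timestamp, user, source IP, connect/disconnect), reconstructs each user's session, and flags sessions that exceeded an assumed eight-hour policy limit, including sessions still open at the end of the log, which is exactly the case a missing timeout produces.

```python
"""Review remote-access logs for sessions that outlived the configured timeout.

Added example for the remote-work checklist; not the page's or Compliancy
Group's code. The log format, the eight-hour limit and the sample lines below
are assumptions made for illustration, not from any real VPN product.
"""
from datetime import datetime, timedelta

# Constructed sample lines, not real data. Assumed format:
#   <ISO-8601 timestamp> <user> <source IP> <connect|disconnect>
SAMPLE_LOG = """\
2021-11-03T08:02:11 alice 203.0.113.10 connect
2021-11-03T08:05:40 bob 198.51.100.7 connect
2021-11-03T09:00:00 dave 203.0.113.44 connect
2021-11-03T12:15:02 alice 203.0.113.10 disconnect
2021-11-03T12:20:00 carol 192.0.2.55 connect
2021-11-03T17:40:09 carol 192.0.2.55 disconnect
2021-11-03T23:59:59 bob 198.51.100.7 disconnect
2021-11-04T00:00:00 erin 192.0.2.9 disconnect
"""

SESSION_LIMIT = timedelta(hours=8)  # assumed policy value, not from the page


def parse_log(text):
    """Return (timestamp, user, ip, action) tuples; skip lines that do not parse."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("connect", "disconnect"):
            continue  # malformed line: skip it rather than abort the review
        ts, user, ip, action = parts
        events.append((datetime.fromisoformat(ts), user, ip, action))
    return events


def build_sessions(events):
    """Pair each user's connect with that user's next disconnect.

    A disconnect with no open session (for example after log rotation) is
    ignored; a connect with no disconnect is reported with end=None.
    """
    open_by_user = {}
    sessions = []
    for ts, user, ip, action in sorted(events):
        if action == "connect":
            open_by_user[user] = (ts, ip)
        elif user in open_by_user:
            start, ip = open_by_user.pop(user)
            sessions.append({"user": user, "ip": ip, "start": start, "end": ts})
    for user, (start, ip) in open_by_user.items():
        sessions.append({"user": user, "ip": ip, "start": start, "end": None})
    return sessions


def find_overlong(sessions, limit=SESSION_LIMIT, now=None):
    """Return sessions longer than `limit`; open sessions are measured up to `now`.

    If `now` is not given, the latest timestamp seen in the sessions is used.
    """
    if now is None:
        now = max((s["end"] or s["start"]) for s in sessions)
    flagged = []
    for s in sessions:
        duration = (s["end"] or now) - s["start"]
        if duration > limit:
            flagged.append({**s, "duration": duration})
    return flagged


def review(text, limit=SESSION_LIMIT, now=None):
    """Run the full review and return the sorted usernames to follow up on."""
    flagged = find_overlong(build_sessions(parse_log(text)), limit, now)
    return sorted(s["user"] for s in flagged)


if __name__ == "__main__":
    for s in find_overlong(build_sessions(parse_log(SAMPLE_LOG))):
        state = "still open" if s["end"] is None else "closed"
        print(f"{s['user']:<6} {s['ip']:<14} {s['duration']} ({state})")
```

On the sample data the review flags bob, whose session ran almost 16 hours, and dave, whose session was never closed; erin's stray disconnect is ignored. Pointing `review` at a real export and scheduling it is the "periodically review" step; the flagged names are the ones to check against the timeout configuration and the sanctions policy.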
COVID's effect on Compliance Regulations
Have you considered whether mandates will now require your business to be HIPAA compliant?
Take a moment to review our discussion on COVID's effect on Compliance Regulations with Compliancy Group's VP of Partner Engagement & Cybersecurity, Paul Redding.