Data Sharing - How to Maintain ePHI Privacy and Security

July 28, 2020 by Duran Thomas

By Kimberley Whyte.

Security Analyst.

The global spread of COVID-19 has generated countless privacy, data protection, security, and compliance questions for companies working hard to provide care in our new reality of “socially distant” interactions. For all organizations that depend on direct customer engagement, adopting new technologies to enable and support remote audio and video communications is the only path toward remaining in business. Healthcare providers are particularly affected by this paradigm shift. Many smaller providers that only offered in-person services have been forced to quickly adopt new technologies and platforms as a means to offer care to patients. Protecting the security and privacy of patient health-related information is challenging at the best of times, and it is now made even more difficult during the current crisis.

Regulatory Requirements and Changes Due to COVID-19

The Health Insurance Portability and Accountability Act (HIPAA) requires all entities with access to Electronic Protected Health Information (ePHI) to protect the security and privacy of that information. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued waivers and notices of enforcement discretion for several issues related to HIPAA compliance during the pandemic. The following paragraph summarizes the key actions that OCR has taken to modify HIPAA in response to the COVID-19 pandemic:

“OCR’s enforcement discretion for noncompliance with HIPAA regulations against providers leveraging telehealth platforms that may not comply with the privacy rule. The waiver allows covered providers to potentially use any non-public facing remote, audio, or video communication platforms available to provide telehealth and communicate with patients during the pandemic. OCR will not penalize those providers for using potentially non-HIPAA-compliant tools, regardless of whether or not the service is used to diagnose or treat COVID-19-related conditions.”

Learn more about how to get started with HIPPA Compliance with Posture

Recommendations and Best Practices for Security Data During Pandemic

Employees should be trained on potential security risks and the secure use of remote tools.
For employees working remotely, Virtual Private Network (VPN) connections should be made mandatory.
Employers must provide guidelines and policies on restricting the use of private devices and supplying adequate password protection.
Employee security awareness training should be promoted by educating employees about the rising level of coronavirus-related cyberthreats, including potential responses and incident handling.
IT departments must be provided with the resources needed to support employees working securely from home by expanding their network and videoconferencing capacity with vendor-supplied services.