HIPAA was a high priority for most healthcare providers before the pandemic.
COVID-19 has stretched resources, lengthened to-do lists, and made it harder to keep up with HIPAA compliance.
That is a problem, because HIPAA risk has only increased during the pandemic, for two reasons.
First, hackers are opportunists.
They know the pandemic strains healthcare facilities, and a cyberattack is more likely to succeed against a provider in the middle of a COVID-19 surge. In March 2020, U.S. authorities warned that hackers were focusing their efforts on the three states then hit hardest by the coronavirus (California, New York, and Washington) and were targeting employees working from home.
Second, the pandemic has brought new ways to violate HIPAA.
Providers and vendors have scrambled to stand up testing sites and vaccine clinics, systems to manage the data flowing in and out of those sites and clinics, and software for signing up for tests and vaccines, to name a few. Many of these were put together hastily because they were urgently needed. Was HIPAA the first consideration? Probably not. Predictably, breaches followed.
- Denton County, Texas announced a breach involving a third-party application used by the County for COVID-19 vaccination clinics. This application had a configuration error that exposed information about individuals who received vaccinations.
- An agency employee at Atascadero State Hospital in California improperly accessed patient and employee information, including COVID-19 test results. The records involved 1,735 current and former employees and 1,217 job applicants. The improper access was discovered during an “annual review of employee access to data folders, and the employee is believed to have been improperly accessing the information for about 10 months….”
- The Lake County Health Department and Community Health Center in Illinois announced that 24,000 patient names were on a spreadsheet attached to an unencrypted email sent to an employee’s personal email address.
- Indiana’s COVID-19 online contact tracing survey was breached, compromising the data of hundreds of thousands of Indiana residents. The breach was caused by a software misconfiguration that left the information visible to the public.
I know resources are stretched thin, and people are exhausted. But it is still important to ask: Have you upped your HIPAA game during the pandemic? Has your organization addressed evolving threats that COVID-19 has brought the healthcare industry?
Here are some more questions to ask:
When was the last time you updated your HIPAA Security Risk Analysis? Has it been updated for new uses of technology brought on by the pandemic? Examples include a security and privacy analysis of remote work, and HIPAA training tailored to remote work.
Have you increased public relations and/or social media use during the pandemic? If so, have the individuals managing those areas been trained on HIPAA?
Do you have business associate agreements with new vendors that handle PHI?
Do you train volunteers (for example, volunteers providing additional support during the pandemic) on HIPAA?
What precautions have been taken to protect COVID-19 testing and vaccine information – which some consider “sensitive” PHI?
What measures are in place to identify and stop cyberattacks such as ransomware? If the organization is hit with ransomware, how quickly can it recover its data?
Answering these questions sooner rather than later can reduce the risk of a HIPAA breach. In pandemic times, a HIPAA problem – particularly one that cuts off access to records or services – is particularly unwelcome.