As the Coronavirus pandemic disrupts business operations, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) temporarily eased certain HIPAA restrictions on the disclosure of patients’ protected health information (PHI) by healthcare providers, as well as their business associates, to improve data sharing for patient care.1
Following OCR’s most recent announcement in early April, business associates can share PHI in good faith as long as they inform the covered entity to which the PHI belongs within ten days. However, the waiver does not extend to HIPAA’s other restrictions on the protection of PHI – business associates remain liable for complying with HIPAA’s requirements to safeguard the confidentiality and integrity of PHI.2
However, as hospitals rush to adopt telehealth solutions to cope with pandemic-driven demand, it is easy to overlook security controls over user access, data transmission and ePHI storage. For hospitals contracting vendors to provide services that involve PHI, it is critical to understand the security posture of these third parties, which past research and studies have repeatedly shown to be a weak link in health data security.3
Hackers have been quick to exploit the pandemic and have already attacked multiple healthcare entities amid the crisis.4 Apart from scrutinizing internal data security risks, we suggest healthcare providers also take action against third-party risks.
Understand Limitation on HIPAA Waivers and Ensure Compliance:
▪ During the current national emergency, OCR allowed healthcare providers to provide telehealth services through communications vendors that may not fully comply with HIPAA requirements.5 However, those seeking additional privacy protections should consider contracting with vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) to provide communication products.6
▪ For vendors not included in OCR’s enforcement discretion above, a BAA must be signed before access to a healthcare organization’s PHI is granted. Make sure the vendors have conducted a HIPAA Risk Assessment; implemented the most updated Privacy and Security policies; and demonstrated evidence of ongoing training and reviews to ensure policies and procedures are implemented and followed.7
▪ As HIPAA risk assessments are not a one-time requirement, request evidence of your vendor’s continued compliance.
Perform Deep and Dark Web Searches and Monitoring:
Do you know what hacker groups are saying about your vendors online? Medical records are among the most expensive personal data sets sold on the deep and dark web, making vendors with access to PHI a target for cybercriminals. However, research shows that only one-third of vendors reported that they would immediately notify the healthcare providers they serve after confirming a data breach involving their PHI.8 Healthcare providers can take proactive measures to identify and monitor cyber threats affecting those who process and control access to their PHI, and then apply preventive, detective and corrective controls to help guard against third-party data breaches.
Identifying potential threats and their potential impact is integral to effective risk management. With a changing threat landscape, new risks and increased vulnerabilities to ePHI alter the security measures required, which should be enhanced to help ensure confidentiality, integrity and availability in this new “current state.”
Conduct Pre-Engagement Due Diligence:
Has the vendor previously been involved in data breaches or incidents involving PHI? What is its track record in consumer reviews? Conducting background checks on each vendor before a Business Associate Agreement is signed can help reduce non-compliance and reputational risk. This process should cover the components not addressed by HIPAA screening, such as company record and reputation, financial integrity and health, litigation and adverse records, allegations of corruption or wrongdoing, commercial disputes, connections to sanctioned entities, and concealed exposure to bad actors and politically exposed individuals.