Monthly Healthcare News Roundup: Changes to HIPAA Telehealth Enforcements, Privacy Rules During the COVID-19 Crisis, and More
Every month, we compile the most compelling healthcare privacy and security related news stories. Below, you’ll learn about changes to HIPAA telehealth enforcements, privacy rules during the COVID-19 crisis, and more.
OCR announces notification of enforcement discretion for telehealth remote communications during the COVID-19 nationwide public health emergency
On March 17th, the Office for Civil Rights (OCR) announced that, effective immediately, it will waive HIPAA violation penalties against healthcare providers that use everyday technology for telehealth.
“This exercise of discretion applies to widely available communications apps, such as FaceTime or Skype, when used in good faith for any telehealth treatment or diagnostic purpose, regardless of whether the telehealth service is directly related to COVID-19.” – The U.S. Department of Health and Human Services (HHS) Office for Civil Rights
What does this mean for healthcare privacy and security? Because telehealth allows both the provider and patient to stay at home and limit contact with other people during the COVID-19 crisis, this allows clinicians to use private means of communication – from landline phones to one-on-one video chat apps – to provide healthcare for patients, but does not apply to public-facing communication apps such as Facebook Live, Twitch, and TikTok. A vital piece of information to keep in mind is that HIPAA still applies as a broad law despite relaxing enforcement on telehealth. For more information on recent changes to HIPAA, read the full OCR press release.
As the impact of COVID-19 grows and more people become affected by the crisis, global leaders have been turning to the technology sector for help. Governments and private entities have begun to track their users’ personal information, including location data, health information, and other personal details, such as whether someone has disclosed that they’ve been diagnosed with COVID-19 on social media.
Although limiting social contact is vital to protect public health at large, this broad effort to monitor activity has raised privacy and civil liberty concerns. “Unprecedented levels of surveillance, data exploitation, and misinformation are being tested across the world,” said civil rights campaign group Privacy International.
This TechCrunch article offers a comprehensive guide to privacy rules applying to organizations throughout the United States, the U.K., and Europe, explaining measures that both companies and health systems can and cannot legally take to track consumer and patient data in the interest of public health.
The HHS has reported suspicious activity connected to its coronavirus response. Although the department was not hacked, the activity was likely caused by a distributed denial of service (DDoS) attack – an important distinction to make because it is likely that the HHS’ system wasn’t breached. The goal of a DDoS is to use automated users called bots to overload the system, decreasing its functionality.
Although the attacker’s identity is unknown, the United States intelligence community fears its origins may be related to terrorism or organizations seeking to take advantage of the COVID-19 crisis to incite chaos amongst the American public.
“Early on while preparing and responding to COVID-19, HHS put extra protections in place. We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure.” – Caitlin Oakley, HHS spokesperson
In support of efforts to improve healthcare interoperability, the HHS has finalized two revolutionary rules that grant patients safe and secure access to their health data. The goal of the HHS’ effort to increase interoperability – the ability for organizations to smoothly transfer data among one another – is to empower patients with control over their own healthcare by giving them visibility into their data along with the ability to manage their care.
Both rules implement interoperability and patient access provisions in the 21st Century Cures Act – a law designed to accelerate innovation in medicine and healthcare technology – while supporting the president’s MyHealthEData Initiative.
“Together, these final rules mark the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure, a top priority for the Administration.” – The U.S. Department of Health and Human Services
New research from Ponemon Institute has revealed that more than half of healthcare organizations have suffered a breach to patient data – and that each breach exposes 10,000 records while costing $2.75 million each on average.
According to the study, a key factor that contributes to the high volume and expense of breaches is the failure to fully leverage risk assessments to accurately measure and manage risk from third parties. A whopping 41% of those surveyed in the healthcare industry said that providers do not require any action to be taken if their vendors’ privacy and security policies revealed gaps and 42% do not require proof that vendors they adopt comply with federal data protection regulations.
Read the full article to learn more about what drives the costs of healthcare data breaches.
In an effort to keep as many beds available for COVID-19 patients as possible, healthcare providers are turning to remote health monitoring technology to keep track of patients from their homes. Using smartphone software to monitor vital signs including blood pressure, temperature, lung function, and the heart, along with telehealth visits that include one-on-one communication via phone and video chats, hospitals are expanding these telehealth tools to care for patients without requiring them to step through their doors.
“Traditional healthcare delivery is inadequate in dealing with this pandemic. We have to use a healthcare strategy that deploys resources throughout an entire community, and that’s where remote monitoring comes in.” – Raj Khandwalla, Director of Digital therapeutics for the Smidt Heart Institute at Cedars-Sinai Medical Center
But this poses a challenge for healthcare providers as they rapidly accelerate switching to telehealth to provide care. To learn more about the benefits and complications, read the full STAT article.