By Mary Butler
For compliance-minded health information management (HIM) professionals, the COVID-19 pandemic has presented curve ball after curve ball thanks to the flood of waivers from the federal government temporarily loosening certain HIPAA and telehealth regulations. In addition to these temporary measures, the government also included regulatory changes in legislation. The sweeping emergency relief package passed by Congress, called the Coronavirus Aid, Relief, and Economic Security (CARES) Act, included a provision that has substantial implications for the handling of substance abuse and mental health records.
In addition to complying with the myriad new regulations, providers have had to figure out on the fly how to secure PHI while transitioning their workforce to telecommuting, which raises cybersecurity concerns as hackers seek to exploit the healthcare crisis. What’s more, the COVID-19 pandemic struck just as the industry got a good look at all the changes resulting from the information blocking final rule from the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC). Gerry Blass, president and CEO of Comply Assistant, and Helen Oscislawski, JD, an attorney specializing in healthcare law who consults with Comply Assistant, spoke with the Journal of AHIMA about the short-term and long-term impact of the pandemic on the privacy and security of health information.
The Telehealth Genie is Out of the Bottle
For many providers the recent guidance loosening reimbursement restrictions around telehealth came not a moment too soon. While it’s been challenging for HIM professionals to figure out the documentation and coding aspects of telehealth, many physicians have welcomed the opportunity to expand their use of telehealth platforms.
Oscislawski says her husband, an emergency room physician, is disappointed that the loosening of restrictions comes with an expiration date—meaning the end of the pandemic.
“It will be interesting to see if there’s a massive benefit to this that people can see,” said Oscislawski, referring to telehealth adoption. “It will be interesting to see what the data shows in terms of quality and accessibility to patients. And who knows, there may be an unintended consequence, too. And if there’s a positive outcome from these kinds of telehealth visits, maybe that will then spur legislation to remove those barriers which have limited the use of telehealth in the past.”
So far, in the early days of the pandemic, the benefits of using telehealth to monitor patients in quarantine—and to keep healthier patients out of doctors’ offices and urgent care clinics—have outweighed the risks, she notes. Until now, she says, it’s been payers that have been limiting the scope of their coverage.
“But from a HIPAA perspective the barriers to telehealth have really been about security, which is all over the place,” explains Oscislawski.
For example, the New York attorney general recently launched an investigation into the privacy and security practices of Zoom, the videoconferencing app that has seen a huge uptick in users since the pandemic began, including hospitals, businesses, and schools. Hackers have reportedly exploited vulnerabilities in the screensharing feature and webcams.
Blass, who provides HIPAA training and security auditing services to providers, says he’s adding telehealth systems to his audits.
“When we’re working with clients, we’re always looking to make sure that we put together an inventory of where their ePHI can exist. So we make a list of categories—typically email, copiers, Wi-Fi, networks, and mobile devices. So now telehealth would be potentially added to that list,” Blass said.
Managing Cybersecurity During a Pandemic
According to Blass, the shelter-in-place and stay-at-home orders caught many organizations by surprise and meant that healthcare workers with PHI on their devices suddenly needed to be set up with a VPN and other safeguards. Any time this is done with a high volume of people, vulnerabilities are introduced.
The HIPAA Security Rule has disaster preparedness requirements for exactly this type of situation, according to Oscislawski.
“Many, including some of my clients, until Katrina happened, kind of pooh-poohed that provision of the Security Rule. Because they’re like, ‘Oh, disaster-shmaster,’ or, ‘How many times in a lifetime does a disaster come around?’ But this highlights that you may need to revisit that section of your HIPAA security compliance program,” Oscislawski said.
“Every provider, health plan, and clearinghouse is supposed to have a disaster plan in place that can be put into action when something like this happens. Obviously, many didn’t spend enough time on that. They took a gamble that it wouldn’t happen and here we are,” Oscislawski said. “It increases the potential for breaches because you can be assured that there are employees now who are pulling things onto their desktops because maybe servers don’t have enough bandwidth. Everything’s slow, every document’s opening slower because there’s now thousands of people instead of a couple. And so they get frustrated and start pulling files to their desktop. So now you’ve got PHI on your desktop and now you’ve become completely vulnerable if you don’t have any firewalls at home.”
Blass adds that when this crisis is over, his company’s audits will take a look at providers’ telecommuting policies.
“Most disaster recovery plans in the past were about business continuity. It wasn’t assuming that everyone’s working from home. It was assuming that everyone’s still at work,” Blass said. “Even during Hurricane Sandy, I know a hospital that was out for about two weeks as a result. So the disaster recovery plan was more localized. And, certainly, there’s been a lot of migration of data centers locally to a cloud host because it’s off-premise and it’s being run by companies that are expert in running data centers. That has helped a lot of organizations with their disaster recovery plan because it puts the responsibility somewhere else.”
Disaster Planning and Recovery Toolkit
AHIMA’s recently updated Disaster Planning and Recovery Toolkit is available to the public and could be useful for healthcare organizations and communities as they plan for COVID-19 surges and refresh their business continuity plans (often called disaster planning). The toolkit emphasizes the capture of documentation of patient care rendered during a disaster, proper communication, relaying of diagnostics, treatments and care planning among caregivers and patients, data backup plan availability, and the integrity of healthcare information. Please note this toolkit was updated prior to the HHS’ Notification of Enforcement Discretion that includes relaxed HIPAA language.