Back to Basics: HIPAA Compliance in the Age of COVID-19

A Statement of the Obvious

The healthcare industry’s collective response to the pandemic meant that huge amounts of time, money, and attention were devoted to the fundamental task of enabling healthcare services to be delivered at all.  Unfortunately, COVID did not hit a magical pause button on all of the ordinary operational issues that are required for the delivery of efficient, safe, and cost-effective care, particularly HIPAA compliance.

Pre-COVID, presently, and post-COVID (hopefully), covered entities (healthcare providers, healthcare insurers, and healthcare clearinghouses that process health information) and business associates (entities that provide specific services to covered entities that require or involve health information) have had and will continue to have various HIPAA compliance obligations to ensure the privacy and security of “protected health information” (PHI).¹  Unfortunately, it is not a stretch to say that HIPAA compliance before the pandemic was far less than ideal.²  For example, a simple review of the U.S. Department of Health and Human Services’ Office for Civil Rights’ (OCR) website reveals myriad gaps in HIPAA compliance.³  In light of the above, it could be said that HIPAA compliance was already poor and that COVID-19 did not change the overall status of compliance very much.  The reality, however, is that the pandemic triggered an array of operational changes and other issues, which likely means that many more entities are now even more out of HIPAA compliance than before.  Therefore, regardless of how well an entity was complying with HIPAA before the pandemic, if its compliance activities have not kept pace with its recent operational changes, it is almost certainly out of compliance from a legal perspective.  More importantly, from a patient and business perspective, it means that the privacy and security of large amounts of health information are at real risk.

Per the spoiler alert, however, none of what is discussed below is actually new.  We live in a digital age, which means that our various privacy and security concerns are evolving all the time.  Although many aspects of life and healthcare operations may have felt like they were put on pause by the pandemic, privacy and security concerns have never been on hold and never will be.  To be sure, all of the issues addressed here were advancing in their size, scope, and complexity in the ordinary course of technological evolution well before the arrival of COVID-19.  But, of course, the pandemic fundamentally changed the course of that evolution, primarily by accelerating the range of telehealth applications while simultaneously limiting the ability to engage in pre-deployment analysis and testing.  And, although HIPAA is ultimately agnostic about the specific types and uses of any particular health information technology, HIPAA compliance demands an appropriate response to the evolution of technology.  

Telehealth--The Future of Healthcare, Today

Of all of the changes in healthcare delivery that resulted from COVID, one of the swiftest and most extensive involved the use of telehealth.  Although it was widely recognized that telehealth was already on a significant growth trajectory, COVID triggered exponential growth.  In fact, it is not an exaggeration to say that the state of telehealth services advanced as much in a matter of weeks as likely would have occurred over months, if not years, but for COVID.⁴ 

The demand for telehealth services greatly exceeded the supply of “HIPAA-compliant” platforms.  Not surprisingly, in the early days of the pandemic, many providers elected to prioritize patient care over HIPAA concerns, and immediately pivoted to using common video-conferencing platforms such as Zoom, Skype, and Teams.  In an act of both grace and pragmatism, OCR announced in March 2020 its plan to exercise “enforcement discretion” with respect to ordinary security features to satisfy the HIPAA Security Rule as they relate to commonly available platforms.⁵  Such discretion applies only to platforms that are “non-public facing” and are for use only by specifically-intended parties. As a result of OCR’s exercise of discretion, providers may currently use popular video conferencing technologies and applications for telehealth encounters without a risk of a HIPAA violation, but the underlying HIPAA regulations have not changed.  Indeed, COVID did not result in a HIPAA exception or other regulatory change for telehealth.

Thanks to OCR’s enforcement discretion, telehealth use almost certainly exploded further.  However, the deployment of systems that will not otherwise be considered HIPAA-compliant has also introduced a new risk in the form of complacency and habit.  In particular, the more that providers use non-HIPAA-compliant platforms, the more dependent they become on them.  Unfortunately, the explosion in the context of enforcement discretion has meant that many providers have integrated these common non-HIPAA compliant platforms into their practices and patients expect ease of use. Yet  OCR could rescind its enforcement discretion at any time, without warning.  As a result, all providers should be prepared to switch telehealth platforms in the future, or at least be ready to deploy enhanced security features to satisfy the HIPAA Security Rule and any applicable guidance from OCR.  In the meantime, however, all telehealth platforms should be incorporated into applicable Security Rule risk assessments, as discussed further below.  Additionally, entities should consider whether any particular video-conferencing platform provider is actually a business associate for which a business associate agreement (BAA) (i.e., a specialized contract that delineates the respective HIPAA obligations of the parties) is needed.

Security Rule Risk Assessments--Periodic? Environmental or Operational Changes?

The HIPAA Security Rule requires that all covered entities and business associates have a risk assessment that addresses an array of security considerations.  HIPAA’s specific Security Rule risk assessment requirement is actually quite elegant: “Risk analysis (Required). [covered entities and business associates must c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”⁶

For better or worse, there is no specific timing requirement for updating an entity’s risk assessment.   The HIPAA Security Rule’s standard for updating Security Rule risk assessments is as simple as it is unambiguous:  “Updates (Required). [covered entities and business associates must r]eview documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.”⁷ 

Given that almost every healthcare provider implemented numerous changes to environmental and/or operational protocols in the wake of the pandemic, it is all but certain that any risk assessment with a date before March 2020 is not “accurate and thorough.”  Furthermore, there is an unwritten best practice with respect to risk assessments that they should be repeated on an annual basis. Therefore, even if there is an entity that miraculously did not change in fundamental ways in response to the pandemic, the entity’s risk assessment is likely due for a refresh by the mere passage of a year.

Training--“Necessary and Appropriate”

Another basic pillar of HIPAA compliance is workforce training.  Similar to the frequency for Security Rule risk assessments, the HIPAA regulations are vague:  “Standard: Security awareness and training. [covered entities and business associates must i]mplement a security awareness and training program for all members of its workforce (including management).”⁸  Specifically, the HIPAA regulations put “security reminders” in the “addressable” (as opposed to “required” category) and merely call for “periodic security updates.”⁹  The HIPAA Privacy Rule distills the training requirement a bit more in holding that: “Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”¹⁰ These provisions leave a lot of room for interpretation.     

In the absence of a specific timing requirement for refresher or updated training, the operative phrase is “as necessary and appropriate.”  Among the significant triggers for re-training or supplemental training are when systems, operations, networks, platforms, or anything else major involving health information or digital security change.  In response to COVID, there are countless covered entities and business associates that have experienced or implemented changes that would trigger at least one, if not all, of these indicators.

Business Associates--More and Different

Pre-COVID, it was very common for covered entities and business associates to lack a comprehensive list of BAAs.  The pandemic has likely exacerbated this issue.  Specifically, with the expansion of remote services and platforms, many practices now have new business associates, but their lists of business associates and inventories of BAAs have not kept pace.

Any entity that is using, disclosing, processing, or storing a covered entity’s PHI is a business associate.  This includes “cloud storage providers” even if they never actually access the PHI that they store.¹¹  By contrast, when a vendor or other entity is acting as a “mere conduit” of information, without saving or altering the information in transit, it is not considered to be a business associate.  The rationale for this is that these platforms are operating in a manner that is analogous to phone companies, the U.S. Postal Service, and private package services (such as FedEx and UPS). ¹²  Therefore, ZOOM, Microsoft Teams, Skype, and other platforms that merely facilitate information exchanges would not be considered to be business associates if they merely create the mechanisms or platform for online information exchange.  If, however, these platforms are used to save telehealth encounters on the platform’s system (such as in the “cloud”), the data saving/storage activities constitute “maintenance” of PHI, which triggers the need for a BAA, along with the corresponding compliance activities required of the business associate.¹³  Given the array of players and platforms that enable and facilitate telehealth, covered entities should review the specific relationships that they have with any of the constituent parts of their telehealth arrangement(s).

As with other important maintenance activities, it is quite likely that this record-keeping task has fallen victim to COVID-driven neglect.  Therefore, as they update their BAA lists to include any new COVID-triggered vendors, all HIPAA-regulated entities should take the opportunity to be sure that their overall BAA inventories are complete.

Health Information Fraud--Nothing New, but COVID Offers Different Angles

Not surprisingly, fraudsters have not taken a gracious break to allow the world to deal with COVID.  To the contrary, COVID has offered a range of new opportunities for fraud, and criminals are taking full advantage of them.¹⁴  Since the healthcare industry is already a routine fraud target, the fact that the pandemic involves a mix of health issues, fear, uncertainty, and a rapid pace of change, it makes an array of COVID-related issues particularly ripe for fraud.  Consider, for example, the inherent challenges of workplace integrity and fraud prevention when everyone on premises is wearing a mask; in such cases, ID badges are only minimally effective.

One specific topic that is likely ripe for fraud as a result of the pandemic is the collection of various personal health information in the context of both contact tracing and vaccination administration (both enrollment and tracking).  Criminals may build fake websites and apps to gather patient information of people seeking a vaccination.¹⁵  In other cases, criminals are likely to take advantage of various security vulnerabilities on third-party websites, apps, and/or software to infiltrate systems and harvest information.¹⁶  Furthermore, in the event that any systems were rushed into deployment in response to the pandemic, there may be real risks that security by design and subsequent testing were minimized or ignored altogether.

It is widely recognized that the best deterrent for fraud is education.  Therefore, in addition to updating staff on important issues such as sanitization and patient flow protocols to reduce the transmission of the coronavirus, providers should be sure that they are reminding their staff about fraud detection basics to reduce the risks of acquiring and sharing a computer virus. 

Financial Fraud from the Flurry of New Vendors

The operational complexities that follow from using multiple different services providers, contractors, and vendors inherently increase the risk of financial fraud.  In addition to physical vulnerability issues, such as the HVAC vendor that compromised Target’s systems, providers need to pay attention to the recent trend of fake invoicing.¹⁷  Of course, these risks increase with each additional vendor.  As a result, in all of the COVID-related confusion of the day, it is likely that numerous criminals have accurately predicted that many large organizations have such vast and complicated accounts payable systems that their fraudulent invoices have gone undetected.  Smaller entities are also likely to be targets because many of them lack the infrastructure necessary to keep track of all vendors.  For this reason, providers should be sure to regularly confirm that their accounts payable systems are robust and up-to-date, especially for lab services, supply vendors, and third-party payors.

Human Error--More Things Digital Means More Opportunities for Things to Go Wrong 

Although COVID certainly did not create human error, it is quite likely that it has contributed to it.  Among other things, people have been very distracted, anxious, exhausted, and otherwise thrown from their normal routines.  These circumstances create a nearly perfect situation for triggering human error, such as failing to close devices or programs as one jumps from task to task, writing passwords on sticky notes because the person has too many to remember, saving a document in the wrong network folder, and innumerable other actions and omissions that put systems at risk.

As difficult as it may be to predict human error scenarios, entities need to pay attention to how new workflow patterns, new technology, and basic fatigue can contribute to human error.  Then entities need to implement remedial steps to prevent those foreseeable instances of human error that may compromise the privacy and security of health information.

When Autocomplete Results in a Complete Mess

Some of the key telehealth risks result from the dangerous combination of technological efficiency features and human error, particularly autocorrect and autocomplete.  While there are certainly significant advantages to being able to complete long email recipient lists quickly, it is also all-too-easy to assemble a list so swiftly that the user does not recognize that a few errant keystrokes can result in a misdirected email.  With telehealth, specifically, there is a risk of sending an invite to the wrong patient or sending multiple invites to different patients for the same appointment time.

Do You Really Know Where All of Your PHI Is?

The swift pivot in response to COVID has meant that a broader array of devices is used to access health information, the specific mechanisms for obtaining access to systems have become more diverse, and the various reasons for needing access to health information have evolved.  For example, pre-COVID, the bulk of information exchanged within any particular medical practice was likely to have been fairly predictable because nearly all work was performed on the provider’s premises.  Providers had work emails, but they were urged not to send any unencrypted PHI, and access to health information was likely limited, with electronic health records systems accessible only via dedicated portals.  Now, however, PHI is lurking in a wide range of devices (e.g., smartphones, tablets, laptops, smartwatches), many of which are not the property of the entities.

As a result, technology teams and organizational leadership need to ensure that there are well-established protocols in place for tracking the flow of PHI, purging information from personal devices, ensuring that PHI on disparate devices makes its way into the formal electronic health record, and ensuring accessibility of information in an emergency or some communication failure situation.

Hazards of Working from Home--How Are Those Physical Safeguards Doing?

The shift to working from home (WFH) has introduced new risks for almost anyone who lives with someone else, has children, and/or has a pet.  Aside from the risks that important documents may be lost/destroyed by any of these others, there is also a risk that documents may move from a private location to some place where they do not enjoy privacy or security.  All it may take to compromise some very sensitive health information from a WFH setup is an inquisitive toddler who loves to move things around or a puppy that enjoys turning documents into chew toys and leaving them in the yard.  While these risks are likely remote, they are real.  If they occur, there needs to be a mechanism for reporting back to the entity so that an appropriate breach risk assessment (under HIPAA and applicable state law) can be performed to determine if additional action is necessary.

Texting--Today’s Communication Tool That May be Missing From Yesterday’s Risk Assessment

The use of text messaging with patients offers yet another technological mixed blessing.  In many cases, particularly with younger patients, text messaging is the default means of communication.  In some cases,  if a provider does not text with a patient, communication may fail entirely, particularly in light of social distancing and other logistical issues that make in-person visits a major challenge, if not impossible.

It is quite common for entities to maintain HIPAA policies that specifically address privacy and security with respect to telephone calls (i.e., caller verification protocols), faxing (i.e., coversheet standards), and email (i.e., encryption policies).  Texting, however, may remain an afterthought.  Given its prevalence, texting needs a priority position in risk assessments and training.  Now is the time to consider issues such as the feasibility of using encrypted text messaging and whether certain elements of a text exchange would be considered to be treatment communications that should be included in the patient’s medical record.  Ultimately, texting should enjoy the same level of attention as telephone, fax, and email. 

None of This Is New, Even if it is Different

As noted above, COVID has not changed HIPAA.  The pandemic has, however, fundamentally changed a wide array of devices, third-party services, and activities that are covered by HIPAA; consequently, the pandemic should have changed the HIPAA compliance strategies of the entire healthcare industry.  At a minimum, the passage of a year should trigger updates to security risk assessments and training, but, more importantly, these core compliance efforts demand updates to ensure that they reflect the current factual situation of each unique entity.

Although this article addresses a number of specific circumstances, it does not address every privacy and security issue nor does it address the full array of provider sizes, types, and operations.  As a result, this discussion is intended to serve as a general catalyst for all HIPAA-regulated entities to take an objective look at their organization to identify any elements of ordinary HIPAA compliance that have been pushed aside or may have been given incomplete, triage-driven attention in an effort to manage the immediate concerns of the pandemic.

Regardless of how the pandemic unfolds from here, many of the technology changes that were inspired or amplified by the pandemic are here to stay.  Therefore, now is the time for entities of all sorts to engage in the fundamental blocking and tackling that is necessary to ensure privacy and security generally, and to achieve HIPAA compliance specifically.  Whatever the new normal ends up looking like, HIPAA compliance will demand that policies, procedures, and practices are appropriately aligned with it.

1. “Protected Health Information” (PHI) is the core term for the applicability of HIPAA to health information.  Not all health information is PHI, but health information is PHI when it identifies the individual, is created or maintained by a covered entity or business associate, and relates to the past, present, or future healthcare needs, services, and payment of that individual.  See “Summary of the HIPAA Privacy Rule,” https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. 
2. “OCR Issues Audit Report on Health Care Industry Compliance with the HIPAA Rules” (Dec. 17, 2020), (https://www.hhs.gov/about/news/2020/12/17/ocr-issues-audit-report-health-care-industry-compliance-hipaa-rules.html).
3. OCR Newsroom (https://www.hhs.gov/hipaa/newsroom/index.html).
4. “Trends in the Use of Telehealth During the Emergence of the COVID-19 Pandemic — United States, January–March 2020,”  Centers for Disease Control and Prevention, https://www.cdc.gov/mmwr/volumes/69/wr/mm6943a3.htm.
5.  https://www.hhs.gov/about/news/2020/03/17/ocr-announces-notification-of-enforcement-discretion-for-telehealth-remote-communications-during-the-covid-19.html; https://www.hhs.gov/about/news/2020/03/20/ocr-issues-guidance-on-telehealth-remote-communications-following-its-notification-of-enforcement-discretion.html.
6. 45 C.F.R. § 164.308. 
7. 45 C.F.R. § 164.316.
8. 45 C.F.R. § 164.308.
9. 45 C.F.R. § 164.308.
10. 45 C.F.R. § 164.530.
11. HHS.gov HIPAA FAQs (https://www.hhs.gov/hipaa/for-professionals/faq/business-associates/index.html).
12. HHS.gov HIPAA FAQs (https://www.hhs.gov/hipaa/for-professionals/faq/245/are-entities-business-associates/index.html).
13. “Guidance on HIPAA & Cloud Computing,” Office for Civil Rights, https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html.
14. “COVID-19 scam reports, by the numbers,” Federal Trade Commission Consumer Information, (https://www.consumer.ftc.gov/blog/2020/04/covid-19-scam-reports-numbers).
15. As just one example, the author recently received an email that was both flagged and marked with an exclamation point, asserting to be from “Pfizer Vaccine,” with the subject line “Re: your gift is here, confirm.”  One can only imagine what may have resulted from clicking on the link in the message itself.  It is likely that most recipients will recognize such a message as fraudulent, but fraudsters will continue to send such messages until all recipients recognize it to be fraudulent.
16. “A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack,” NPR, https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack.
17. https://www.npr.org/sections/thetwo-way/2014/02/05/272101928/u-s-hvac-firm-reportedly-linked-to-target-s-data-security-breach; https://www.consumer.ftc.gov/blog/2018/02/phishers-send-fake-invoices; https://www.npr.org/2019/03/25/706715377/man-pleads-guilty-to-phishing-scheme-that-fleeced-facebook-google-of-100-million.