PHI Compliance in the Age of COVID

One of the most important aspects of HIPAA is PHI compliance. PHI compliance refers to ensuring the confidentiality, integrity, and availability of protected health information (PHI). In the age of COVID, PHI compliance has somewhat fallen to the wayside, as more pressing issues have arisen. Although many organizations have put PHI compliance on the back burner, now it is more important than ever to ensure that PHI is safeguarded.

PHI Compliance: Rise in Healthcare Attacks

As many organizations scrambled to transition to working remotely amid the pandemic, there have been unforeseen side effects. The majority of businesses were not prepared to work remotely, and since they had to move quickly, data security was often overlooked. Hackers saw this as the perfect opportunity to target remote workers, causing a 630% rise in cyber attacks on cloud services. With this rise, healthcare was the second most targeted industry for cyber attacks. 

PHI Compliance, Telehealth, and Remote Work

It seems as though, for some organizations, telehealth and remote work are here to stay. This means that businesses need to implement sustainable data security practices. So can you accomplish advanced security measures while working from home?

The following are things to consider for data security and PHI compliance:

1. Device Ownership. If you plan to allow staff members to work from home on a permanent or semi-permanent basis, you should provide employees with company-owned equipment. Using personal devices poses an additional risk to PHI compliance as the devices are sometimes used to access unsecure websites. They may also be used by an employee’s family member. In the rush to transition to a work from home environment, many businesses have allowed staff members to use personal devices. However, this is not a sustainable long-term business practice.
2. Assessing Security Policies. To ensure that data is secure in a work from home environment, you may need to adapt your security policies. You should review your policies to make sure that they are sufficient for employees working from home. Some additional policies and procedures you may consider adding include allowing only employees to use company devices, limiting the types of data that can be stored on a local device versus cloud storage accessible by your team, and prohibiting employees from using personal storage devices or printers.
3. Training Staff. A key component of securing PHI is training employees. Employee training should include cybersecurity training, the proper use of company equipment, and the proper uses and disclosures of PHI. The most common PHI breaches occur from human error. Hackers use phishing emails to target employees by impersonating a trusted entity. This has become more common during the pandemic as hackers are taking advantage of security gaps caused by the rush to transition to a work from home environment. Employees that are trained on secure business practices are less likely to fall victim to these types of attacks.
4. Encryption. Any device that has access to PHI should be encrypted. Encryption masks sensitive data so that it cannot be accessed by individuals without a decryption key. Encryption is the most effective way to secure data; personal devices often lack encryption which is why it is important to issue company-owned devices, or provide employees with encryption for their personal devices if issuing a company device is not possible.
5. De-identification. De-identified data removes information that can link a patient to their health information. For instance, data is often de-identified for research purposes. This allows research institutions to conduct studies without requiring patient consent. However, for data to be adequately de-identified, all uniquely identifying information must be removed (names, addresses, etc).
6. PHI Disposal. PHI that is no longer required for treatment, payment, or healthcare operations must be properly disposed of. The Department of Health and Human Services (HHS) recommends that paper records are burned, shredded, or pulverized. For ePHI (PHI stored in an electronic format), proper methods of PHI disposal include degaussing or physically destroying the hard drive.