HIPAA Compliance Issues During and After COVID-19

— October 27, 2021

For the 25 years of its existence, HIPAA compliance has made people across the healthcare industry nervous. The act became notorious for how difficult it is to comply with. Although the need for such a law is not in question, its requirements have at times backed entrepreneurs into a corner, because any product that handles data related to PHI (Protected Health Information) must comply with them.

Of course, the COVID-19 pandemic and the ensuing global lockdown did not make HIPAA compliance any easier. The huge number of people who went remote and the unprecedented growth in the popularity of telemedicine and telehealth solutions mean that HIPAA compliance officers now work twice as hard. Many entrepreneurs and digital healthcare professionals believe that the conditions of compliance must be changed and eased. Is this the only way? How much has COVID-19 influenced the industry, and what does the future hold? Let’s discuss these issues and try to find common ground.

Pandemic impact

The effect that the pandemic had on the HIPAA regulation process can hardly be overestimated. In a situation where a huge number of people suddenly needed remote medical care, a decision had to be made to simplify the regulatory rules for telehealth vendors somewhat. This is what happened: in March 2020, the U.S. Department of Health and Human Services made the HIPAA compliance requirements for telehealth providers less stringent. Nevertheless, digital health providers should not become complacent, and rightly so: regardless of the situation, these companies still handle personal and sensitive protected health information.

The increased demand for telemedicine brought on by the pandemic has also widened the opportunities for data loss and information leakage. It is easy to imagine a healthcare company expanding access to its telehealth application for its customers. The intentions are good, especially since the regulatory requirements have been somewhat relaxed. Nevertheless, a huge number of users open the application and leave their data there, including health information. A big question arises: where will this data be stored, who will have access to it, and who will be responsible if the data is lost or becomes available to third parties?

On the other hand, it is also impossible to completely prohibit vendors from collecting such data, since it is needed to provide the telehealth services that are so popular during the pandemic. Thus, COVID-19 has created a unique situation in which telehealth providers need to watch over the safety of their customers’ data twice as closely, even though the general regulatory rules have been relaxed.

Future expectations

Although humanity seems to have learned, if not to defeat COVID-19, then at least to contain it, the pandemic has not yet receded. Despite the availability of many vaccines, new waves and new strains of the disease do not allow us to relax. The problem should therefore not be expected to go away quickly.

As for the near future, one should not expect any major changes in HIPAA policy. Nevertheless, we have identified several main trends that we expect to observe in the 2021-2022 period.

Regulatory measures won’t be tightened, but don’t relax

Despite the wave-like nature of the pandemic and the fact that many patients are getting used to visiting their doctor in person again, telemedicine services are still at a stage of unprecedented growth. Given that each wave of relief is bound to be followed by a wave of new morbidity records, the U.S. Department of Health and Human Services is leaving the HIPAA policy unchanged and does not intend to return to 2019 levels. So the department is not going to punish telehealth vendors who provide their services to patients through applications such as Zoom or Skype, even though those applications do not comply with HIPAA rules.

Despite this slight relaxation of the rules, telehealth industry representatives should not relax. Patients undoubtedly demand maximum protection of their medical data from telehealth vendors, and this expectation is so obvious that it is not even discussed out loud. Therefore, telehealth providers need to continue to ensure the same data protection that a doctor provides in an in-person visit.

Cybersecurity is more important than ever

We live in a time when it seems that not a week goes by without some new scandal related to cybersecurity, cyber threats, and data leaks. Cybersecurity is discussed at the highest levels: it was not for nothing that it was one of the main topics at the recent meeting between the presidents of the United States and Russia.

The healthcare industry has always been one of the most attractive targets for cyber attacks, as it holds a huge amount of sensitive personal data. According to a recent HIPAA report, only a small proportion (about 17%) of businesses fully meet all cybersecurity standards and continuously conduct risk assessment and mitigation campaigns. Most have problems, in one way or another, implementing all the necessary security measures.

In April 2021, HHS released a new security risk assessment tool, which is now mandatory for all HIPAA-compliant agents. There is no doubt that the trend toward stricter security requirements will continue in 2022.

Rise of HIEs

Health Information Exchanges (HIEs) exist to give legitimate providers convenient and secure access to patient medical data. These days, this data is spread across dozens or even hundreds of platforms, applications, and personal accounts. Often, those who have the right to share such data cannot access it, while scammers have more opportunities to steal it. That is why HIEs will only increase their influence in this industry, which will improve not only safety but also the speed and quality of patient care in general.

During the pandemic frenzy, HIEs and HIPAA-compliant CRMs played a crucial role in bringing all information and data together in a single place for healthcare officers to use. This helped to better organize control over the situation and distribute the load among healthcare institutions. COVID-19 has not gone anywhere, so it is worth preparing for the role of HIEs to grow further in 2022.

Bottom Line

There is not a single person on Earth who could accurately predict what comes next. The recent problems that our civilization has had to face show that humanity is not always ready to respond to such serious threats. But we learn, at the cost of tens and hundreds of thousands of lives; we adapt and continue to believe in our principles. One of the main principles is that medical data must be untouchable. This is why it is so important, even in the midst of a global frenzy and pandemic, to give due respect to HIPAA compliance and cybersecurity issues.