As the impact of COVID-19 grows, protecting patient privacy is paramount for healthcare organizations hard at work treating those affected by the pandemic. Although many organizations are nurturing a culture of privacy by flagging COVID-19 patient records for privacy departments, that may not be enough to protect their sensitive data from snooping and other risky behaviors. Where can privacy, compliance, and security teams begin when they’re inundated with surging volumes of patients to look after? This article will share steps you can take immediately to alleviate data privacy concerns throughout the crisis.
Top concerns from healthcare organizations
In a recent survey, FairWarning asked privacy, security, and compliance professionals about their biggest challenges due to COVID-19. According to the poll, the practitioners’ #1 concern is protecting the privacy of COVID-19 patients.
Other top challenges included preparing for the onslaught of patients, insufficient staff and supplies to account for increased volume, and understanding the “right” way to care for COVID-19 patients while also protecting staff and patients who enter the hospital for other reasons.
Although the OCR has waived HIPAA violation penalties for telehealth services that help reduce the risk of infection for both patients and clinicians, HIPAA itself still applies to healthcare organizations. On top of that, hackers are exploiting system vulnerabilities caused by the crisis – cyberattacks have increased by 150% in the past two months alone. Maintaining the privacy and security of patient records is vital to prevent malicious activity that could lead to the loss of patient trust during this challenging time. Here are three ways to curb privacy concerns throughout the COVID-19 crisis:
1) Maintain a list of COVID-19 patients
The first step to safeguarding the privacy of patients affected by the pandemic is to securely keep a running list of patients who tested positive for COVID-19 and ensure that it is maintained by privacy teams. With all patient IDs listed in a single place, privacy officers have a single point of reference for monitoring access to COVID-19 patient records, saving time and effort. Organizations that already have a patient privacy monitoring program can import the affected patients from that list into their monitoring application to keep a close eye on access to the records of patients who tested positive.
“The good news is that we’re hearing that patient lists are being shared with privacy teams. While I’m sure that’s not universal, it seems to be happening in at least a number of cases and therefore probably beginning to permeate throughout other organizations” – Ed Holmes, CEO of FairWarning
2) Implement a proactive monitoring program
Ensuring the safety and well-being of COVID-19 patients is crucial, but ensuring their privacy mustn’t be neglected during this time. According to the 2019 Cost of a Data Breach Report, it takes an average of 236 days to identify a breach – and another 93 to contain it. If a breach occurs during the heat of the crisis, it could take nearly a year to remediate. And health information that is exposed in public or on the news cannot be “taken back” into confidentiality again.
By adopting a patient privacy monitoring program, organizations can proactively detect, investigate, and remediate privacy incidents by detecting unauthorized behavior and sending alerts when activities don’t align with treatment, billing, or operational processes. By detecting HIPAA or policy violations such as patient and coworker snooping along with insider threats like identity theft, organizations can root out bad behavior and custom-tailor training sessions to educate staff and reduce the likelihood that incidents will happen again. As COVID-19 permeates society at large, it’s especially important for organizations to prevent the types of violations to patient privacy that affect organizational reputation, community trust, and even patient safety.
3) Prevent inappropriate access to COVID-19 patients
Going hand-in-hand with patient privacy monitoring, one particular behavior that is especially important to watch for during the COVID-19 crisis is impermissible access to the records of affected patients. Because the virus has been an all-encompassing subject for healthcare organizations and news outlets, EHR users may be more tempted than ever to read records they have no business accessing.
“We are also seeing inappropriate access occurring. As more and more patients enter hospitals and people working in different parts of the hospital are asked to perform other duties to keep up with all the COVID-19 patients, it will be even harder to identify some of the bad behavior.” – Ed Holmes, CEO of FairWarning
Because questions concerning public health have been raised in regard to what information can and cannot be disclosed, the Office of Civil Rights (OCR) has released three permissible bases for disclosing the information of COVID-19 patients:
- When the disclosure is needed to provide treatment. For example, HIPAA allows a covered nursing facility to disclose patient information to emergency medical personnel.
- When such notification is required by law. HIPAA permits a covered entity to disclose the health information of a COVID-19 positive patient when a local or state law requires the reporting of those individuals.
- To notify a public health authority in order to prevent or control spread of disease. A covered entity is permitted by HIPAA to disclose PHI to a public health authority.
By tracking COVID-19 patients, proactively monitoring EHR user activity, and preventing unauthorized access, you can help alleviate patient privacy concerns during this challenging time.
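One way to implement the check the three steps above describe (a watch list of affected patient IDs, an audit log of EHR accesses, and an alert whenever an access to a watch-listed record has no treatment, billing or operational basis), as an added example that is not FairWarning's code or product logic; the audit-log format, field names, role names, user IDs and patient IDs are all constructed assumptions:

```python
"""
Flag EHR audit-log accesses to watch-listed patient records (here: patients who
tested positive for COVID-19) when the accessing user has no documented
treatment relationship and is not in a role permitted to work across patients.
Constructed example; the log schema and names are assumptions, not a vendor format.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AccessEvent:
    """One audit-log entry: who touched which record, in what role, and how."""
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    action: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse comma-separated audit lines; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            raise ValueError(f"malformed audit line: {line!r}")
        events.append(AccessEvent(*fields))
    return events


def is_permitted(event: AccessEvent, care_team: Dict[str, Set[str]],
                 operational_roles: Set[str]) -> bool:
    """An access is justified if the user is on the patient's care team (treatment)
    or holds a role that legitimately works across patients (billing/operations)."""
    on_care_team = event.user_id in care_team.get(event.patient_id, set())
    return on_care_team or event.role in operational_roles


def find_suspect_access(events: List[AccessEvent], watch_list: Set[str],
                        care_team: Dict[str, Set[str]],
                        operational_roles: Set[str]) -> List[AccessEvent]:
    """Return, in log order, accesses to watch-listed patients with no justification.
    Records of patients not on the watch list are left to the general monitoring program."""
    return [e for e in events
            if e.patient_id in watch_list
            and not is_permitted(e, care_team, operational_roles)]


def summarize_by_user(flagged: List[AccessEvent]) -> Dict[str, int]:
    """Count flagged accesses per user, a starting point for privacy-team follow-up."""
    counts: Dict[str, int] = {}
    for e in flagged:
        counts[e.user_id] = counts.get(e.user_id, 0) + 1
    return counts


# --- Constructed sample data (not taken from any real system) ---------------
WATCH_LIST: Set[str] = {"P1002", "P1007"}          # patients who tested positive
CARE_TEAM: Dict[str, Set[str]] = {                  # documented treatment relationships
    "P1002": {"nurse_amy", "dr_lee"},
    "P1007": {"dr_lee"},
    "P1003": {"nurse_kim"},
}
OPERATIONAL_ROLES: Set[str] = {"billing", "him_coder"}

SAMPLE_LOG = """
# timestamp,user_id,role,patient_id,action
2020-04-01T08:02:11,nurse_amy,nurse,P1002,view
2020-04-01T08:05:40,dr_lee,physician,P1007,view
2020-04-01T08:09:03,clerk_bob,registration,P1002,view
2020-04-01T08:11:27,billing_sue,billing,P1002,view
2020-04-01T08:15:55,nurse_kim,nurse,P1003,view
2020-04-01T08:20:12,nurse_kim,nurse,P1007,view
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = find_suspect_access(events, WATCH_LIST, CARE_TEAM, OPERATIONAL_ROLES)
    for e in flagged:
        print(f"ALERT {e.timestamp} {e.user_id} ({e.role}) {e.action} {e.patient_id}")
    print(summarize_by_user(flagged))
```

In the sample, the registration clerk's view of P1002 and nurse_kim's view of P1007 are flagged: neither user is on those patients' care teams and neither role is one that works across patients. The billing user's access is accepted on an operational basis, and nurse_kim's access to her own patient P1003 is not examined by this check at all, since P1003 is not on the watch list. A real deployment would draw the care-team table from scheduling or admission data and the watch list from the privacy team's maintained list rather than from inline constants.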
Knowing the major impact COVID-19 will have on our customers and other healthcare providers, FairWarning has been working closely with customers to identify ways we can help them effectively manage through this crisis.
If you are committed to protecting patient privacy, even during the chaos of a pandemic, FairWarning can help. Thanks to the fast action of our innovative development teams and close relationships with our customers, we were able to deliver a solution to help health systems quickly respond to the increased demands on their privacy departments. For more information about how your organization can leverage these new features, click the button below to request a demo.