As the impact of COVID-19 grows, protecting patient privacy is paramount for healthcare organizations hard at work treating those affected by the pandemic. Although many organizations are nurturing a culture of privacy by flagging COVID-19 patient records for privacy departments, that may not be enough to protect their sensitive data from snooping and other risky behaviors. Where can privacy, compliance, and security teams begin when they’re inundated with surging volumes of patients to look after? This article will share steps you can take immediately to alleviate data privacy concerns throughout the crisis.
Top concerns from healthcare organizations
In a recent survey, FairWarning asked customers about their biggest challenges or concerns due to COVID-19. According to the poll, the practitioners’ #1 concern is protecting the privacy of COVID-19 patients.
Other top challenges included preparing for the onslaught of patients, insufficient staff and supplies to account for increased volume, and understanding the “right” way to care for COVID-19 patients while also protecting staff and patients who enter the hospital for other reasons.
Although the OCR has waived HIPAA violation penalties for telehealth services that help both patients and clinicians reduce the risk of infection, HIPAA itself is still being enforced. On top of that, hackers are exploiting system vulnerabilities caused by the crisis – cyberattacks have increased by 150% in the past two months alone. Maintaining the privacy and security of patient records is vital to prevent a loss of patient trust during this challenging time. Here are three ways to alleviate privacy concerns throughout the COVID-19 crisis:
1) Maintain a list of COVID-19 patients
The first step to safeguarding the privacy of patients affected by the pandemic is to keep a running list of patients who tested positive for COVID-19 and ensure that it’s being maintained by privacy teams. With all patient IDs listed in a single place, privacy officers have a single point of reference for monitoring access to COVID-19 patient records, saving time and effort. Organizations that have a patient privacy monitoring program in place can import affected patients from their lists into their monitoring application to keep a close eye on access to the records of patients who tested positive.
“The good news is that we’re hearing that patient lists are being shared with privacy teams. While I’m sure that’s not universal, it seems to be happening in at least a number of cases and therefore probably beginning to permeate throughout other organizations” – Ed Holmes, CEO of FairWarning
2) Implement a proactive monitoring program
Ensuring the safety and well-being of COVID-19 patients is crucial, but ensuring their privacy mustn’t be neglected during this time. According to the 2019 Cost of a Data Breach Report, it takes an average of 236 days to identify a breach – and another 93 to contain it. If a breach occurs during the heat of the crisis, it could take nearly a year to remediate.
By adopting a patient privacy monitoring program, organizations can proactively detect, investigate, and remediate privacy incidents: the program flags unauthorized behavior and sends alerts when activities don’t align with clinical, billing, or operations processes. By detecting HIPAA or policy violations such as patient and coworker snooping along with insider threats like identity theft, organizations can root out bad behavior and custom-tailor training sessions to educate staff and reduce the likelihood that incidents will happen again. As COVID-19 permeates society at large, it’s especially important for organizations to prevent the types of violations to patient privacy that affect organizational reputation, community trust, and even patient safety.
3) Prevent COVID-19 patient snooping
Going hand-in-hand with patient privacy monitoring, one particular behavior that’s especially important to monitor during the COVID-19 crisis is snooping of affected patients. Because the virus has been an all-encompassing subject for healthcare organizations and news outlets, EHR users may be more tempted than ever to read records they have no business accessing.
“We are also seeing inappropriate access occurring. As more and more patients enter hospitals and people working in different parts of the hospital are asked to perform other duties to keep up with all the COVID-19 patients, it will be even harder to identify some of the bad behavior.” – Ed Holmes, CEO of FairWarning
To track and detect unauthorized activity, prioritize monitoring activity that indicates snooping, including:
- Users conducting COVID-19-related searches in your EHR
- COVID-19 patients accessed by a high number of users
- Users who access a high volume of patients who tested positive, especially outside of their normal workflow
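The three indicators above can be expressed as a single pass over EHR access events. The following is an added example, not FairWarning's code or any EHR vendor's log format: the event fields, user and patient IDs, care-team mapping, search terms and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; every name and threshold here is an assumption.
PROTECTION_LIST = {"P100", "P101", "P102"}  # patients who tested positive
CARE_TEAM = {"P100": {"dr_lee"}, "P101": {"dr_lee", "rn_kim"}, "P102": {"rn_kim"}}
SEARCH_TERMS = ("covid", "coronavirus", "sars-cov-2")
MAX_USERS_PER_PATIENT = 3  # distinct users allowed before a patient is flagged
MAX_PATIENTS_PER_USER = 2  # out-of-workflow listed patients before a user is flagged

AUDIT_LOG = [  # (user, action, patient_id, detail)
    ("dr_lee", "view", "P100", ""),
    ("rn_kim", "view", "P101", ""),
    ("billing_joe", "search", None, "COVID positive admissions"),
    ("billing_joe", "view", "P100", ""),
    ("billing_joe", "view", "P101", ""),
    ("billing_joe", "view", "P102", ""),
    ("reg_amy", "view", "P100", ""),
    ("lab_raj", "view", "P100", ""),
    ("rn_kim", "view", "P200", ""),  # patient not on the protection list
    ("dr_lee", "search", None, "hypertension follow-up"),
]

def detect_snooping(events):
    """Return the users and patients matching each of the three indicators."""
    search_users = set()
    users_by_patient = defaultdict(set)  # listed patient -> users who viewed
    outside_by_user = defaultdict(set)   # user -> listed patients outside workflow
    for user, action, patient, detail in events:
        if action == "search":
            # Indicator 1: COVID-19-related search terms.
            if any(term in detail.lower() for term in SEARCH_TERMS):
                search_users.add(user)
        elif action == "view" and patient in PROTECTION_LIST:
            users_by_patient[patient].add(user)
            # "Normal workflow" is approximated by care-team membership.
            if user not in CARE_TEAM.get(patient, set()):
                outside_by_user[user].add(patient)
    return {
        "covid_searches": sorted(search_users),
        # Indicator 2: listed patients accessed by many distinct users.
        "heavily_accessed_patients": sorted(
            p for p, u in users_by_patient.items() if len(u) > MAX_USERS_PER_PATIENT),
        # Indicator 3: users viewing many listed patients outside their workflow.
        "high_volume_users": sorted(
            u for u, p in outside_by_user.items() if len(p) > MAX_PATIENTS_PER_USER),
    }

if __name__ == "__main__":
    print(detect_snooping(AUDIT_LOG))
```

Each result is a lead for privacy-team review, not a finding: staff reassigned to COVID-19 duties will trip the same thresholds until the care-team mapping is updated.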
By tracking COVID-19 patients, proactively monitoring EHR user activity, and preventing snooping, you can help alleviate patient privacy concerns during this challenging time.
Knowing the major impact COVID-19 will have on our customers and other healthcare providers, FairWarning has been working closely with customers to identify ways we can help them effectively manage through this crisis.
Moving to monthly release cycles has enabled us to offer new features for our customers, including a Protection List, which acts as a central hub for monitoring patients who have tested positive, and reports that enable healthcare professionals to monitor for snooping, high volumes of access to COVID-19 patients, and other risky behaviors.