HIPAA at home: keeping ePHI safe while working remotely

by Egress
Published on 27th May 2020

In recent weeks, the Office for Civil Rights (OCR) has announced that it will exercise discretion when it comes to enforcing the Health Insurance Portability and Accountability Act (HIPAA) during the COVID-19 pandemic. Penalties will not be imposed on businesses for 'good faith uses and disclosures of PHI by business associates for public health and health oversight activities'.

Although offering welcome respite for healthcare companies and their associates as they focus on saving lives, the respite is actually short-lived and shouldn’t be seen as a potential free pass. Critically, the discretion does not extend the length and breadth of the Privacy Rule, meaning there’s no let up on the need for businesses to safeguard data confidentiality and the secure transmission of electronic Protected Health Information (ePHI).

In a recent study, 70% of CISOs in healthcare contended that employees are regularly putting sensitive email data at risk, which feels almost as good as putting out a welcome mat for HIPAA enforcers! With many employees still working remotely around the clock and on mobile devices, and with no sign of regulatory pressures easing up, the risk of an accidental violation, and the subsequent financial and reputational damage, remains grave. Here are three tips on what companies can do to mitigate that risk:

1. Equip employees with the tools they need

As the new security perimeter, the people within a business need support to remove risk to ePHI, and this becomes even more acute in a remote environment, where accidental impermissible disclosure becomes a greater hazard. This might require virtual training or refresher clinics to keep email security front of mind for employees while they remain away from the office, while it could also mean implementing new technological tools that work for the user. A lot of our conversations with CISOs and DPOs now revolve around using predictive analytics and machine learning that understands a user’s working patterns in order to not only detect anomalies and prevent a security breach, but also allow employees to remain productive as well. The focus is very much on making employees your biggest asset; not your biggest liability.

2. Encrypt sensitive emails – even enforce it, if need be

Encryption is not mandatory under HIPAA. However, should you choose not to pursue such protection, make sure you’ve got the results of your risk analysis to hand. Email encryption to the legislation’s required NIST standards is one of the most effective ways to appropriately secure ePHI and save your organisation the stress and cost of a violation. And with many employees still working at home, where the risk of emailing sensitive data in plaintext becomes higher, you may event want to consider putting mechanisms in place to automatically recommend – or even enforce – encryption.

3. Automate responses to patient ePHI requests

In 2011, Cignet Health received a $4.3m fine after failing to provide patients with copies of their health records. HIPAA stipulates a strict 30-day window to respond to patient requests for access to personal medical records. Almost every conversation we have highlights how lengthy and costly processes are hurting business efficiency. In fact, the Head of Risk at a logistics firm told me a few weeks ago that they had resorted to investing in full-time employees just to handle incoming patient access requests.

By automating the entire process, from finding the relevant email records and redacting non-pertinent data, though to exporting, PDF-ing and sharing reports with patients, there’s an opportunity to not only eliminate a huge amount of time from the process but also cut out a lot of unnecessary spend and resource.

Visit our HIPAA compliance page to learn more about how Egress Intelligent Email Security helps organisations secure the transmission of ePHI.