The Rheumatologist

HIPAA and PHI Cybersecurity Best Practices in the COVID-19 Era

September 14, 2021 • By Steven M. Harris, Esq.

  • What if a healthcare professional providing telehealth services has their device stolen or compromised?
  • How will a healthcare organization respond to a data breach when its cybersecurity employees are working remotely?
  • Is there an emergency plan in place that contemplates both a remote and an in-person workforce, and have a functional security incident response team and security incident response plan been implemented?
  • If a healthcare professional is providing telehealth services from a location outside the office, is the wireless internet connection being used secure, and is the healthcare professional in a non-public location?
  • If a healthcare professional needs to step away from their device during a telehealth visit or while working remotely, will the device log off automatically within a reasonable period of time?
  • Are healthcare professionals and support staff properly trained to identify correspondence threats, such as email phishing and ransomware?

These scenarios are meant to identify potential breach vulnerabilities, but they should not necessarily be cause for concern. In the COVID-19 era, healthcare providers should take time to reevaluate their policies, protocols and procedures to ensure they address the types of scenarios described above.


It stands to reason that cybersecurity risks are here to stay, but organizations that have contemplated and formally established policies related to threat management will be best prepared to address and resolve breaches. The best practice is to make sure the scenarios above, as well as other scenarios that an organization’s executive team can reasonably expect to face, are addressed prior to their occurrence.


Healthcare organizations may also choose to reevaluate their third-party vendors and internally audit their cybersecurity capabilities. In the COVID-19 era, the following outside vendors should be scrutinized for effectiveness:

  • Internet, data and cellular services;
  • Firewall and malware protection;
  • Cloud storage;
  • Password protection services;
  • Email and communications services; and
  • Document management software.

The above services may already be adequate, but the best practice is to have a refreshed and informed view of the scope of cybersecurity services being performed and of how those services fit into a company’s operations, both independently and as part of an overarching security plan.


Further, internal audits of policies and procedures related to the procurement and ongoing maintenance of third-party services can assist in ensuring an organization is taking adequate measures to effectively leverage third-party expertise alongside internal expertise in its cybersecurity efforts.

In January 2021, the Health Information Technology for Economic and Clinical Health (HITECH) Act was amended to require the U.S. Department of Health and Human Services (HHS) to incentivize utilization of cybersecurity best practices. Specifically, the legislation requires HHS to take into consideration a covered entity’s or business associate’s use of industry-standard security practices (i.e., recognized security practices) within the past year, when investigating allegations of non-compliance with HIPAA rules and undertaking enforcement actions.

When calculating fines related to a breach, HHS is required to take cybersecurity into consideration and also reduce the extent and length of an audit if the entity being investigated has met industry-standard best practices security requirements. However, HHS is not permitted to increase fines or the length of an audit when an entity is found to be out of compliance with recognized security practices.


Filed Under: Legal. Tagged With: HIPAA, protected health information. Issue: September 2021


Copyright © 2006–2023 American College of Rheumatology. All rights reserved.

ISSN 1931-3268 (print)
ISSN 1931-3209 (online)