Privacy, HIPAA, Security and GDPR
The introduction and spread of COVID-19 to communities across the globe has created numerous privacy and security compliance questions and challenges. Below, we address several frequently asked privacy and security questions, including those related to: (1) health care providers, health plans and health care clearinghouses in the United States (“Covered Entities”) and their services providers (“Business Associates”) that are subject to HIPAA; (2) businesses that are not subject to HIPAA, but who collect information that could be useful in reducing the spread of COVID-19; (3) cybersecurity considerations; and (4) businesses that process data concerning individuals in the European Economic Area (EEA) and are subject to the General Data Protection Regulation (GDPR).
HIPAA FAQs (For Covered Entities and Business Associates)
ARE THERE ANY INFORMATION SECURITY RISKS THAT WE SHOULD BE ADDRESSING IN OUR RESPONSE TO COVID-19?
As the number of states and localities affected by exposure to COVID-19 grows, there is increasing interest in patients and plan members who test positive for COVID-19, or who are deemed “persons under investigation.” As a result, there is an increased risk that health care provider and health plan personnel who have access to electronic health records (EHRs) and plan administration resources could inappropriately access patient records to find out who may have contracted COVID-19 within their communities. Under the HIPAA Security Rule, Covered Entities must implement reasonable and appropriate administrative and technical access controls to protect the confidentiality of protected health information (PHI).
Health care providers and health plans should consider taking steps to ensure proper access to patient records by:
- Reminding their workforce members of the difference between appropriate and inappropriate access;
- Putting in place extra protections for COVID-19 patient records (e.g., “VIP” or “break the glass” status, which automatically notifies appropriate personnel when access to the patient record occurs);
- Regularly reviewing audit logs for inappropriate access by personnel; and
- Taking appropriate action if a violation occurs.
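The second and third steps above (flagging records and reviewing audit logs for inappropriate access) can be exercised with a small review script. The following is an added example, not code from the original article or from any EHR vendor: it assumes a hypothetical access log in CSV form (timestamp, user, patient, action), a constructed care-team roster, and a constructed set of patient records carrying "VIP"/break-the-glass status. Any access to a flagged record produces a notification finding, and any access by a workforce member who is not on that patient's care team produces a violation finding for follow-up.

```python
"""Audit-log review for flagged patient records (added illustration).

Assumptions (not from the original text): the EHR exports an access log as
CSV lines of the form timestamp,user,patient,action; a care-team roster maps
each patient to the users authorised to access the record; the set of
flagged ("VIP" / break-the-glass) patient IDs is maintained separately.
All data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: records placed in break-the-glass status.
FLAGGED_PATIENTS: Set[str] = {"P-1002", "P-1007"}

# Constructed sample: care-team roster (patient -> authorised user IDs).
CARE_TEAM: Dict[str, Set[str]] = {
    "P-1001": {"dr.lee", "rn.patel"},
    "P-1002": {"dr.lee", "rn.ortiz"},
    "P-1007": {"dr.chen"},
}

# Constructed sample access log; the format is a hypothetical export.
SAMPLE_LOG = """\
2020-03-16T08:01:00Z,dr.lee,P-1002,VIEW
2020-03-16T08:05:12Z,rn.ortiz,P-1002,VIEW
2020-03-16T09:14:33Z,billing.kim,P-1007,VIEW
2020-03-16T09:20:00Z,rn.patel,P-1001,UPDATE
2020-03-16T11:45:09Z,rn.patel,P-1002,VIEW
2020-03-16T12:00:00Z,dr.chen,P-1007,VIEW
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient: str
    action: str
    severity: str  # "violation" (not on care team) or "notify" (flagged record)
    reason: str


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the assumed CSV export into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, action = line.split(",")
        entries.append(
            {"timestamp": ts, "user": user, "patient": patient, "action": action}
        )
    return entries


def review_access_log(
    text: str, flagged: Set[str], care_team: Dict[str, Set[str]]
) -> List[Finding]:
    """Return one finding per access that needs attention.

    - Access by a user who is not on the patient's care team is a violation
      regardless of flag status (the record may still need investigation).
    - Access to a flagged record by a care-team member is a notification,
      mirroring the "break the glass" alert described in the text.
    """
    findings: List[Finding] = []
    for e in parse_log(text):
        team = care_team.get(e["patient"], set())
        if e["user"] not in team:
            findings.append(Finding(**e, severity="violation",
                                    reason="user not on patient's care team"))
        elif e["patient"] in flagged:
            findings.append(Finding(**e, severity="notify",
                                    reason="flagged record accessed by care team"))
    return findings


def violations_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Count violations per user, the first thing a reviewer usually wants."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.severity == "violation":
            counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, FLAGGED_PATIENTS, CARE_TEAM):
        print(f"{f.severity:9} {f.timestamp} {f.user:12} {f.patient} {f.action:6} {f.reason}")
    print(violations_by_user(review_access_log(SAMPLE_LOG, FLAGGED_PATIENTS, CARE_TEAM)))
```

The care-team roster is the key input: without a source of truth for who should be accessing a record, log review can only flag volume anomalies, not the targeted lookups the text is concerned with. In practice the roster would come from the EHR's treatment-relationship data rather than a hand-built dictionary.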