It might be tempting for covered entities and business associates to put-off some of their regulatory or compliance obligations as other priorities evolve in the current crisis. Whether to do that or not is a risk decision like most security and privacy compliance choices. There are a number of factors to consider when thinking about this. For example, an organization might consider reducing or pausing their user access monitoring program. HHS has issued guidance on a number of areas where they will not pursue enforcement actions under the HIPAA Privacy or Security Rules at this time. Patient rights were the predominant regulatory provisions where enforcement was waived. But as part of the guidance, the Office of Civil Rights (OCR) has specifically indicated covered entities and business associates must still safeguard patient information.
Safeguarding Patient Information
In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.
HIPAA Security Rule Requirements
- Under the HIPAA Security Rule, covered entities and business associates have an obligation to have policies and procedures in place to prevent, detect, contain and correct security violations. 45 CFR 164.308(a)(1)(i).
- The regulations also require covered entities and business associates to “[i]mplement procedures to regularly review records of information security system activity, such as audit logs, access reports, and security incident tracking reports.” 45 CFR 164.308(a)(1)(ii)(D).
- The rule also requires the covered entity or business associate to implement hardware, software, and/or procedural processes that record and examine activity in information systems containing electronic protected health information (ePHI). 45 CFR 164.312(b).
OCR shared the following recommendations in its January 2017 Cybersecurity Newsletter:
- Any monitoring and auditing plan should be tied to the organization’s risk analysis and organizational factors such as their technical infrastructure, hardware and software security capabilities.
- Regularly review information system activity, per the HIPAA Security Rule to promote awareness of any information system activity that could suggest a security incident or breach.
- Implement audit controls that are reasonable and appropriate to record and examine activity in information security systems that access ePHI. This requires evaluating the audit control capabilities of information systems and it is important to assure the organization is complying with its own audit control policies and procedure and to assess whether changes or upgrades to its system audit capabilities are necessary.
The guidance from OCR announcing the temporary waiver of its enforcement activity does not mean covered entities and business associates can ignore their other HIPAA obligations. When thinking about user access monitoring there are some key considerations to determine the risk an organization wants to take on by stopping or pausing current activity.
- There is still an obligation that patient information be appropriately protected. In its guidance of March 16, 2020 concerning how the HIPAA Privacy and Security Rules are impacted during the coronavirus health emergency, OCR stated that covered entities are expected to implement reasonable safeguards to protect PHI and to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule. The provisions to perform user access monitoring is one the required implementation specifications of the HIPAA Security Rule.
- If an organization is currently performing user access monitoring that could be viewed as a clear indication of their knowledge that it is a reasonable process for protecting patient information.
- In the current environment there will likely be a heightened interest in patients who have or might have the coronavirus. In analyzing the risk analysis for an organization there is likely an increased risk for improper access to the information of such patients. The OCR guidance makes it imperative that covered entities and business associates look to their risk analysis to determine the appropriate level of user access monitoring. Ensuring that users are not improperly accessing the records of such patients might be considered a failure to tie the activity to the risk of the organization in the current environment.
HIPAA Breach Notification Rule
Another consideration is the HIPAA Breach Notification Rule. It states a breach is deemed discovered by a covered entity, “as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).” 45 C.F.R. §164.404(a)(2).
If a covered entity or business associate has a user access monitoring program in place and decides to suspend or stop such a program, what happens to the improper uses and disclosures of PHI that would have been discovered had the program not been suspended or stopped? Could OCR or other regulator determine that they were no longer exercising reasonable diligence? If so, could the discovery date for any breach resulting from the improper access be deemed the day it occurred or the day the entity would have known had it followed its routine user access monitoring program? If so, this could put organizations at risk for failure to timely notify.
Healthcare is in a state of crisis. However, this is not the time to put aside compliance activities without a very careful consideration of the risk to the organization.
About the AuthorFollow on Linkedin Visit Website