User Access Monitoring in the Current COVID-19 Crisis

March 26, 2020 Marti Arvin

It might be tempting for covered entities and business associates to put off some of their regulatory or compliance obligations as other priorities evolve in the current crisis. Whether to do that or not is a risk decision, like most security and privacy compliance choices, and there are a number of factors to consider. For example, an organization might consider reducing or pausing its user access monitoring program. HHS has issued guidance on a number of areas where it will not pursue enforcement actions under the HIPAA Privacy or Security Rules at this time. Patient rights were the predominant regulatory provisions where enforcement was waived. But as part of the guidance, the Office for Civil Rights (OCR) has specifically indicated that covered entities and business associates must still safeguard patient information.

Safeguarding Patient Information

In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.

HIPAA Security Rule Requirements

  • Under the HIPAA Security Rule, covered entities and business associates have an obligation to have policies and procedures in place to prevent, detect, contain and correct security violations. 45 CFR 164.308(a)(1)(i).
  • The regulations also require covered entities and business associates to “[i]mplement procedures to regularly review records of information security system activity, such as audit logs, access reports, and security incident tracking reports.” 45 CFR 164.308(a)(1)(ii)(D).
  • The rule also requires the covered entity or business associate to implement hardware, software, and/or procedural processes that record and examine activity in information systems containing electronic protected health information (ePHI). 45 CFR 164.312(b).

OCR shared the following recommendations in its January 2017 Cybersecurity Newsletter:

  • Any monitoring and auditing plan should be tied to the organization’s risk analysis and organizational factors such as their technical infrastructure, hardware and software security capabilities.
  • Regularly review information system activity, per the HIPAA Security Rule, to promote awareness of any information system activity that could suggest a security incident or breach.
  • Implement audit controls that are reasonable and appropriate to record and examine activity in information systems that access ePHI. This requires evaluating the audit control capabilities of information systems; it is also important to assure that the organization is complying with its own audit control policies and procedures and to assess whether changes or upgrades to its system audit capabilities are necessary.

The guidance from OCR announcing the temporary waiver of its enforcement activity does not mean covered entities and business associates can ignore their other HIPAA obligations. When thinking about user access monitoring there are some key considerations to determine the risk an organization wants to take on by stopping or pausing current activity.

  • There is still an obligation that patient information be appropriately protected. In its guidance of March 16, 2020 concerning how the HIPAA Privacy and Security Rules are impacted during the coronavirus health emergency, OCR stated that covered entities are expected to implement reasonable safeguards to protect PHI and to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule. The provision requiring user access monitoring is one of the required implementation specifications of the HIPAA Security Rule.
  • If an organization is currently performing user access monitoring, that could be viewed as a clear indication of its knowledge that monitoring is a reasonable process for protecting patient information.
  • In the current environment there will likely be a heightened interest in patients who have or might have the coronavirus. In the risk analysis for an organization there is likely an increased risk of improper access to the information of such patients. The OCR guidance makes it imperative that covered entities and business associates look to their risk analysis to determine the appropriate level of user access monitoring. Failing to check whether users are improperly accessing the records of such patients might be considered a failure to tie monitoring activity to the organization's risk in the current environment.

HIPAA Breach Notification Rule

Another consideration is the HIPAA Breach Notification Rule. It states a breach is deemed discovered by a covered entity, “as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).” 45 C.F.R. §164.404(a)(2).

Final Considerations

If a covered entity or business associate has a user access monitoring program in place and decides to suspend or stop that program, what happens to the improper uses and disclosures of PHI that would have been discovered had the program not been suspended or stopped? Could OCR or another regulator determine that the entity was no longer exercising reasonable diligence? If so, could the discovery date for any breach resulting from the improper access be deemed the day it occurred, or the day the entity would have known had it followed its routine user access monitoring program? If so, this could put organizations at risk of failure to notify in a timely manner.
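To make the two considerations above concrete (the heightened-risk bullet on access to records of suspected coronavirus patients, and the "would have been known" discovery date), here is an added example, not from the article or CynergisTek, of a minimal user access monitoring check. The audit log format, the patient and care-team lists, and the Monday weekly review cadence are all constructed assumptions for this illustration.

```python
from datetime import date, datetime, timedelta

# Constructed sample EHR audit log (not from the article):
# timestamp|user|role|patient_id|action
AUDIT_LOG = """\
2020-03-18T09:12:00|dr_lee|physician|P1001|view
2020-03-18T10:45:00|nurse_kim|nurse|P2002|view
2020-03-19T22:03:00|clerk_jones|billing|P2002|view
2020-03-20T08:30:00|dr_lee|physician|P2002|view
2020-03-21T13:15:00|clerk_jones|billing|P2002|print
"""

# Constructed: records the risk analysis marks as high-interest (e.g. suspected COVID-19 cases)
FLAGGED_PATIENTS = {"P2002"}
# Constructed: documented treatment relationships, user -> patients they are assigned to
CARE_TEAM = {"dr_lee": {"P1001", "P2002"}, "nurse_kim": {"P2002"}}

def parse_log(text):
    """Split each audit line into a dict; the pipe-delimited format is an assumption."""
    events = []
    for line in text.splitlines():
        ts, user, role, patient, action = line.strip().split("|")
        events.append({"ts": ts, "user": user, "role": role, "patient": patient, "action": action})
    return events

def flag_improper_access(events):
    """Accesses to flagged records by users with no documented relationship to the patient."""
    return [e for e in events
            if e["patient"] in FLAGGED_PATIENTS
            and e["patient"] not in CARE_TEAM.get(e["user"], set())]

def deemed_discovery_date(event_ts, review_weekday=0):
    """Date on which the routine weekly review (Mondays by default, covering the prior
    week) would first surface the event: the 'would have been known' date had the
    monitoring program run as scheduled."""
    d = datetime.fromisoformat(event_ts).date()
    days_ahead = (review_weekday - d.weekday()) % 7 or 7  # strictly after the event day
    return (d + timedelta(days=days_ahead)).isoformat()

def notification_deadline(discovery_date):
    """Outer limit for individual notice: 60 calendar days after discovery (45 CFR 164.404(b))."""
    return (date.fromisoformat(discovery_date) + timedelta(days=60)).isoformat()

if __name__ == "__main__":
    for e in flag_improper_access(parse_log(AUDIT_LOG)):
        found = deemed_discovery_date(e["ts"])
        print(f"{e['ts']} {e['user']} ({e['role']}) {e['action']} {e['patient']} -> "
              f"routine review would surface it {found}, notice due by {notification_deadline(found)}")
```

The two billing-clerk accesses are the ones a suspended program would have missed; the review that would have caught them falls on 2020-03-23, which is the date a regulator could treat as discovery.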

Healthcare is in a state of crisis. However, this is not the time to put aside compliance activities without a very careful consideration of the risk to the organization.


About the Author

Marti Arvin

Marti Arvin, Executive Advisor for CynergisTek, brings more than three decades of operational and executive leadership experience in the fields of compliance, research and regulatory oversight in academic medical and traditional hospital care settings to her position at CynergisTek. Arvin leads strategic business development around compliance services and utilizes her industry-recognized expertise in health research to inform the development of privacy and security services to meet that community's underserved needs. She is a nationally recognized speaker and contributor to the thought leadership around healthcare compliance and research, and contributes to CynergisTek's industry outreach and educational programs. Arvin has extensive experience in building and managing compliance and research programs. Arvin previously served as the Chief Compliance Officer for Regional Care Hospital Partners and the UCLA Health System and David Geffen School of Medicine. She has a legal background, having obtained her J.D., and holds the CHC-F, CCEP-F, CHRC and CHPC certifications. She is recognized as an expert on compliance and privacy issues through her published articles, lectures and presentations at national conferences. She was a board member of the Health Care Compliance Association between 2008 and 2011 and was on the Compliance Certification Advisory Board for over eight years. She also served on the certification committee for the CHC, CHC-F, CCEP, CCEP-F, CHRC and CHPC.
