COVID-19 Puts Disaster Preparedness Plans to the Test

Posted by Ken Reiher

Gerry Blass, President & CEO, ComplyAssistant

Helen Oscislawski, Esq., Founder & Managing Partner, Attorneys at Oscislawski LLC

ComplyAssistant’s President and CEO, Gerry Blass, and healthcare attorney Helen Oscislawski with Attorneys at Oscislawski LLC, were interviewed by the Journal of AHIMA on the short-term and long-term impact of the COVID-19 pandemic on the privacy and security of health information. The article, written by Mary Butler, was published in April 2020. The following blog post covers some of the key points.

For compliance-minded HIM professionals, the COVID-19 pandemic presented curve ball after curve ball thanks to the flood of waivers from the federal government temporarily loosening certain HIPAA and telehealth regulations. In addition, the CARES Act passed by Congress included a provision that has substantial implications for the handling of substance abuse and mental health records. If that wasn’t enough, providers have had to quickly figure out how to secure PHI while transitioning their workforce to telecommuting, which raises a variety of cybersecurity concerns as hackers exploit the pandemic.

And, the COVID-19 pandemic struck just as CMS and the ONC released the information blocking final rule. So, what are the short-term and long-term impacts of the pandemic on the privacy and security of health information? Gerry Blass, President and CEO of ComplyAssistant, and Helen Oscislawski, JD with Attorneys at Oscislawski LLC offer their insights.

On telehealth

Though HIM professionals have been challenged to figure out the documentation and coding aspects of telehealth, many physicians have welcomed the opportunity to expand their use of telehealth platforms.

Oscislawski explains “From a HIPAA perspective the barriers to telehealth have really been about security… if there’s a positive outcome from these kinds of telehealth visits, maybe that will then spur legislation to remove those barriers which have limited the use of telehealth in the past.” So far, the benefits of using telehealth to monitor patients in quarantine—and to keep healthier patients out of doctors’ offices and urgent care clinics—have outweighed the risks.

Blass, whose GRC software and services provide HIPAA training and security auditing services to providers, says providers should add telehealth to their annual security and compliance audits. He explains, “We’re always looking to make sure that we put together an inventory of where ePHI can exist. Typically, the inventory includes email, copiers, Wi-Fi, networks, and mobile devices. Now telehealth should be added to that list,” Blass said.

On cybersecurity

According to Blass, stay-at-home orders caught many organizations by surprise. Suddenly healthcare workers with PHI on their devices needed to be set up with a VPN and other safeguards to be able to securely work remotely. Any time this is done with a high volume of people in a fast-paced timeframe, vulnerabilities are introduced.

The HIPAA Security Rule has disaster preparedness requirements for exactly this type of situation, according to Oscislawski. “Many providers, until Katrina happened, questioned the need for disaster preparedness, asking, ‘How many times in a lifetime does a disaster come around?’ But COVID-19 highlights that you may need to revisit that section of your HIPAA security compliance program,” she said.

Oscislawski goes on to say that anytime a provider does not spend enough time on disaster preparedness, they take a gamble. “It increases the potential for breaches,” she says. Blass adds that ComplyAssistant’s audits will now review providers’ telecommuting policies as part of its audits.

For more on COVID-19 and disaster preparedness, read the full article in Journal of AHIMA.