HIPAA requirements might have been relaxed during the pandemic, but does that mean you should stop caring about security?
Although HIPAA audits may be on hold for now, that doesn’t mean your ethical guidelines no longer apply. With so many clients going online for their care, securing protected health information (PHI) is still important, perhaps more than ever.
Let’s take a look at why you still want to look for HIPAA-compliant services as you set up your virtual practice.
What is HIPAA’s purpose?
Last year we published a blog post about HIPAA titled Four reasons why patient privacy is more than checking a box. The post was a reminder of why, as a healthcare practitioner, you want to make the effort to comply with HIPAA requirements, even if you’re not a covered entity. It’s not just to check the compliance box.
Establishing greater data protection is the right thing to do
HIPAA puts standards in place to ensure that practitioners have consistent guidelines to follow while establishing safeguards to protect their clients’ data.
Data protection isn’t just a nice feature you offer; it's a necessity in today’s world. HIPAA compliance helps bridge the gap between what organizations aspire to and the actualities of real life.
The reality is, personal health information is a big seller on the black market, with medical records selling for about $1000 per person. Take your mind off the pandemic for a few minutes with this AARP article about a data breach at a pediatric practice leading to the theft of a 5-year-old’s identity. Such an incident can cause inconvenience and frustration for a long time, and that risk exists whenever you submit your personal data online, even in the time of COVID-19.
Relaxed security measures could make PHI even more vulnerable to data breaches and theft.
The need to maintain ethical requirements and expectations within our healthcare practices should remain just as critical as ever during a pandemic.
Trust in healthcare yields better outcomes
As a behavioral health practitioner, you know how crucial it is to cultivate a relationship with your client that’s based on trust.
Before COVID-19, clients put their trust in you and your staff to keep files secure, to ensure that session rooms were soundproof, and that nothing was being recorded without their permission. Nothing has changed, except now that trust must be extended to any new online systems you choose to use.
Just as before, your clients must put their trust in you to choose systems that will protect their information and keep your sessions private and secure.
When a patient feels safe and believes that their information is being handled responsibly, they will be more likely to divulge personal information that’s critical to receiving effective care.
Your clients’ comfort
What was at the top of the headlines before the pandemic? Security breaches.
Your client might have other things on their mind at the moment, but the need for security never goes away. Reassure your clients that their data is just as protected as it ever was.
Your ethical responsibility
It’s also necessary to consider security from a professional ethical standpoint. As we’ve mentioned before on our blog, not all practitioners are considered “covered entities.” However, all practitioners are required to abide by certain professional ethical requirements. Securing your online communications with your clients when they contain information of a sensitive and personal nature is always important, even if you’re not officially held to federal standards.
Also, state laws may differ from HIPAA and may impose additional or different security and privacy obligations. These laws may or may not have been relaxed during the pandemic.
A data breach is still a data breach
A breach will still require significant time, effort, and resources to repair the damage. Even if the Office for Civil Rights (OCR) doesn’t impose penalties for violations during the pandemic, that doesn’t mean they won’t investigate and require violators to remedy the situation and undergo monitoring for several years after. A breach is still a mess, even in days of relaxed guidelines.
It makes sense to set up your virtual office to meet HIPAA requirements now, so you can continue to protect your clients, knowing your practice will be compliant after the pandemic when HIPAA guidelines are enforced once again.
What do you need to set up a secure virtual practice?
First, make sure that the services you choose offer you a signed Business Associate Agreement (BAA). If you don’t know what that is, read Do you need a Business Associate Agreement (BAA)?
Then, learn to use the services in a HIPAA-compliant manner. There’s a right and wrong way to use encrypted email, and there’s a learning curve to conducting successful telehealth sessions.
Set the correct services in place now so you can demonstrate compliance later.