The nation’s nursing facilities, assisted-living facilities, inpatient rehabilitation facilities and home care providers — and their long-term care (LTC) workforces — are at the forefront of the COVID-19 crisis. Caring for those at highest risk of contracting COVID-19 and experiencing severe cases, LTC providers are faced with overwhelming challenges and difficult decisions. They must protect and care for their patients while keeping their workers safe and their businesses operating efficiently and in compliance with evolving federal and state rules.
In addition to navigating on-the-ground operational challenges, LTC providers must simultaneously ensure that patient health information (PHI) maintained by the LTC providers remains private and secure. Because of states’ social distancing and, in some cases, shelter-at-home mandates, the LTC workforce may be largely working from home. Working from home creates unique challenges to compliance with the Health Insurance Portability and Accountability Act (HIPAA). The Office of Civil Rights (OCR) has issued several HIPAA waivers to ease regulatory burdens on providers by exercising enforcement discretion and waiving potential penalties — for HIPAA violations and for failure to distribute notices of privacy practices — against healthcare providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency. These waivers, however, do not protect LTC workers if they do not employ reasonable safeguards in the home work environment. LTC providers should remind their workforce:
- Not to print records with PHI unless it is absolutely necessary in order for them to conduct their work from home. If paper records must be printed, the records should be maintained until they can be brought into the office to be shredded. OCR has previously advised that covered entities should not be “permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.” PHI must be rendered essentially unreadable or indecipherable before being disposed of.
- Not to discuss patients within earshot of others in their home or in public.
- Not to click on suspect links contained in emails, and how to identify phishing emails. A significant number of large cyber breaches are caused by staff error, such as clicking on links in emails.
With regard to electronic PHI (ePHI), LTC providers are operating in a particularly challenging environment. Cybercriminals often capitalize on changing technological environments by increasing phishing attempts or scams. For example, the World Health Organization (WHO) recently issued a warning regarding threat actors impersonating the WHO in an attempt to steal money or sensitive information. LTC providers should ensure that the daily traffic on their data lines is monitored and be able to identify and address unusual traffic patterns.
In addition, LTC providers should remind their workforce to follow these practices:
- Deploy a complex password (one that contains numbers, letters and symbols) on their wireless routers.
- When possible, access ePHI using only a VPN and company-approved technology.
- Password-protect files or documents containing confidential or sensitive information.
- Close all browsers and applications at the conclusion of each work session, and routinely delete browser history.
- Do not run social media applications in the background when using mobile devices for business purposes.
- Use encrypted methods to email PHI.
- Do not click on suspicious links or links in emails from an unknown sender.
- Do not maintain ePHI on mobile phones; if ePHI must be maintained on the phone (e.g., to record an image of a patient’s injury), then the ePHI should be uploaded to the patient’s record as soon as possible and deleted from the workforce member’s phone.
For LTC providers who are providing care via telehealth, OCR has issued some flexibilities, allowing providers to deliver services using technologies that may not be fully compliant with HIPAA. Specifically, OCR is allowing providers to use video chat applications, such as FaceTime, Google Hangouts video, Zoom and Skype, to deliver services. OCR asks providers to enable all privacy and encryption modes available. When possible, LTC providers should execute business associate agreements with these applications. Providers should notify patients that delivery of services through these applications potentially raises privacy risks. OCR stated that it will exercise “its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
In the event that a workforce member is concerned that PHI may have been accessed or disclosed improperly, he or she should immediately report any suspected or confirmed security events, including violations of company security policies, lost or stolen devices, or potential unauthorized access or disclosure of company information, to the LTC provider. LTC providers must ensure that their privacy officer remains available and responsive to these reports and promptly investigates the concern.
Randi Seigel is a partner with Manatt Health. Randi has extensive expertise advising healthcare stakeholders, including long-term and post-acute care providers, across a variety of critical areas, such as HIPAA and state privacy laws, compliance with Medicare and Medicaid conditions of participation and billing, and regulatory risks.
Stephanie Anthony is a senior advisor with Manatt Health, where she provides research, analysis and advisory services on health policy and health law to public and private sector clients on issues including healthcare reform, Medicaid and Children’s Health Insurance Program (CHIP) financing, program design and waivers, post-acute care, and long-term services and supports.