In mid-March, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that they would use “enforcement discretion” in regard to HIPAA compliance with telehealth.  And, the healthcare community gave out a collective sigh of relief.  Not because the rules and regulations were unfair, but in a time of uncertainty, it meant one less thing to worry about.

That leniency meant that OCR would potentially waive penalties for healthcare providers who were serving COVID-19 patients through “everyday communications technologies” during the worldwide health emergency. This meant that with increased usage of Skype, FaceTime, Zoom, or other video conferencing platforms, the enforcement would be less strict as long as those services were “used in good faith”.

Never Assume

We want to assume that since we ourselves are acting in the patient’s best interest, everyone is.  But with so many adjustments being either forced upon us or made on our own to accommodate our needs, it is hard to know whether or not we are doing the best that we can.  Also, consider that your standards are not the same as others, and with many organizations lacking onsite monitoring by management or an IT company, you can only trust that all efforts are aligned to be the safest for patient care.

If you aren’t sure, ask.  Is this platform safe?  Should I have an additional layer of security on my hardware?  Is the software that I’ve downloaded approved?  In this time of uncertainty, asking questions is not only likely, but it is also welcome.  If you are working from home, look for a checklist to ensure you’ve enabled best practices.  Do your own security risk assessment.

Undoing Bad Habits

With regular enforcement expected to be back in place when the high alert phase has passed, it is in everyone’s best interest to remain as diligent as possible and not establish new laissez-faire habits that have to be undone later. Cybercriminals are waiting in the shadows for you to let your guard down.  Don’t wait for someone else to create a response plan; be proactive if you don’t know what your plan is when responding to a security incident or cybersecurity breach.

It’s one thing to be lazy in your exercise and eating habits right now, but your cybersecurity habits must remain as strict and diligent as ever.