HHS Loosens HIPAA Sanctions and Cyberattacks Spike During COVID-19 Pandemic

Following the declaration of a national emergency over COVID-19, the Department of Health and Human Services (HHS) issued a limited waiver of certain HIPAA Privacy Rule sanctions in order to improve both data sharing and patient care outcomes. The pandemic is increasing data sharing challenges within the healthcare industry as providers have a critical need to share information with family members, public health officials, and emergency personnel, at times without the patient’s consent. 

What is the HIPAA Privacy Rule and What Does the Limited Waiver Mean for You?

The HIPAA Privacy Rule allows healthcare organizations to disclose limited protected health information (PHI) to individuals and entities other than the patient, under certain circumstances. But, as the need for information sharing rises in response to the ongoing pandemic, certain HIPAA Privacy Rule provisions have been relaxed, including:

  • Requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • Requirement to honor a request to opt out of the facility directory.
  • Requirement to distribute a notice of privacy practices.
  • Patient’s right to request privacy restrictions.
  • Patient’s right to request confidential communications.

The waiver is designed to facilitate PHI-sharing workflows in a number of specific circumstances related to the COVID-19 pandemic, so healthcare providers are now able to collaborate with one another—as well as third parties—more effectively without the risk of steep noncompliance fines.

The limited waiver proves that sharing data and sensitive information is an absolute necessity during a pandemic when resources are limited and facts are unknown. In a public health emergency that relies on the need to share data—while maintaining physical distance from one another—it only makes sense that technology is at the forefront of facilitating those workflows. However, the limited waiver does not take into account patient security and privacy. In fact, it underscores the need for secure sharing of PHI. 

An Increase in Hackers Targeting Healthcare Organizations

To further illustrate the need for privacy and security, especially during a health emergency, we look to several high-profile cybersecurity incidents. The reality of cybersecurity is such that bad actors are prevalent, sophisticated, and willing to stop at nothing. But hackers have officially crossed the line now that they’ve tried to attack healthcare organizations on the front lines in the midst of a global pandemic.

Attacks against the World Health Organization (WHO) have reportedly increased two-fold as the pandemic worsens. The computer network of the Czech Republic’s second-largest hospital was struck as it was testing people for the novel coronavirus. Cybercriminals are even exploiting the public’s desire for more information by posing as the Centers for Disease Control and Prevention (CDC) in a recent email phishing attempt.

Due to the threat landscape and a global health emergency that changes by the minute, many organizations may find themselves at a crossroads of sharing data to help fight the pandemic and locking it down to protect their own networks, systems, and individuals. Now, cybersecurity is more important than ever before as worldwide resources are deployed and many organizations shift focus to fight this pandemic. Not only is information about cures, tests, or treatments relating to COVID-19 extremely valuable to any affected country, but patient privacy must also be protected, despite these loosened HIPAA sanctions. Fortunately, you don’t have to choose between sharing and protecting data and patients; technical safeguards are a great place to start.

Technology for the Greater Good

Virtru provides flexible, easy-to-use, and trusted privacy technologies that govern access to data throughout its full lifecycle—from creation through sharing, storage, analysis, and action. Virtru’s email and file sharing capabilities transparently integrate into commonly used applications such as Gmail and Google Drive, allowing you to share PHI and other sensitive data—such as vaccine, treatment, or testing information—with confidence throughout the course of care. By protecting data at the object level, healthcare organizations can collaborate securely, knowing that the data is protected and always under their control. What’s more, you can remain in full compliance with HIPAA encryption requirements and protect your patients’ privacy.

Technology providers around the world are banding together to support organizations hit hardest by the pandemic. At Virtru, we are proud to stand amongst companies offering free services, volunteer hours, and cybersecurity expertise to healthcare providers—and organizations across all industries impacted by the pandemic—by offering free licenses of our data protection solution. Read more about our commitment to you during the COVID-19 pandemic.
