Security Risk Assessment (SRA) and COVID 19

The Office for Civil Rights (OCR) at the HHS announced that it will not impose penalties for noncompliance with HIPAA Privacy, Security, and Breach Notification Rules regarding the good faith provision of telehealth during the COVID-19 pandemic.

The announcement looks like a “get out of jail free” opportunity, but the reality is far from that interpretation. The key phrase we need to focus on is “good faith provision”, which can be interpreted in multiple ways.

To keep it simple, the intent of this announcement was to allow some freedom to facilitate contact with patients through telecommunications platforms. It is particularly important to remember that the announcement does not mean that HIPAA requirements no longer apply. Also, implementing telecommunications technology opens the door to new risks with regard to protecting patient information.

Our basic recommendation is to complete your annual SRA as normal, with an emphasis on reviewing the technologies you are using for telecommunications. If you use telecommunications in your business, make sure to obtain a signed business associate agreement (BAA) from your telecommunications provider. Make sure that, in addition to the standard BAA wording, your agreement covers information such as where and how (i.e., in encrypted format) any video conferences are stored, and that all connections are encrypted.

We understand that you have a lot on your mind, but this is not the time to get caught out by something this simple, so schedule the SRA early and get it off your mind.