PODCAST: COVID-19’s HIPAA Impact, Increased Risk From Remote Work
HIPAA Critical by Paubox: Episode 10 | COVID-19’s HIPAA Impact, Increased Risk From Remote Work, Interview with Carrie Nixon
“We uncover the latest news headlines and how COVID-19 is impacting HIPAA sanctions, the risks of working from home, and FDA warning about a medical bluetooth security flaw, ransomware attacks again in Arkansas, a stolen hard-drive compromises thousands of patients and we chat with the Managing Partner at Nixon Law Group about the evolving world of healthcare and how technology could have a impact on monitoring and diagnosing COVID-19.”
Click here to find out how a healthcare attorney can help your organization navigate the pandemic safely
Here’s the full transcript of this episode.
Olena Heu: Welcome to another edition of the HIPAA Critical Podcast. I’m Olena Heu and joining me is Chief Marketing Officer, Rick Kuwahara.
[THEME MUSIC]
Rick Kuwahara: Hey, Olena. Great to be here again.
Olena: Rick, you are bringing us the very latest when it comes to HIPAA and we’ve got a lot of updates in terms of COVID-19.
Rick: Yeah, of course, it’s definitely a big deal right now. A lot of news and updates going on about it everyday.
But the latest that we have regarding HIPAA was the Department of Health and Human Services actually issued a limited waiver of HIPAA sanctions and penalties because of COVID-19.
So the waiver became effective this past Sunday on the 15th and it was basically in response to the President’s declaration of a nationwide emergency. And the waiver, what it does is give some relief for covered entities in hospitals mainly from some provisions of the HIPAA privacy rules.
So, the waiver gives covered hospitals some relief if it doesn’t comply with a few provisions of the HIPAA Privacy Rule, the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care, the requirement to honor a request to opt out of the facility directory, the requirement to distribute notice of privacy practices and the patient’s right to request privacy restrictions and the patient’s right to request confidential communications.
So this all sounds very concerning, but is very limited in scope of when these waivers occur.
And the basic reason for it is to make sure that at times of emergency, the privacy rule doesn’t prohibit the sharing of PHI during disasters to assist patients in making sure that they get the care they require.
So even those waiver of liability sound like, “Oh, that could hurt someone’s privacy,” it’s really to make sure that patients get the care they need, and it happens a lot of times when there are similar emergency situations like the Puerto Rico earthquakes last year, and also the tropical storm Barry.
So that went into effect on Monday and hospitals will be able to utilize that waiver when they are in an emergency situation.
Olena: Excellent. Yeah, thank you for clarifying that because initially it sounds a little concerning, but then when you explain it, then it’s more comforting. Like, “Oh, okay, it makes sense.”
Rick: Well, one of the trends that has been happening is a lot of businesses forcing remote work as we do the social distancing.
But one of the results of that is remote work actually increases security risks.
So when organizations are sending employees or even students to work from home to learn and do online learning, actually opens the door for more attacks because… And you know there’s bad actors who are gonna be trying to take advantage of the situation.
And it’s because although working from home is not new, having to rush a big workforce to go online could mean that organizations just aren’t prepared for that scale or volume because there are certain things you need do to secure a remote work environment from VPNs, virtual private networks, to the routers to even devices.
And already actors have been leveraging… We’ve talked about it before in the past, coronavirus-themed cyber attacks, malware attacks, so they are definitely trying to take advantage of these things, of the situation right now.
So there’s a few things that organizations and employees can do to make sure that they’re safe when they are working from home.
The first thing and the biggest thing is that companies make sure that all the technical things are there and in place. So that means virtual private networks.
If employees need to log on to remote systems, make sure that if they are taking home a company laptop or device that is encrypted, the hard drive’s encrypted and it’s secure, and make sure that any critical systems that are accessed remotely are secure, that that connection is secure, whether that’s a VPN or some other means.
And then employees, what they can do is make sure that if they are connected to WiFi, that that WiFi is secure, that they’ve changed a password and it’s not just a default one. A lot of people don’t change their wireless routers, so that’s gotta be done.
And then of course make sure that they know how to use the VPNs and that they’re utilizing that, and training is gonna be huge for everybody to make sure that they reinforce the awareness of malicious links.
One key way to do that is to make sure that you’re not using company devices for personal use because it’s very easy when you’re working from home to get distracted because you’re mixing your personal email and browsing with work-related stuff.
And you can accidentally click on a malicious link in your personal email that affects your device and you may not have actually clicked… You might have been caught if you are utilizing your work email.
So, those are just a few tips to make sure that during this time when a lot of people are transitioning and working from home that everybody’s as safe and secure as they can be.
So unrelated to COVID-19 but still of concern and kinda getting lost in the news cycle is the FDA issued a warning about medical device Bluetooth security flaws.
This was a recent alert that they sent out last week and it was about a set of security flaws known as SweynTooth, and it takes advantage basically of the Bluetooth of a lot of medical devices, and what it does is it allows hackers to remotely crash a device or access its data and of course if it’s a medical device, that can have huge implications.
Especially if it’s something that has insulin pumps or pacemakers, things that can cause death, if they’re crashed.
So right now there hasn’t been a breach from this flaw and the reason for that is because, thankfully, the attack can’t be done remotely over the internet. The hacker has to be in close vicinity to the device, in radio range to take advantage of the Bluetooth access.
But the bad news is that there is no patch for it yet. So the FDA recommends that healthcare organizations do a risk analysis of any Bluetooth-enabled medical devices that they have to make sure that they get patched or that they work with the manufacturer to make sure that there is some sort of patch that’s gonna happen.
Olena: Well, thank you for that update and of course, keeping us abreast of the latest updates and news headlines. And so now we’re gonna focus on winners and failures this week as we usually do. Rick, can you tell us who’s winning right now?
Rick: We always wanna highlight our customers and the great things that they’re doing. And this week, taking a look at Portland Mental Health & Wellness and how they’re proactively updating their patients and stakeholders about the COVID-19.
One of the best things that a lot of providers are doing is actually keeping their patients updated, of course. There’s a lot of information out there about COVID-19, a lot of misinformation, a lot of over-exaggeration.
So a lot of times, the providers, because they have such a good relationship with their patients and stakeholders, they can be that voice of reason.
And that’s what Portland Mental Health & Wellness is doing. They are sending out email updates, making sure that patients know the best ways that they can stay safe in this crisis, and as well as sharing resources that they can look to for additional information, just really being that leader, that calming voice for their patients.
And Brad Larsen Sanchez, the owner of Portland Mental Health & Wellness, he’s utilizing Paubox to do that, to make sure that the communication is all safe, secure and HIPAA-compliant.
When we were talking to him, we asked him, “Do you think that this would have been possible without Paubox?” And he said, “Probably not.”
It wouldn’t have been that easy because the other systems he was looking at, like Virtru, they require logins for users and people wouldn’t read emails.
So, he’s glad that he can use something like Paubox, which is seamless, and get the updates secure and compliant to his patients and they can view it straight in their inbox without having to log in to anything.
Olena: Excellent, yes. And we’re seeing a lot of this, those that are utilizing Paubox to keep people informed and utilizing their email to also get the message out. And you’ll find a lot of these testimonies and success stories on our website, that’s paubox.com.
Well, thank you for that, Rick. And so since we just focused on a winner, of course, we’re gonna highlight a failure and who you got this week?
Rick: So what we have first up is a Arkansas-based provider that unfortunately had to notify over 15,000 patients of a ransomware attack.
Ozark Orthopaedics noticed that there was some unusual activity in their email system, and after investigating it, they found that four employees had fallen victim to phishing attacks.
And as you know, phishing attacks are the number one ways that hackers get into your email and emails are the number one threat vector for healthcare and most industries.
So patient data, unfortunately, may have been exposed, that includes names, treatment information, social security numbers, Medicare and Medicaid, identification numbers.
And right now, Ozark Orthopaedics said there’s no evidence that patient data has been misused, but they’re trying to keep tabs on it because once this stuff is compromised, more and more hackers who utilize ransomware are not just locking down and holding the data for ransom, they’re taking it as well.
Unfortunately, the next failure we have is about a Colorado dental practice that had almost 2,800 patients’ information exposed and that happened after a hard drive was stolen.
So they discovered that a backup hard drive was stolen earlier this year, in January, and that contained patient information.
The good news is that even though the information includes things like consent forms, dates of birth, healthcare information, some social security numbers, the good news is that the hard drive was password-protected and it requires a proprietary program, a piece of software for it to be read.
So even though the hard drive was stolen, that was bad, there is a good silver lining that at least they had encrypted that drive to make sure that if it’s stolen, it’s very likely that none of that data could be compromised.
It shows the importance of encrypting drives and making sure that those physical devices are secure beyond just a simple login, but that the hard drive itself is encrypted.
And that’s in sharp contrast to what we saw last month from our HIPAA breach report where a stolen laptop from Health Share of Oregon affected over 650,000 people, and that the drive was not encrypted.
So it goes from a situation where one laptop affected so many people, and this drive, even though both are stolen, on one case, there’s a lot of compromise, and in the other case, we can be relatively sure that the likelihood of compromise is very low.
Olena: For sure. ‘Cause it’s so easy to take also ’cause it’s smaller than a computer and just grab it and go. And so it was a failure but something that, like you said, had a little bit of a silver lining.
Well, this week, Rick, was able to sit down with Carrie Nixon, Managing Partner of Nixon Law Group, which focuses exclusively on serving healthcare providers and healthcare technology companies.
They discuss the evolving world of digital health, privacy and an exciting technology that could have a positive impact on helping diagnose and monitor COVID-19, while limiting exposure. Take a listen.
Rick: So Carrie, to say the least, privacy seems to be a huge focus lately in the news, and especially on Capitol Hill with inquiries into the Ascension Google partnership to the Data Privacy Act. What’s your take on how we’re handling privacy and security, especially with the adoption of more mobile health technology?
Carrie Nixon: Well, it’s a really important issue, obviously. Consumers are becoming more and more attuned to how their data is potentially being used, as well they should be.
They need to know why their data is being used, how it’s being used, and they need to have the right to have some control over that.
So I think the attention on the issue is certainly well deserved, but having said that, the Ascension Google partnership is a really interesting issue.
It’s surfaced these privacy implications for folks in the media and made it a big deal. But to be honest, it is standard industry practice for digital health companies to work with healthcare providers and to work with healthcare payers in partnership, sharing data with the goal of improving the outcomes and reducing the cost of care.
Now, there should be, and I think there is, a public pressure to be responsible, but the media portrayed the Ascension and Google partnership like it was something out of the ordinary and like something was done incorrectly. And to be honest, that’s just not necessarily the case.
And in fact, I have read exactly how they structured some of their agreements and their data sharing and it really is typical practice.
So if we get to the point where the public pressure is pushing too hard in the direction of not allowing for the sharing of healthcare data, there is a trade-off there.
We absolutely are hampering our ability to identify new diseases, cure diseases, intervene early with diseases, if we put the kibosh on that data sharing among parties that should be looking at and sharing data.
I don’t think there’s anyone who doesn’t want to find the cure to a particular disease. That is in everyone’s interest, right?
Now, it may be that it would be very helpful for companies like Google and Ascension to make it crystal clear to the patients with the patient data that they are interacting with, make it clear to those patients that their data is being used in a way that is not implicating them specifically and is being used to help find a cure to X disease or identify this particular issue relating to healthcare. I think that’s something that everyone wants.
Rick: Right. And I think that that’s a good point, helping make consumers and people feel comfortable because a lot of it is even de-identified, and what does that mean to individuals? People are hearing that companies are sharing data, but they don’t quite always… They’re thinking of data like Facebook and data mining versus de-identified data that can help, like you said, push forward health.
Carrie: Yeah, that’s exactly right. There’s a real lack of understanding of how data can be very successfully de-identified and how that de-identified data has significant, significant value. I think if people understood that, they would be a little more comfortable.
Rick: And speaking of innovation, we’re so hit in the news today with coronavirus and the response to it and everything, but I think one thing that gets overlooked is how digital health technology and innovation can help impact that in a positive way. Is there any trends or technology that you’ve seen that could really help make an impact, especially in response to the coronavirus?
Carrie: Oh, most definitely. One thing that really comes to mind are remote patient-monitoring technologies.
This has been an area that has just exploded in the healthcare industry over the last two to three years, in large part because Medicare has finally decided to provide reimbursement for remote patient monitoring.
So that means that a patient can wear some sort of peripheral device, that may measure their vital signs or may measure their glucose levels, and that device will remotely transmit to their medical providers that information.
So say a patient has high blood pressure and they use a Bluetooth-enabled blood pressure cuff, that blood pressure cuff can remotely transmit the patient’s blood pressure readings on a consistent and regular basis to that patient’s healthcare provider who is, in fact, monitoring their hypertension.
And when the healthcare provider notices that there’s some sort of abnormality with the data that they’re seeing, for some reason, there’s been a spike in blood pressure that has lasted for a while, they can note that and they can call that patient up, and say, “Hey, what’s going on with your blood pressure? Tell me a little bit about what’s happening. Are you out of your medication? Do you need a refill?”
And there’s a real value in that, to identifying a potential problem early rather than having the patient end up in the ER because their blood pressure has been so high for so long. And in the long term, really reducing cost.
So I’m really enthusiastic to see all of the remote patient monitoring companies that have entered the market. And I’m really enthusiastic about Medicare’s decision to start reimbursing for those technologies because it means we’re going to see some really innovative devices and metrics that are now available out there, that are gonna move the needle in healthcare.
Now, this technology, remote patient monitoring, really has implications that I can see for both diagnosing and monitoring folks that may have the coronavirus.
So for example, we know that there is enormous concern right now about overwhelming healthcare facilities, hospitals, ERs, medical clinics with people who are concerned that they may have coronavirus.
And this remote patient monitoring technology allows those people to really be diagnosed and treated from home.
So a patient can call their physician or interact with their family physician and say, “Hey, I’m a little bit worried. I traveled overseas, I was just told that I was interacting with someone who is now infected. I may need to be monitored for coronavirus or what should I do and how do I know to tell you?”
One thing that can be done for them very readily is their temperature can be monitored at home with that data being remotely transmitted to their healthcare provider.
Their pulse ox levels can also be remotely monitored and transmitted via a Bluetooth pulse ox monitor to their physician. So at such time when a patient is experiencing a spike in fever and maybe their pulse ox levels are going down, maybe their physician then calls them and says, “Hey, it’s time to come in to test. We’re seeing symptoms and your fever is high, and it’s been that way consistently for a period of time. Come on in, and we need to do a test.”
If that person tests positive, they can, again, rather than having to go immediately into a healthcare facility, they can remain at home and be monitored remotely, where they are not interacting with others, out in the public.
And at the point at which if and when their respiratory rate or their pulse ox levels get outside of a particular range, then their physician is gonna be aware of that, and can call them immediately and say, “Hey, at this point I think you’ve reached the point where you need to come into the hospital.”
So, I think it is a really amazing opportunity for diagnosing, and for managing this coronavirus pandemic that we’re dealing with. I’m concerned that not enough healthcare providers are fully aware of these new remote patient monitoring technologies and in fact the reimbursement that’s associated with them.
And therefore don’t know that they are a great way to monitor and to diagnose coronavirus. I’m hopeful that the administration will bring to their attention the opportunity that remote patient monitoring technologies provide in this time of crisis.
Rick: Overall, it does seem like sometimes policymakers are playing catch up with the speed of innovation in healthcare. Do you see that always being the case?
Carrie: You’re right, it is absolutely the case right now.
Technology is evolving in the healthcare sector at a rate where policymakers simply are not able to keep up. And I sure hope that that won’t always be the case but realistically, I think it’s likely to continue.
It is simply a fact that when a new technology or a new intervention comes out, it’s going to take our policymakers and regulators a little bit of time to figure out the parameters that they should be putting around that technology.
And oftentimes, we see cases where a technology hasn’t even entered the minds of policymakers or regulators. It is so new that it’s not something that has even been remotely considered in the past, before. And so they’re constantly having to evolve new frameworks for thinking about these things.
It’s a sticky situation because we don’t wanna be in a position where we see innovation superseding patient safety considerations, that’s the big thing. But by the same token, we don’t, again, want to constrain innovation.
So it’s a fine balance to strike when regulators are having to consider entirely new frameworks that have entirely yet unconsidered ramifications for patient safety.
Rick: Great point. Thanks so much for your time, Carrie.
Olena: Now, if you like what you heard, be sure to subscribe and tune in next week. For more information, log onto paubox.com.