
It might be tempting for covered entities and business associates to put off some of their regulatory or compliance obligations as other priorities evolve in the current crisis. Whether to do that is a risk decision, like most security and privacy compliance choices, and there are a number of factors to consider. For example, an organization might consider reducing or pausing its user access monitoring program. HHS has issued guidance on a number of areas where it will not pursue enforcement actions under the HIPAA Privacy or Security Rules at this time. The provisions where enforcement was waived predominantly concern patient rights. But as part of the guidance, the Office for Civil Rights (OCR) has specifically indicated that covered entities and business associates must still safeguard patient information.

Safeguarding Patient Information

In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.

HIPAA Security Rule Requirements

OCR shared the following recommendations in its January 2017 Cybersecurity Newsletter:

The guidance from OCR announcing the temporary waiver of its enforcement activity does not mean covered entities and business associates can ignore their other HIPAA obligations. When thinking about user access monitoring, there are some key considerations for determining the risk an organization takes on by stopping or pausing current activity.

HIPAA Breach Notification Rule

Another consideration is the HIPAA Breach Notification Rule. It states a breach is deemed discovered by a covered entity, “as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).” 45 C.F.R. §164.404(a)(2).

Final Considerations

If a covered entity or business associate has a user access monitoring program in place and decides to suspend or stop it, what happens to the improper uses and disclosures of PHI that would have been discovered had the program continued? Could OCR or another regulator determine that the entity was no longer exercising reasonable diligence? If so, could the discovery date for any breach resulting from the improper access be deemed the day it occurred, or the day the entity would have known had it followed its routine user access monitoring program? Either outcome could put the organization at risk of failing to notify in a timely manner.

Healthcare is in a state of crisis. However, this is not the time to put aside compliance activities without a very careful consideration of the risk to the organization.