Among the several standards contained within the HIPAA Security Rule, the Contingency Plan standard is of interest during the world-wide response to the COVID-19 virus. The Security rule also applies to the business associates of covered entities through the Business Associate Agreements that have presumably been executed between the parties.

Located at 45 C.F.R. 164.308(7), the requirement for Contingency planning states: “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” (emphasis added).

Although the COVID-19 epidemic and associated business disruption may not directly damage systems, several considerations are warranted. 

First, the reliance on third-party IT service providers and solutions to operate your health information systems, or store, process, or transmit electronic health information on your behalf. Service providers may be subject to cascading impacts from their own service providers or may experience diminished labor capacity from their own workforces.

Second, the HIPAA contingency plan requirement further specifies the adoption of an “Emergency mode operation plan.” Essentially a Business Continuity Plan, the Emergency mode operation plan under HIPAA is focused on the procedures needed to continue critical business processes for the protection of the security of the ePHI. It is important to not undermine security controls when enabling remote access to accommodate remote workers and vendors.

There are many ways to enable remote access to sensitive data for remote workers. Here are several guidelines for providing remote access to internal, privately hosted systems (i.e. system run on internal or collocated servers by your IT staff):

  • Whenever enabling remote access, make sure you require two-factor authentication.
  • Do not expose a remote login interface on the public Internet. Instead, provide employees and contractors a VPN client to safely authenticate to the company network, using two-factor authentication. Provide critical system and data access to the remote users from there.
  • If possible, use MAC address filtering on remote workstation VPN access so that only company-managed workstations can authenticate. This can be considered one of the two factors.
  • Make sure that all employees have access to, install, and are running an endpoint detection and response product, more than the traditional anti-virus software. Such tools include: Carbon Black, Sophos Intercept X, Cisco AMP, Crowd Strike, and Sentinel One. The choice of tool may be related to the type of firewall you currently use.
  • Actively review remote connection logs for indicators of foreign IP addresses.