As businesses re-open and take precautions to prevent the spread of COVID-19, many organizations have introduced thermal scanning policies onsite.
Since fever is a major symptom of COVID-19, these scanners check people for elevated temperatures, and a positive result may lead to self-quarantine or further testing. It is a proactive approach to protecting the broader population, but how does it affect the company's security posture and the privacy of the people being scanned?
HIPAA applies only to covered entities and business associates, but even an organization inside that scope still has to identify what information the scanner collects, where it is stored, and how it is used before it can tell whether the regulation reaches the data.
If a covered entity (CE) or a business associate (BA) uses a device that gathers individually identifiable health information, then the regulation applies. For example, if a CE or BA scans a person’s temperature and records or transmits that temperature together with identifying information about the person (name, employee ID, photo, video, fingerprint, etc.), then this is likely HIPAA-relevant data. One caveat: HIPAA’s definition of protected health information (45 CFR 160.103) excludes employment records that a covered entity holds in its role as an employer, so a hospital screening its own staff at the door may be handling employee records rather than PHI, while screening patients or visitors is a different matter.
If personal information is never captured, HIPAA would not apply. For example, if a company used a thermal scanner to screen people as they came in the door and simply told them whether they were allowed in, without recording anything about them, then the scans are likely not in scope for HIPAA.
For any new technology, review whether it collects, stores, or transmits personally identifiable information (PII) or protected health information (PHI), and with whom that data is shared, to determine whether it falls under a known regulation.

Additional Resources
HIPAA & Penetration Testing & Incident Response Plans
Frequently Asked Questions
What is HIPAA compliance?
This refers to the process of following the procedures required by the Health Insurance Portability and Accountability Act. HIPAA is the law that established the current standards for protecting patients’ sensitive health-related data. The goal is to ensure that healthcare organizations implement the required administrative, physical, and technical safeguards to secure this information and prevent data breaches.
What is a HIPAA-covered entity?
Entities that are required to adhere to the HIPAA standards are healthcare providers, health plans, and healthcare clearinghouses; business associates that handle PHI on their behalf are also bound by the rules. All of these entities are entrusted with patients’ personal information, including Social Security numbers (SSNs), bank account details, and medical histories. Any enterprise that falls into these categories can benefit from HIPAA compliance solutions.
What are HIPAA violations?
There are a number of ways in which a HIPAA-covered entity can fail to comply with the regulations. These include transmitting patient data without sufficient encryption, disclosing patient information to unauthorized parties, or falling victim to cyberattacks that expose the data. The scope of potential violations and the severity of the penalties involved make it all the more important that businesses enlist the help of HALOCK as their HIPAA consultant.
Are there any new HIPAA requirements we should be aware of?
If your organization is responsible for HIPAA compliance, you may have another incentive to begin regular penetration testing: on December 24, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify HIPAA. Learn more details in this HIPAA article.
Where can I find a guide to HIPAA Acronyms?
Read a glossary of HIPAA and healthcare acronyms.
What are the top threats facing the healthcare industry?
Top Cyber Threats in Healthcare
