A joint Alert from the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) warns of new cyber attacks targeting COVID-19-related information.

Notably, these attacks succeed when system users have weak or common passwords.  NCSC published frequently found passwords here, many of which are used by cyber criminals to gain access networks that contain sensitive research and health care information.  The Alert warns that cyber criminals have been using “password spraying”, a style of attack in which the attacker tries a common password across many user accounts one time, before moving on to another common password.  By switching among common passwords, the attacker avoids account lockouts.

The HIPAA Security Rules require covered entities and business associates to “protect against any reasonably anticipated threats or hazards to the security” of protected health information and to implement “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” needed to protect against threats.   While workforce training on password management is “addressable”, rather than “required” under the Security Rules, covered entities, business associates and any other entities that maintain COVID-19-related information would be smart to remind users to pick strong passwords.  How about “SkunkSprayStinksStealsSensitiveData2!?”

Fox Rothschild LLP partner Beth Larkin listened to the HHS Office for Civil Rights 4/24/20 webinar (which should be posted on its website at some point) regarding HIPAA and COVID-19 and took notes. Here’s my summary of key points, based on Beth’s notes:

Overview: OCR stresses that the HIPAA Rules are supposed to be balanced and flexible.  The HIPAA Rules do not prohibit sharing PHI, they just require covered entities and business associates to take appropriate steps to safeguard PHI in accordance with the HIPAA Rules.

OCR has issued HIPAA non-enforcement notices related to some of the topics covered in the webinar (on telehealth, community-based testing sites (CBTS) and business associate disclosure of PHI for public health purposes) and guidance (such as FAQs) related to other topics covered (on first responders and disclosures to family and friends involved in care and for notification purposes).   The non-enforcement notices apply to all HIPAA Rules, not just the Privacy Rule.  OCR’s HIPAA non-enforcement is based on a covered entity’s and business associate’s good faith efforts to comply with the non-enforcement notice. . OCR non-enforcement notices will not apply once the public health emergency is over, but OCR can still use its enforcement discretion. OCR tends to try to resolve complaints and investigations with technical assistance. Penalties are generally issued with respect to systemic non-compliance and egregious violations.

OCR will continue to issue COVID-19 guidance as needed. OCR puts all of its COVID-19 HIPAA information, including the non-enforcement notices and guidance discussed here (collectively “OCR guidance” for purposes of this blog), in a new HIPAA and COVID-19 section on its website.  Questions can be submitted to ocrmail@hhs.gov or by calling OCR number of 1-800-368-1019.  OCR reads through all of the emails/questions received and issues guidance based on emails/questions.

Remember that state laws may be more stringent and will also apply for HIPAA Covered Entity providers (“CE providers”) and Business Associates.

Key Points:

  • Public Health Requests and Minimum Necessary: If CDC or another public health authority makes a request for COVID-19 information from a CE provider for public health reasons, the CE provider can rely on the fact that the request meets the “minimum necessary” requirement, and can continue to provide the PHI over a period of time in response to the initial request (e.g., reporting may be required weekly- a new agency request not needed each time)
  • Public Health Activities and Business Associates: OCR will exercise enforcement discretion so that a business associate may use or disclose PHI for public health activities or health oversight activities, even if its business associate agreement does not expressly permit that use or disclosure
  • Media Disclosures: OCR stressed that disclosures to the media still generally require patient authorization.  CE providers still need to be careful and take appropriate precautions against media disclosures (e.g., be careful when news crews are filming COVID-19 stories).  OCR watches and reads the news too.
  • Telehealth:  OCR’s non-enforcement applies to all media that OCR considers “telehealth,” including online video, telephone, texts and emails.  It also applies to all health care rendered via telehealth, not just COVID-19 care.  A CE provider must use non-public facing methods of communication, enable privacy and security protections, and notify patients that there is a privacy/security risk.  While no business associate agreement (BAA) with the communications service provider is required, a number of service providers have stated that they operate in compliance with HIPAA and will provide BAAs.  CE providers should take reasonable precautions for patient privacy (e.g., close office door, lower voice).  While the OCR guidance does not apply to Part 2 Rules, OCR noted that SAMSHA has issued some guidance on telehealth under Part 2 Rules.
  • First Responders:  OCR’s guidance addresses exceptions that already apply, such that patient authorization is not required (e.g., disclosures for treatment, public health purposes, where required by law, and where there’s a serious imminent threat to the health and safety of a person or the public, ).   OCR allows CE providers like hospitals to release lists of COVID-19 positive individuals to EMS dispatch for purposes of notifying first responders on a case-by-case basis if there is a risk of infection (EMS can tell first responders being dispatched to a patient that the patient is COVID-19 positive but can’t post the list or distribute the list to first responders).  EMS can also ask 911 callers about COVID-19 symptoms and notify first responders. (EMS may not be a CE provider.)
  • COVID-19 Community-Based Testing Sites:   OCR’s non-enforcement only applies to the CBTS, not other services or activities of the CE providers or its business associates (including storage of testing results in an electronic records system). OCR recognizes that it’s hard to comply with HIPAA Rules when testing is being done in a parking lot or on a drive-thru basis. Reasonable safeguards (e.g., buffer zones, tarps or barriers used to add privacy, and secure technology) are still encouraged for CBTS.

 

 

Cyber security

The New York Attorney General has issued a warning to healthcare providers, hospitals, and other organizations within the health supply chain that cyber criminals are using targeted COVID-19 phishing emails and texts to gain access to sensitive information.  Multiple reports indicate that scammers are sending emails and texts to get a recipient to click on a link purporting to share COVID-19 information that in reality installs malware or permits access to steal passwords and other sensitive information.

Details in this post by Caroline Morgan on Fox Rothschild’s Privacy Compliance & Data Security blog.

Patient health records folder

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning that it has received reports that someone has been impersonating an OCR inspector in an effort to access HIPAA Protected Health Information (PHI).

According to the agency: “The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation. HIPAA covered entities and business associates should alert their workforce members, and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address.  If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.”

HIPAA Covered Entity and Business Associate clients interested in receiving security and privacy updates directly from OCR can sign up here.

On March 20, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published Guidance and a list of FAQs related to the provision of telehealth and HIPAA compliance.

“OCR will exercise enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  This notification is effective immediately.”

Here are several “Dos” and “Don’ts” for covered health care providers from the Guidance and FAQs:

DOs:

1.  Exercising professional judgment, use a video chat application that connects to the provider’s or patient’s phone or desktop computer to assess or treat a patient in connection with potential COVID-19 infection.

2.  Exercising professional judgment, use the video chat application to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle or other ailment and for dental consultations, psychological evaluations and other assessments.

3.  Use  popular applications that allow for video chats, including Apple’s FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, to provide telehealth. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

4.  If seeking additional privacy protection for telehealth while using video communication products, engage vendors that will enter into HIPAA business associate agreements (BAAs) in connection with the provision of the product, including the following vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet

DON’Ts:

1.   Use public-facing video communication applications, such as  Facebook Live, Twitch, TikTok, and similar video communication applications.

2.  Rely on the OCR’s discretion regarding HIPAA enforcement if you are a substance use disorder program subject to Part 2 (see here for Guidance related to Part 2).

3.  Expect HIPAA enforcement discretion if you are a covered entity health plan (see FAQ #2).

4.  Expect Medicare or Medicaid reimbursement for all telehealth services (see FAQ #1 and CMS Guidance).

5.  Expect HIPAA enforcement discretion for activities unrelated to telehealth. The Security Rule, Privacy Rule, and Breach Notification Rule continue to apply in all other contexts.

By Margaret J. Davino, Salvatore J. Russo and Nawa A. Lodin

In the Medicare Telemedicine Healthcare Provider Fact Sheet published March 17, 2020, the Centers for Medicare & Medicaid Services (CMS) broadened access to Medicare telehealth services to allow Medicare patients to receive more services from their doctors without travel to a health care facility. This benefit is available on a temporary and emergency basis under the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act, to provide telemedicine services during the national emergency declared regarding COVID-19.

Before this new waiver, Medicare only paid for telehealth when the patient was in a designated rural area and left the home and went to a clinic, hospital or certain other types of medical facilities for the service.  Now, Medicare can pay for office, hospital and other visits furnished via telehealth across the country including in patient’s places of residence, retroactive to March 6, 2020. A range of providers, such as doctors, nurse practitioners, clinical psychologists and licensed clinical social workers, will be able to offer telehealth to their patients. Additionally, the HHS Office of Inspector General (OIG) is providing flexibility for health care providers to reduce or waive cost-sharing for telehealth visits paid by federal health care programs.

Also, effective immediately, the HHS Office for Civil Rights (OCR) will exercise enforcement discretion and waive penalties for HIPAA violations against health care providers that serve patients in good faith through communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.  See Emergency Situations: Preparedness, Planning, and Response, from HHS.

 Medicare Telehealth Visits 

Starting March 6, 2020 and for the duration of the COVID-19 public health emergency, Medicare will pay for professional services to beneficiaries in all areas of the country in all settings (instead of the limited originating sites listed before March 6). For this Medicare telehealth visit, the provider must use an interactive audio and video telecommunications system that permits real-time communication between the distant site and the patient at home. Although Medicare normally requires that the patient have a prior established relationship with a particular practitioner, HHS will not conduct audits to ensure that such a prior relationship existed for claims submitted during this public health emergency. These visits are considered the same as in-person visits and are paid at the same rate as regular in-person visits.

The Medicare coinsurance and deductible would generally apply to these services. However, the HHS Office of Inspector General (OIG) is providing flexibility for health care providers to reduce or waive cost-sharing for telehealth visits paid by federal health care programs.

Other Medicare Telehealth Visits

The CMS Fact Sheet reminds providers that there are two previously existing types of telehealth services:  virtual check-ins and e-visits.

Virtual check-ins: In 2019, Medicare started paying in all areas (not just rural), for established Medicare patients in their homes to have a brief communication service (virtual check-in) with practitioners via a number of communication technology modalities including synchronous discussion over a telephone or through video or image (unlike Medicare telehealth visits, which require audio and visual capabilities for real-time communication). The practitioner may respond to the patient’s concern by telephone, audio/video, secure text messaging, email or use of a patient portal. The communication may not be related to a medical visit within the previous seven days and cannot lead to a medical visit within the next 24 hours (or soonest appointment available). The patient must verbally consent to receive virtual check-in services. The Medicare coinsurance and deductible applies to these services. In addition, separate from these virtual check-in services, captured video or images can be sent to a physician (HCPCS code G2010).

 E-visits:  In all types of locations including the patient’s home, and in all areas (not just rural), established Medicare patients may have non-face-to-face patient-initiated communications with their doctors without going to the doctor’s office by using online patient portals. The patient must generate the initial inquiry and communications can occur over a seven-day period. The services may be billed using CPT codes 99421-99423 and HCPCS codes G2061-G2063, as applicable. The patient must verbally consent to receive virtual check-in services. The Medicare coinsurance and deductible would apply to these services.

State Law

This CMS Fact Sheet involves only federal law, and does not change state laws, e.g., state licensing laws that require that a physician be licensed in the state in which the patient resides, or state Medicaid requirements.  The New York State Department of Financial Services just published this notice yesterday relaxing reimbursement provisions for telehealth services:  https://www.dfs.ny.gov/system/files/documents/2020/03/re62_58_amend_text.pdf.  Please note also the NJ Telemedicine Act, N.J.S.A. 45:1-62 et al, which requires the physician to provide the patient with certain information, including his or her professional credentials, before engaging in telemedicine (requiring a proper consent form) and requires the physician to establish a provider-patient relationship before prescribing medication to the patient based solely on answers to an online questionnaire, along with how to establish that relationship.

Effective March 15, 2020, certain hospitals that fail to comply with specific HIPAA Privacy Rule requirements will not be subject to HIPAA sanctions and penalties, according to a “COVID-19 & HIPAA Bulletin” issued by U.S. Health and Human Services Secretary Alex M. Azar. The waiver was implemented as a response to President Trump’s recent declaration of a nationwide emergency concerning COVID-19 and Secretary Azar’s declaration of a public health emergency on January 31, 2020.

Note that this HIPAA waiver is limited. It only applies to (1) hospitals located in an emergency area identified in a public health emergency declaration; (2) hospitals that have instituted a disaster protocol; and (3) for up to 72 hours after the hospital institutes its disaster protocol . When President Trump’s or Secretary Azar’s emergency declaration ends, the HIPAA waiver will end.

In addition, the HIPAA waiver only applies to the following specific HIPAA Privacy Rule requirements:

  • obtaining the patient’s consent to speak with family and friends involved in patient care as per 45 C.F.R. 164.510(b)
  • honoring the patient’s request to opt out of being included in the facility directory as per 45 C.F.R. 164.510(a)
  • distributing the Notice of Privacy Practices to patients as per 45 C.F.R. 164.520
  • giving individuals the right to request restrictions on the use or disclosure of their protected health information as per 45 C.F.R. 164.522(a)
  • honoring the individual’s right to restrict disclosure of protected health information to a health plan as per 45 C.F.R. 164522(b)

The Bulletin reiterates many of the points addressed in HHS’s February 3, 2020 Bulletin on HIPAA and COVID-19, discussed here in a prior post. The bottom line?  HIPAA remains in place during emergencies, except for a limited set of covered entities and with respect to limited provisions of the HIPAA Privacy Rule as described above.

 

 

 

If your company is a covered entity or a business associate, you face unique challenges when workforce members ask or are required to work from home. Hopefully, your company’s HIPAA Security Policies and Procedures address the use of portable devices, whether they are owned by the employer or by the employee, and your HIPAA security risk assessment should take into account any location in which electronic protected health information (PHI) might be created, received, maintained or transmitted.  Still, it’s important to remind employees of their obligations with respect to HIPAA compliance and to make sure PHI is protected when used or disclosed outside of the office, particularly when Coronavirus concerns result in changes to the way in which information is typically accessed or communicated.

Here are a few HIPAA privacy and security basics to keep in mind if employees will be handling PHI while working from home.

A is for Access: Check that home devices have access controls, such as automatic logoff.  Implement technical policies and procedures that grant access rights to specified workforce members, and that limit access to only those systems and software programs that have been approved by the company.  See HHS FAQ on this topic here.

B is for Breach: Remind employees to avoid breach scenarios that are more likely to occur when working off-site, such as preventing family members or guests from viewing or overhearing PHI, not using public or unsecured networks to access or communicate PHI, and being aware of where copies of PHI are made and stored, whether paper or electronic. Implement a policy and procedure for employees to return paper and electronic files to the employer’s office or system and destroy copies that could end up in home trashcans or on personal devices.

C is for (secure) Connection: Check that employees have access to a secure network connection. The HIPAA Security Rule requires that you document establishment of all safeguards (technical, physical, and administrative) needed to protect information exchanged in a network. Check the HIPAA Security Rule on transmission security, and document how you have addressed integrity controls and encryption. See HHS FAQs on this topic here and here.

The FAQs included in my prior post address  employer response with an eye to HIPAA compliance.  What else can an employer do or not do with employee information related to COVID-19 status?   Even covered entities and business associates concerned with HIPAA must be alert to other laws that affect their communications and action plans.   Employers should check with labor counsel for laws and requirements that may apply.  Employers should also be aware that state-specific privacy and data security laws may apply to the collection, retention, use and disclosure of health information.

See here for a recent article on workplace considerations related to Coronavirus published by Fox Rothschild LLP colleagues who practice in our Labor and Employment practice.

Fox Rothschild partner Bill Maruca’s article, “Protecting Privacy During an Infectious Disease Panic”, is (unfortunately) as relevant today as it was when it was posted here more than 5 years ago. Swap Ebola for COVID-19, and the article provides useful guidance for covered entities and business associates subject to HIPAA and to employers, family and friends who are not.

More recently, the U.S. Department of Health and Human Services published a Bulletin that emphasizes the important and HIPAA-permitted circumstances under which COVID-19 patients’ information may be disclosed.

Key take-aways from the Bill’s article and from the HHS Bulletin include: (1) only covered entities and business associates (and their subcontractors) are subject to HIPAA, and (2) HIPAA allows disclosures under certain circumstances, such as where disclosures are necessary to prevent a serious and imminent threat and are consistent with applicable law and covered entities’ standards or codes of conduct.

The following FAQs illustrate these take-aways (note that these focus on HIPAA only and not on other potentially applicable laws, such as employment-related laws and state privacy laws):

Q.1.     I work in HR at my company. An employee came to me this morning and told me that his adult son, who resides with the employee, tested positive for Coronavirus this past weekend. Will I violate HIPAA if I tell my supervisor with or without consent of the adult son or the employee? Can my supervisor alert other employees in the office?

A.1.     You will not violate HIPAA by telling your supervisor, and your supervisor will not violate HIPAA by alerting other employees. Neither you nor your supervisor is a covered entity, business associate, or subcontractor (but see next FAQ) and so HIPAA does not apply.

Q.2.     I work in HR at my company and am responsible for overseeing our self-funded group health plan. Same facts and questions as above.

A.2.    Because you have HIPAA obligations due to your role with respect to the company’s group health plan (which is a covered entity under HIPAA), you need to be cautious with respect to this information.  We recommend you consult your HIPAA Privacy Officer or HIPAA counsel regarding the disclosure by the employee to you and the circumstances of the disclosure to determine whether HIPAA applies and if it does, whether HIPAA would allow you to inform your supervisor.     

Q.3.     I work in HR at my company and am responsible for overseeing our self-funded group health plan. I reviewed a claim for services rendered by a hospital to an employee who has been out of work due to illness for the past several weeks. The claim included diagnosis codes that suggest the employee was treated for COVID-19. Can I tell my supervisor? Can my supervisor alert other employees?

A.3.     HIPAA applies to your communications regarding protected health information (PHI), so you must proceed with caution. HIPAA permits the disclosure of PHI if it is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public, and it is consistent with other applicable law. However, it does not appear that you have sufficient information to rely upon this “serious and imminent threat” exception as the basis for disclosure. You do not know that the patient had tested positive for Coronavirus or was treated for COVID-19, nor have you demonstrated how notification would prevent a serious and imminent threat (the employee has not been in the office for several weeks). This situation clearly calls for further consultation with knowledgeable medical and/or legal professionals.