The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) recently settled four more investigations under the HIPAA Right of Access Initiative, which totals 11 settlements thus far.  In September, the OCR released a press release detailing its settlement of five additional actions under the HIPAA Right of Access Initiative. In the latest settlements, the OCR came down harder on  providers that failed to provide timely access to a patient’s protected health information by imposing six-figure fines (in two instances) and two year Corrective Action Plans on all four occasions.  In addition, the OCR Director delivered some stern remarks regarding the provider’s obligations with respect to the HIPAA Privacy Rule.

I.         Dignity Health

On October 7th, the OCR announced the settlement of its eighth HIPAA Right of Access Initiative investigation involving Dignity Health d/b/a St. Joseph’s Hospital and Medical Center (“Dignity Health”), which is a large, acute care hospital with various clinics based in Phoenix, Arizona. The OCR received a complaint from a mother stating that she made multiple requests for her son’s medical record in acting as her son’s personal representative, to no avail. Dignity Health provided some documents, but failed to properly respond to the mother’s request.

The OCR  determined that Dignity Health failed to provide the personal representative timely access to her son’s protected health information, which ultimately led to the OCR delivering a $160,000 “Resolution Amount” (as defined in the Corrective Action Plan)  and mandating Dignity Health to enter into a two year Corrective Action Plan.  For the record, this Resolution Amount was higher than all five of the previous settlement amounts announced by the OCR combined. The Corrective Action Plan orders the implementation of additional HIPAA policies and procedures, reporting requirements, training, and the submission of annual reports to HHS.  You can find the entire OCR announcement regarding Dignity Health here.

II.        NY Spine Medicine

Shortly following the OCR’s announcement regarding its settlement with Dignity Health, the OCR released yet another announcement regarding the settlement of its ninth investigation under the HIPAA Right of Access Initiative involving NY Spine Medicine, which is a private medical practice specializing in neurology and pain management with locations in New York, NY and Miami Beach, Florida. Last year, the OCR received a complaint from a woman stating that she made a request to NY Spine Medicine for her medical records, and again, the provider failed to the deliver the requested medical records after the woman made several inquiries.

The OCR determined that NY Spine Medicine failed to provide the patient access to her protected health information in a designated record set.  In fact, as of the settlement date, NY Spine Medicine still had not provided the patient with her requested medical records. Similar to the Dignity Health settlement, the OCR handed down a $100,000 Resolution Amount to NY Spine Medicine along with a two year Corrective Action Plan, which included similar mandated provisions as the Dignity Health Corrective Action Plan.  Most notably, the OCR Director, Roger Severino, provide some colorful commentary in the press release by stating: “No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message.” You can find the entire OCR announcement regarding NY Spine Medicine here.

III.      Riverside Psychiatric Medical Group

The OCR announced its tenth enforcement action under the Right of Access Initiative involving Riverside Psychiatric Medical Group, which is a group practice focused in mental health and substance abuse located in Riverside, California.  Last year, the OCR received two complaints from an individual stating that Riverside Psychiatric Medical Group failed to provide her requested medical records. After the initial complaint, the OCR even provided technical assistance to Riverside Psychiatric Medical Group.  However, even after the OCR assistance, the patient still did not receive her medical records and filed a second complaint. As such, the OCR issued a $25,000 Resolution Amount and mandated a two year Corrective Action Plan similar to the mandatory Corrective Action Plans in the Dignity Health and NY Spine settlements. You can find the entire OCR announcement regarding Riverside Psychiatric Medical Group here.

IV.      Dr. Bhayani

Within the past few days, the OCR announced its eleventh enforcement action, which was also the first enforcement against a private practitioner. Dr. Rajendra Bhayani specializes in ear, nose and throat medical services with an office located in New York.  Over two years ago, a patient sent a complaint to the OCR stating that she had failed to receive access to her medical records.  Yet again, the OCR responded by providing Dr. Bhayani with technical assistance.  In the summer of last year, the OCR received a second complaint from the same patient, which stated she still had not received her medical records despite the OCR’s efforts to assist the doctor. The OCR responded by issuing $15,000 Resolution Amount and implementing a two year Corrective Action Plan, which includes a six  year document retention requirement. In other words, the OCR will have a close eye on the doctor until October 2026. You can find the entire OCR announcement regarding Dr. Bhayani here.

V.       Moving Forward

The message is loud and clear, Director Severino.  The OCR plans to continue its strict enforcement of the Privacy Rule under the HIPAA Right of Access Initiative.  Based on the latest wave of settlements, it seems that all it takes is the denial or inadequate response to a single patient or personal representative’s request to access their medical records and the provider could be on the hook for a six-figure fine. In addition to the Resolution Amounts, the provider could incur additional expenses relating to the compliance with a Corrective Action Plan, whether it is hiring additional staff, drafting new policies, or revamping its entire recordkeeping processes. Moving forward, all providers should diligently respond to all requests for patient records and ensure its policies and procedures comply with the Privacy Rule.

If you have any questions regarding the Right of Access Initiative and how it affects your practice or healthcare business, please do not hesitate to contact us.

Covered entities beware: a timing pitfall lurks within the recently adopted rules prohibiting information blocking.  We have posted about OCR’s “Right to Access Initiative” and numerous enforcement actions taken to make sure that covered entities respond to patient access requests in a timely manner.  The HIPAA Privacy Rule requires covered entities to respond to access requests within 30 days, but OCR has emphasized that this is an “outer limit and covered entities are encouraged to respond as soon as possible.”

Soon, when compliance with the rules adopted by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC) is required, covered entity health care providers will have another outer limit to contend with when responding to patient access requests.  These rules implement certain provisions of the 21st Century Cures Act and are often referred to as the “Information Blocking rules”, though they also address interoperability of electronic health information and the ONC IT Certification Program.

The Information Blocking rule incorporates and cross-references many of the HIPAA Privacy Rules, including the rule giving individuals the right to access their PHI (45 C.F.R. 164.524).  The Information Blocking rule also provides specific exceptions for activities that will not be considered information blocking.  The exceptions generally align with (and cross-reference) provisions in the HIPAA Privacy Rule.  For example, the “preventing harm” exception aligns with the HIPAA access right exception that allows a covered entity to deny an access request when a licensed health care professional determines, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to the individual or another person.

Only one exception, however, includes an “outer limit” for response, and the outer limit is much shorter than the 30-day limit for responding to HIPAA access requests.

The “infeasibility exception” applies when certain events or circumstances prevent the health care provider from responding to an access request.  These include “uncontrollable events” such as (among others specified in the rule) public health emergencies, internet service interruptions, and labor strikes; the inability to segment the requested information from certain types of other electronic health information, such as information that cannot be made available by law; or where specified circumstances exist that make responding to the request infeasible.  However, if a health care provider denies an individual’s access request under the infeasibility exception, the provider must respond, in writing, to the individual within ten business days of receipt of the request, explaining why providing the requested access is infeasible.

HHS recently extended the date for compliance with the Information Blocking rule from November 2, 2020 to April 5, 2021, but covered entity health care providers may want to take steps now to account for the shortened response time for access requests that may meet the “infeasibility exception”.  Reviewing and amending business associate agreements and HIPAA policies and procedures to incorporate faster turn-around times are good places to start.  Training personnel about the changes and documenting all activities undertaken by the covered entity to comply are other good ways to demonstrate serious compliance efforts.

A recent conversation with a colleague in California prompted me to write this. He said that as part of its back-to-school plan, his children’s elementary school district “highly encouraged” that all students be tested for COVID-19 before returning to class. The district provided families with an in-home saliva test and asked parents to collect their child’s saliva, place the vial in a plastic bag along with some forms containing identifying information, and drop them off at the district offices before the start of school. He was surprised to see that the drop-off box was an open-lidded container on a table outside the entrance to the school district offices. The forms completed by other parents (listing children’s names, insurance information, addresses, etc.) were visible, folded in half inside clear plastic bags along with the samples, but no staff member was stationed at the table to prevent people from peering into the container, removing or reading through the forms. I said that HIPAA most likely does not apply to this health information, but FERPA might (even though the health information on the forms had apparently not yet been recorded into the students’ school records).  Nevertheless, the conversation reminded me that efforts to keep students healthy and safe must account for privacy.

When Ebola was in the public health spotlight, I posted here about a New Jersey elementary school that posted an announcement about two new students arriving from Rwanda.  The post said that the students would be kept at home for 21 days to allay concerns about infecting other students.  The students were not identified by name, and the school admitted that the kids were symptom-free and not from a part of Africa affected by the Ebola outbreak, but the report raised concerns with how schools protect student privacy as well as the health of other students and staff.

Here in my home state of New Jersey, many elementary and secondary schools are open and doing their best to prevent COVID-19 from spreading in the classroom and the community.  The New Jersey Department of Health issued recommendations to local health departments in early September that involve screening of students and staff and collection and reporting of COVID-19 symptoms and test results. As schools around the country grapple with whether and how to get students back into the classroom, it is easy to overlook data privacy requirements, especially when the privacy law that applies to most individually identifiable health information (HIPAA) and the privacy law that applies to most student records (FERPA) differ.

I noted one key difference in the Ebola posting:  HIPAA allows disclosure of protected health information for public health activities, such as to a public health authority that is authorized by law to collect the information to prevent or control disease, but FERPA creates a slightly higher bar to disclosure of identifiable health information contained in a student’s record.  Under FERPA, parents must provide written consent for disclosures of this information, unless an exception applies.  The FERPA “health or safety emergency” exception allows disclosure without parental consent to a public health agency, for example, if the school determines that the public health agency needs the information to protect the health or safety of the students or other individuals.  The school must determine that there is “an articulable and significant threat to the health or safety of students or other individuals” and, within a reasonable period of time after the disclosure, document in the student’s record the threat that formed the basis for the disclosure.  In other words, while reporting the number of students testing positive for COVID-19 might satisfy the FERPA “health or safety emergency” exception, reporting the students’ names or other information might not.

The U.S. Department of Education published FAQs in March 2020 on FERPA and COVID-19, describing the “health or safety emergency” exception that allows reporting to public health departments, as well as when health information can be disclosed to other parties such as parents of other students.  Interestingly, FAQ 7 states that schools can disclose information about a COVID-19 positive teacher or staff member to parents and students, as FERPA only protects information contained in student records, but points out that state privacy laws may apply.  However, it’s worth noting that if the school has a self-funded health plan and receives the information in that capacity, HIPAA would prevent such a disclosure without the individual’s authorization.

Mental Health/substance abuse providers and providers treating HIV/AIDS patients are held to a higher standard when it comes to protecting medical records, requiring additional levels of consent and analysis prior to productions. However, recent settlements published by the Office of Civil Rights of the Department of Health and Human Services (OCR) on September 15, 2020 remind all providers that patients and their authorized representatives have a right to access their records.

Right to Access Initiative:

In 2019 OCR launched the Right to Access Initiative based on concerns that had arisen that health care providers were not responding to request for records in a timely manner. In 2019, OCR’s Right to Access Initiative resulted in financial penalties and corrective action plans for two providers who had failed to provide patients with timely access to their records as required under HIPAA. Bayfront Health St. Petersburg, a Florida hospital, paid $85,000 and adopted a corrective action plan requiring one year of monitoring after a patient’s complaint to OCR led to the release of records nine months after the initial request. Korunda Medical, LLC., a primary care and pain management provider, also in Florida, paid the same amount and agreed to a similar one-year compliance monitoring arrangement as a result of its delays in forwarding records to a third party, failure to provide records in an electronic format, and overcharging for the records.

The Right to Access Initiative suffered a setback on January 23, 2020 when a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual . . . in an electronic format.” Additionally, the court ruled that the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party. Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020). OCR has posted a notice that its previous third party directive guidance is restricted by the Ciox order but also reaffirmed that the right of individuals to access their own records and the fee limitations that apply when exercising this right has not changed.

Five New Settlements:

On September 15, 2020, OCR issued a press release announcing five additional settlements pursuant to its HIPAA Right to Access Initiative. All the settlements involved failure to produce records to just one individual. Three of the five settlements involved providers of mental health/psychiatric services, one provider treated HIV/AIDS patients and one provider helped with pain management. Additionally, three of the five settlement involved continued complaints from the same individual after “technical assistance” had been provided by OCR to the providers. The penalties ranged from $3,500 to $80,000. All providers also agreed to sign corrective action plans requiring government oversight for either one or two years.

These five additional settlements demonstrate that OCR continues to take the issue of right to access seriously, and that a complaint from one individual is enough to trigger monetary penalties and a correction action plan with government monitoring. Providers, including those who provide mental health and substance abuse services, should review their HIPAA policies and procedures and ensure that they are being followed and requested documents are being provided in a timely manner.

A tricky issue for mobile health app developers since the Office for Civil Rights (OCR) released its first “Health App Use Scenarios & HIPAA” guidance back in 2016 has been deciphering whether the developer is a business associate if it offers its app on a consumer-facing basis as well as through covered entities (or their business associates).  I wrote about this at the time, highlighting the “maybe”:  whether a health app is acting as a business associate and subject to HIPAA depends on how an individual accesses the app. If the app is offered by or through a covered entity health plan or health care provider, the health data created, received, maintained or transmitted via the app is subject to HIPAA.  If the same app is accessed as a “direct-to-consumer” product, it is not.

This past week, OCR announced a new resource page for mobile health app developers.   The “maybe” is still there — the resource page includes the same “Health App Use Scenarios & HIPAA” guidance from 2016.  However, the OCR has added  a page on “Access Right, Apps, and APIs” that includes new guidance on the relationship between health apps and HIPAA.   As described in my August 17, 2020 post, the 21st Century Cures Act and implementing regulations adopted this past May generally require health care providers, plans, and many types of health information technology vendors to allow individuals to access electronic health information by way of a mobile health app.   Consumer use of health apps, whether provided by a health care provider, health plan, electronic health records company, or other entity subject to HIPAA, or whether purchased or accessed directly by the consumer without involvement of these persons or entities, is likely to steadily increase.

The “Access Right, Apps, and APIs” guidance includes its own tricky “maybe” when it comes to apps developed by or on behalf of an electronic health records system:

Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?

A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.

If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

Understanding whether HIPAA applies to the information accessed (or created, stored, or sent) in this manner is critical for covered entities, business associates, and individuals alike.  And even though a health app developer that markets directly to consumers may not be providing services on behalf of a covered entity or business associate and not be subject to HIPAA, the developer should make sure the individual using the health app understands how their individually identifiable health information is (and is not) protected.

The Office for Civil Rights within the Department of Health and Human Services (OCR) provided guidance in June that reassured covered entity health care providers and that it is generally OK to use or disclose protected health information (PHI) to contact individuals who have recovered from COVID-19 for case management and care coordination.

The OCR has now updated the guidance (“Guidance”) to clarify that health plans may also use or disclose PHI  for purposes of contacting individuals who have recovered from COVID-19 about donating plasma containing antibodies .  The Guidance also emphasizes neither health care providers nor health plans can receive any payment from or on behalf of a blood or plasma donation center in exchange for making  these communications without first getting each individual’s written authorization.   Accordingly, both types of covered entities must carefully navigate when such outreach is considered “marketing” and requires prior authorization.

The HIPAA regulations define “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service,” unless an exception applies.  Exceptions include situations involving communications for treatment and specified  purposes involving the covered entity’s “health care operations” (as that term is defined in the regulations), as long as the covered entity does not receive “financial remuneration” in exchange for making the communication. The regulations define “financial remuneration” as “any direct or indirect payment from or on behalf of a third party whose product or service is being described,” but does not include “any payment for treatment of an individual.”  45 C.F.R. 164.501.

Interestingly, the Guidance does not precisely track the marketing definition and its exceptions, but interprets the “health care operations” exception for “case management or care coordination … and related functions”  as permitting the use of PHI for this type of outreach, as long as no financial remuneration is involved.

This means that there are certain situations in which a health plan or health care provider that is a covered entity may use and/or disclose PHI of recovered COVID-19 patients to encourage them to donate plasma, and others in which it may not (without first getting the patients’ written HIPAA authorizations):

Allowed:  a covered entity may use member or patient information to contact the covered entity’s own members or patients to encourage them to donate plasma, if: (i) it is to facilitatd the supply of donated plasma would be expected to improve case management for infected individuals; and (ii) the covered entity does not receive financial remuneration from or on behalf of any blood or plasma donation center

 Allowed:  a covered entity may disclose member or patient information to a blood or plasma donation center that is acting as its business associate in order to improve the covered entity’s ability to conduct case management [while not expressly mentioned in the Guidance, if the center pays the covered entity, the existence of a business associate agreement may not protect the center from allegations that it is really an improper marketing arrangement]

X    Not Allowed:  a  covered entity MAY NOT disclose member or patient information to a blood or plasma donation center so that the donation center can reach out to recovered individuals for its own purposes, even if the plan or provider does not receive financial remuneration in exchange for the PHI

X    Not Allowed:  a covered entity MAY NOT use member or patient information to contact those recovered from COVID-19 to encourage them to donate plasma, if the covered entity received financial remuneration from or on behalf of the blood or plasma to make the communication

In all cases, a covered entity that intends to rely upon the Guidance should carefully document all aspects of the planning and execution of the uses and disclosures of member or patient PHI, including the determination as to whether a HIPAA authorization is required, prior to the use or disclosure of PHI related to potential plasma donation.

 

A patient asks her doctor to send her test results to an app the patient has downloaded on her phone.   The doctor worries that the app is not secure and that the patient might not understand the security risks.  What should the doctor do?

Covered entity health care providers and their business associates likely need to update their HIPAA Access Rights Policies and Procedures to address this scenario.  Rules recently adopted by Office of the National Coordinator (ONC) to implement certain provisions of the 21st Century Cures Act prioritize patient choice when it comes to requests for electronic health information (EHI).

According to ONC, the information blocking rule:

[S]trongly encourages providing individuals with information that will assist them in making the best choice for themselves in selecting a third-party application. We believe that allowing actors to provide additional information to individuals about apps will assist individuals as they choose apps to receive their EHI … . Individuals concerned about information privacy and security can gain a better understanding about how the third-party apps are using and storing their EHI, how individuals will be able to exercise any consent options, and more about what individuals are consenting to before they allow the app to receive their EHI.  Practices that purport to educate patients about the privacy and security practices of applications and parties to whom a patient chooses to receive their EHI may be reviewed by OIG or ONC, as applicable, if there was a claim of information blocking. However, we believe it is unlikely these practices would interfere with the access, exchange, and use of EHI if they meet certain criteria.

ONC warns that information provided to the patient about the privacy or security of the app must:

  1. Focus on any current privacy and/or security risks posed by the technology or the third-party developer of the technology;
  2. Be factually accurate, unbiased, objective, and not unfair or deceptive; and
  3. Be provided in a non-discriminatory manner. For example, all third-party apps must be treated the same way in terms of whether or not information is provided to individuals about the privacy and security practices employed.

Ultimately, it is the individual’s decision as to whether to use the app to access health information:

To be clear, an actor [such as a provider or its business associate] may not prevent an individual from deciding to provide its EHI to a technology developer or app despite any risks noted regarding the app itself or the third party developer.

The following post is adapted from an article written by Fox Rothschild attorneys Wayne Pinksone and Lucy Li, available here.

OSHA recently published guidance for “nonessential businesses” that are intending to reopen and allow their employees to return to work. This guidance is intended to supplement the U.S. Department of Labor and U.S. Department of Health and Human Services’ existing Guidance on Preparing Workplaces for COVID-19 and the White House’s Guidelines for Opening up America Again. Additionally, employers should continue to monitor state and local guidelines for best practices for worker protection. We discuss some key highlights from OSHA’s recent guidance below.

A Three-Phase Reopening Plan

Generally, OSHA has suggested a three-phase reopening plan:

Phase 1: Employers should keep telework available for employees when feasible and appropriate. Maintaining strict social distancing practices for employees returning to the office is imperative and may require limiting the number of returning employees. Employers should remain flexible in making accommodations for those who are high-risk, elderly individuals and those with underlying health conditions. Nonessential business travel should be limited.

Phase 2: The most notable difference from “Phase 1” is that nonessential business travel may resume. Employers should continue to allow telework if feasible and should maintain social distancing practices.

Phase 3: The final phase is a removal of all restrictions and the recommencement of normal business operations.

Transitioning from one phase to the next is based on geographical prevalence of COVID-19. But in general, employers should follow all applicable guidance from local, state and federal authorities when determining when to reopen and/or transition to subsequent phases.

Testing or Screening for COVID-19 Symptoms

Per OSHA’s guidance, employers are permitted to conduct worksite SARS-CoV-2 testing, temperature checks and other health screens. Employers who conduct testing must do so in a transparent, non-retaliatory, non-discriminatory manner. Testing can be implemented in various ways including temperature screening, questionnaires, self-checks or self-questionnaires. Employers who implement such screening measures need to maintain confidentiality of employee medical information consistent with the requirements of the Americans with Disabilities Act.

Employers do not need to make a record of temperatures or other health information when they screen workers. However, if employers record this information, it may qualify as a medical record under the Access to Employee Exposure and Medical Records standard (29 CFR 1910.1020). If records are made or maintained by a physician, nurse or other health care personnel they will qualify as “medical records” under the Access to Employee Exposure and Medical Records standard. In such circumstances, medical records must be maintained for the duration of each employee’s employment plus 30 years thereafter, and employers must follow confidentiality requirements when maintaining such records.  With respect to the provider, those records, however, are generally not subject to HIPAA, if the provider is creating the record on behalf of the employer and the records will be stored by the employer.  However, as an extra precaution, it is a best practice for providers to obtain HIPAA authorizations from the workers that allow for disclosure to the employer or other individuals, or authorities, as appropriate.

Employers must also adequately protect workers who are screening and testing other workers from exposure to COVID-19. Additional information on how to do so is available here.

From Fox Rothschild’s Privacy Compliance & Data Security blog

The Federal Trade Commission (FTC) has offered tips for data protection during the COVID-19 crisis.

  • Consider privacy and security as you’re developing your products and services, and not after launch. Although we will be flexible and reasonable when it comes to bringing enforcement actions against companies engaged in good faith, thoughtful efforts to address the effects of the pandemic, it doesn’t pay to be in the news for privacy and security problems.
  • Use privacy protective technologies, eg decentralized protocols that allow users to voluntarily share encrypted data directly with epidemiologists.
  • Consider using anonymous, aggregate data. For example, if a consumer has granted you permission to use their location data, you may disclose a heat map of average distances traveled for public health purposes without needing consent.
  • Delete data when the crisis is over. If you tell consumers you’re collecting, analyzing, using, or sharing information for emergency public health purposes, only use it for those purposes, and delete the data when the need is over.

Details from the FTC.

A joint Alert from the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) warns of new cyber attacks targeting COVID-19-related information.

Notably, these attacks succeed when system users have weak or common passwords.  NCSC published frequently found passwords here, many of which are used by cyber criminals to gain access networks that contain sensitive research and health care information.  The Alert warns that cyber criminals have been using “password spraying”, a style of attack in which the attacker tries a common password across many user accounts one time, before moving on to another common password.  By switching among common passwords, the attacker avoids account lockouts.

The HIPAA Security Rules require covered entities and business associates to “protect against any reasonably anticipated threats or hazards to the security” of protected health information and to implement “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” needed to protect against threats.   While workforce training on password management is “addressable”, rather than “required” under the Security Rules, covered entities, business associates and any other entities that maintain COVID-19-related information would be smart to remind users to pick strong passwords.  How about “SkunkSprayStinksStealsSensitiveData2!?”