A recent conversation with a colleague in California prompted me to write this. He said that as part of its back-to-school plan, his children’s elementary school district “highly encouraged” that all students be tested for COVID-19 before returning to class. The district provided families with an in-home saliva test and asked parents to collect their child’s saliva, place the vial in a plastic bag along with some forms containing identifying information, and drop them off at the district offices before the start of school. He was surprised to see that the drop-off box was an open-lidded container on a table outside the entrance to the school district offices. The forms completed by other parents (listing children’s names, insurance information, addresses, etc.) were visible, folded in half inside clear plastic bags along with the samples, but no staff member was stationed at the table to prevent people from peering into the container, removing or reading through the forms. I said that HIPAA most likely does not apply to this health information, but FERPA might (even though the health information on the forms had apparently not yet been recorded into the students’ school records).  Nevertheless, the conversation reminded me that efforts to keep students healthy and safe must account for privacy.

When Ebola was in the public health spotlight, I posted here about a New Jersey elementary school that posted an announcement about two new students arriving from Rwanda.  The post said that the students would be kept at home for 21 days to allay concerns about infecting other students.  The students were not identified by name, and the school admitted that the kids were symptom-free and not from a part of Africa affected by the Ebola outbreak, but the report raised concerns with how schools protect student privacy as well as the health of other students and staff.

Here in my home state of New Jersey, many elementary and secondary schools are open and doing their best to prevent COVID-19 from spreading in the classroom and the community.  The New Jersey Department of Health issued recommendations to local health departments in early September that involve screening of students and staff and collection and reporting of COVID-19 symptoms and test results. As schools around the country grapple with whether and how to get students back into the classroom, it is easy to overlook data privacy requirements, especially when the privacy law that applies to most individually identifiable health information (HIPAA) and the privacy law that applies to most student records (FERPA) differ.

I noted one key difference in the Ebola posting:  HIPAA allows disclosure of protected health information for public health activities, such as to a public health authority that is authorized by law to collect the information to prevent or control disease, but FERPA creates a slightly higher bar to disclosure of identifiable health information contained in a student’s record.  Under FERPA, parents must provide written consent for disclosures of this information, unless an exception applies.  The FERPA “health or safety emergency” exception allows disclosure without parental consent to a public health agency, for example, if the school determines that the public health agency needs the information to protect the health or safety of the students or other individuals.  The school must determine that there is “an articulable and significant threat to the health or safety of students or other individuals” and, within a reasonable period of time after the disclosure, document in the student’s record the threat that formed the basis for the disclosure.  In other words, while reporting the number of students testing positive for COVID-19 might satisfy the FERPA “health or safety emergency” exception, reporting the students’ names or other information might not.

The U.S. Department of Education published FAQs in March 2020 on FERPA and COVID-19, describing the “health or safety emergency” exception that allows reporting to public health departments, as well as when health information can be disclosed to other parties such as parents of other students.  Interestingly, FAQ 7 states that schools can disclose information about a COVID-19 positive teacher or staff member to parents and students, as FERPA only protects information contained in student records, but points out that state privacy laws may apply.  However, it’s worth noting that if the school has a self-funded health plan and receives the information in that capacity, HIPAA would prevent such a disclosure without the individual’s authorization.

Mental Health/substance abuse providers and providers treating HIV/AIDS patients are held to a higher standard when it comes to protecting medical records, requiring additional levels of consent and analysis prior to productions. However, recent settlements published by the Office of Civil Rights of the Department of Health and Human Services (OCR) on September 15, 2020 remind all providers that patients and their authorized representatives have a right to access their records.

Right to Access Initiative:

In 2019 OCR launched the Right to Access Initiative based on concerns that had arisen that health care providers were not responding to request for records in a timely manner. In 2019, OCR’s Right to Access Initiative resulted in financial penalties and corrective action plans for two providers who had failed to provide patients with timely access to their records as required under HIPAA. Bayfront Health St. Petersburg, a Florida hospital, paid $85,000 and adopted a corrective action plan requiring one year of monitoring after a patient’s complaint to OCR led to the release of records nine months after the initial request. Korunda Medical, LLC., a primary care and pain management provider, also in Florida, paid the same amount and agreed to a similar one-year compliance monitoring arrangement as a result of its delays in forwarding records to a third party, failure to provide records in an electronic format, and overcharging for the records.

The Right to Access Initiative suffered a setback on January 23, 2020 when a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual . . . in an electronic format.” Additionally, the court ruled that the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party. Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020). OCR has posted a notice that its previous third party directive guidance is restricted by the Ciox order but also reaffirmed that the right of individuals to access their own records and the fee limitations that apply when exercising this right has not changed.

Five New Settlements:

On September 15, 2020, OCR issued a press release announcing five additional settlements pursuant to its HIPAA Right to Access Initiative. All the settlements involved failure to produce records to just one individual. Three of the five settlements involved providers of mental health/psychiatric services, one provider treated HIV/AIDS patients and one provider helped with pain management. Additionally, three of the five settlement involved continued complaints from the same individual after “technical assistance” had been provided by OCR to the providers. The penalties ranged from $3,500 to $80,000. All providers also agreed to sign corrective action plans requiring government oversight for either one or two years.

These five additional settlements demonstrate that OCR continues to take the issue of right to access seriously, and that a complaint from one individual is enough to trigger monetary penalties and a correction action plan with government monitoring. Providers, including those who provide mental health and substance abuse services, should review their HIPAA policies and procedures and ensure that they are being followed and requested documents are being provided in a timely manner.

A tricky issue for mobile health app developers since the Office for Civil Rights (OCR) released its first “Health App Use Scenarios & HIPAA” guidance back in 2016 has been deciphering whether the developer is a business associate if it offers its app on a consumer-facing basis as well as through covered entities (or their business associates).  I wrote about this at the time, highlighting the “maybe”:  whether a health app is acting as a business associate and subject to HIPAA depends on how an individual accesses the app. If the app is offered by or through a covered entity health plan or health care provider, the health data created, received, maintained or transmitted via the app is subject to HIPAA.  If the same app is accessed as a “direct-to-consumer” product, it is not.

This past week, OCR announced a new resource page for mobile health app developers.   The “maybe” is still there — the resource page includes the same “Health App Use Scenarios & HIPAA” guidance from 2016.  However, the OCR has added  a page on “Access Right, Apps, and APIs” that includes new guidance on the relationship between health apps and HIPAA.   As described in my August 17, 2020 post, the 21st Century Cures Act and implementing regulations adopted this past May generally require health care providers, plans, and many types of health information technology vendors to allow individuals to access electronic health information by way of a mobile health app.   Consumer use of health apps, whether provided by a health care provider, health plan, electronic health records company, or other entity subject to HIPAA, or whether purchased or accessed directly by the consumer without involvement of these persons or entities, is likely to steadily increase.

The “Access Right, Apps, and APIs” guidance includes its own tricky “maybe” when it comes to apps developed by or on behalf of an electronic health records system:

Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?

A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.

If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

Understanding whether HIPAA applies to the information accessed (or created, stored, or sent) in this manner is critical for covered entities, business associates, and individuals alike.  And even though a health app developer that markets directly to consumers may not be providing services on behalf of a covered entity or business associate and not be subject to HIPAA, the developer should make sure the individual using the health app understands how their individually identifiable health information is (and is not) protected.

The Office for Civil Rights within the Department of Health and Human Services (OCR) provided guidance in June that reassured covered entity health care providers and that it is generally OK to use or disclose protected health information (PHI) to contact individuals who have recovered from COVID-19 for case management and care coordination.

The OCR has now updated the guidance (“Guidance”) to clarify that health plans may also use or disclose PHI  for purposes of contacting individuals who have recovered from COVID-19 about donating plasma containing antibodies .  The Guidance also emphasizes neither health care providers nor health plans can receive any payment from or on behalf of a blood or plasma donation center in exchange for making  these communications without first getting each individual’s written authorization.   Accordingly, both types of covered entities must carefully navigate when such outreach is considered “marketing” and requires prior authorization.

The HIPAA regulations define “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service,” unless an exception applies.  Exceptions include situations involving communications for treatment and specified  purposes involving the covered entity’s “health care operations” (as that term is defined in the regulations), as long as the covered entity does not receive “financial remuneration” in exchange for making the communication. The regulations define “financial remuneration” as “any direct or indirect payment from or on behalf of a third party whose product or service is being described,” but does not include “any payment for treatment of an individual.”  45 C.F.R. 164.501.

Interestingly, the Guidance does not precisely track the marketing definition and its exceptions, but interprets the “health care operations” exception for “case management or care coordination … and related functions”  as permitting the use of PHI for this type of outreach, as long as no financial remuneration is involved.

This means that there are certain situations in which a health plan or health care provider that is a covered entity may use and/or disclose PHI of recovered COVID-19 patients to encourage them to donate plasma, and others in which it may not (without first getting the patients’ written HIPAA authorizations):

Allowed:  a covered entity may use member or patient information to contact the covered entity’s own members or patients to encourage them to donate plasma, if: (i) it is to facilitatd the supply of donated plasma would be expected to improve case management for infected individuals; and (ii) the covered entity does not receive financial remuneration from or on behalf of any blood or plasma donation center

 Allowed:  a covered entity may disclose member or patient information to a blood or plasma donation center that is acting as its business associate in order to improve the covered entity’s ability to conduct case management [while not expressly mentioned in the Guidance, if the center pays the covered entity, the existence of a business associate agreement may not protect the center from allegations that it is really an improper marketing arrangement]

X    Not Allowed:  a  covered entity MAY NOT disclose member or patient information to a blood or plasma donation center so that the donation center can reach out to recovered individuals for its own purposes, even if the plan or provider does not receive financial remuneration in exchange for the PHI

X    Not Allowed:  a covered entity MAY NOT use member or patient information to contact those recovered from COVID-19 to encourage them to donate plasma, if the covered entity received financial remuneration from or on behalf of the blood or plasma to make the communication

In all cases, a covered entity that intends to rely upon the Guidance should carefully document all aspects of the planning and execution of the uses and disclosures of member or patient PHI, including the determination as to whether a HIPAA authorization is required, prior to the use or disclosure of PHI related to potential plasma donation.

 

A patient asks her doctor to send her test results to an app the patient has downloaded on her phone.   The doctor worries that the app is not secure and that the patient might not understand the security risks.  What should the doctor do?

Covered entity health care providers and their business associates likely need to update their HIPAA Access Rights Policies and Procedures to address this scenario.  Rules recently adopted by Office of the National Coordinator (ONC) to implement certain provisions of the 21st Century Cures Act prioritize patient choice when it comes to requests for electronic health information (EHI).

According to ONC, the information blocking rule:

[S]trongly encourages providing individuals with information that will assist them in making the best choice for themselves in selecting a third-party application. We believe that allowing actors to provide additional information to individuals about apps will assist individuals as they choose apps to receive their EHI … . Individuals concerned about information privacy and security can gain a better understanding about how the third-party apps are using and storing their EHI, how individuals will be able to exercise any consent options, and more about what individuals are consenting to before they allow the app to receive their EHI.  Practices that purport to educate patients about the privacy and security practices of applications and parties to whom a patient chooses to receive their EHI may be reviewed by OIG or ONC, as applicable, if there was a claim of information blocking. However, we believe it is unlikely these practices would interfere with the access, exchange, and use of EHI if they meet certain criteria.

ONC warns that information provided to the patient about the privacy or security of the app must:

  1. Focus on any current privacy and/or security risks posed by the technology or the third-party developer of the technology;
  2. Be factually accurate, unbiased, objective, and not unfair or deceptive; and
  3. Be provided in a non-discriminatory manner. For example, all third-party apps must be treated the same way in terms of whether or not information is provided to individuals about the privacy and security practices employed.

Ultimately, it is the individual’s decision as to whether to use the app to access health information:

To be clear, an actor [such as a provider or its business associate] may not prevent an individual from deciding to provide its EHI to a technology developer or app despite any risks noted regarding the app itself or the third party developer.

The following post is adapted from an article written by Fox Rothschild attorneys Wayne Pinksone and Lucy Li, available here.

OSHA recently published guidance for “nonessential businesses” that are intending to reopen and allow their employees to return to work. This guidance is intended to supplement the U.S. Department of Labor and U.S. Department of Health and Human Services’ existing Guidance on Preparing Workplaces for COVID-19 and the White House’s Guidelines for Opening up America Again. Additionally, employers should continue to monitor state and local guidelines for best practices for worker protection. We discuss some key highlights from OSHA’s recent guidance below.

A Three-Phase Reopening Plan

Generally, OSHA has suggested a three-phase reopening plan:

Phase 1: Employers should keep telework available for employees when feasible and appropriate. Maintaining strict social distancing practices for employees returning to the office is imperative and may require limiting the number of returning employees. Employers should remain flexible in making accommodations for those who are high-risk, elderly individuals and those with underlying health conditions. Nonessential business travel should be limited.

Phase 2: The most notable difference from “Phase 1” is that nonessential business travel may resume. Employers should continue to allow telework if feasible and should maintain social distancing practices.

Phase 3: The final phase is a removal of all restrictions and the recommencement of normal business operations.

Transitioning from one phase to the next is based on geographical prevalence of COVID-19. But in general, employers should follow all applicable guidance from local, state and federal authorities when determining when to reopen and/or transition to subsequent phases.

Testing or Screening for COVID-19 Symptoms

Per OSHA’s guidance, employers are permitted to conduct worksite SARS-CoV-2 testing, temperature checks and other health screens. Employers who conduct testing must do so in a transparent, non-retaliatory, non-discriminatory manner. Testing can be implemented in various ways including temperature screening, questionnaires, self-checks or self-questionnaires. Employers who implement such screening measures need to maintain confidentiality of employee medical information consistent with the requirements of the Americans with Disabilities Act.

Employers do not need to make a record of temperatures or other health information when they screen workers. However, if employers record this information, it may qualify as a medical record under the Access to Employee Exposure and Medical Records standard (29 CFR 1910.1020). If records are made or maintained by a physician, nurse or other health care personnel they will qualify as “medical records” under the Access to Employee Exposure and Medical Records standard. In such circumstances, medical records must be maintained for the duration of each employee’s employment plus 30 years thereafter, and employers must follow confidentiality requirements when maintaining such records.  With respect to the provider, those records, however, are generally not subject to HIPAA, if the provider is creating the record on behalf of the employer and the records will be stored by the employer.  However, as an extra precaution, it is a best practice for providers to obtain HIPAA authorizations from the workers that allow for disclosure to the employer or other individuals, or authorities, as appropriate.

Employers must also adequately protect workers who are screening and testing other workers from exposure to COVID-19. Additional information on how to do so is available here.

From Fox Rothschild’s Privacy Compliance & Data Security blog

The Federal Trade Commission (FTC) has offered tips for data protection during the COVID-19 crisis.

  • Consider privacy and security as you’re developing your products and services, and not after launch. Although we will be flexible and reasonable when it comes to bringing enforcement actions against companies engaged in good faith, thoughtful efforts to address the effects of the pandemic, it doesn’t pay to be in the news for privacy and security problems.
  • Use privacy protective technologies, eg decentralized protocols that allow users to voluntarily share encrypted data directly with epidemiologists.
  • Consider using anonymous, aggregate data. For example, if a consumer has granted you permission to use their location data, you may disclose a heat map of average distances traveled for public health purposes without needing consent.
  • Delete data when the crisis is over. If you tell consumers you’re collecting, analyzing, using, or sharing information for emergency public health purposes, only use it for those purposes, and delete the data when the need is over.

Details from the FTC.

A joint Alert from the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) warns of new cyber attacks targeting COVID-19-related information.

Notably, these attacks succeed when system users have weak or common passwords.  NCSC published frequently found passwords here, many of which are used by cyber criminals to gain access networks that contain sensitive research and health care information.  The Alert warns that cyber criminals have been using “password spraying”, a style of attack in which the attacker tries a common password across many user accounts one time, before moving on to another common password.  By switching among common passwords, the attacker avoids account lockouts.

The HIPAA Security Rules require covered entities and business associates to “protect against any reasonably anticipated threats or hazards to the security” of protected health information and to implement “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” needed to protect against threats.   While workforce training on password management is “addressable”, rather than “required” under the Security Rules, covered entities, business associates and any other entities that maintain COVID-19-related information would be smart to remind users to pick strong passwords.  How about “SkunkSprayStinksStealsSensitiveData2!?”

Fox Rothschild LLP partner Beth Larkin listened to the HHS Office for Civil Rights 4/24/20 webinar (which should be posted on its website at some point) regarding HIPAA and COVID-19 and took notes. Here’s my summary of key points, based on Beth’s notes:

Overview: OCR stresses that the HIPAA Rules are supposed to be balanced and flexible.  The HIPAA Rules do not prohibit sharing PHI, they just require covered entities and business associates to take appropriate steps to safeguard PHI in accordance with the HIPAA Rules.

OCR has issued HIPAA non-enforcement notices related to some of the topics covered in the webinar (on telehealth, community-based testing sites (CBTS) and business associate disclosure of PHI for public health purposes) and guidance (such as FAQs) related to other topics covered (on first responders and disclosures to family and friends involved in care and for notification purposes).   The non-enforcement notices apply to all HIPAA Rules, not just the Privacy Rule.  OCR’s HIPAA non-enforcement is based on a covered entity’s and business associate’s good faith efforts to comply with the non-enforcement notice. . OCR non-enforcement notices will not apply once the public health emergency is over, but OCR can still use its enforcement discretion. OCR tends to try to resolve complaints and investigations with technical assistance. Penalties are generally issued with respect to systemic non-compliance and egregious violations.

OCR will continue to issue COVID-19 guidance as needed. OCR puts all of its COVID-19 HIPAA information, including the non-enforcement notices and guidance discussed here (collectively “OCR guidance” for purposes of this blog), in a new HIPAA and COVID-19 section on its website.  Questions can be submitted to ocrmail@hhs.gov or by calling OCR number of 1-800-368-1019.  OCR reads through all of the emails/questions received and issues guidance based on emails/questions.

Remember that state laws may be more stringent and will also apply for HIPAA Covered Entity providers (“CE providers”) and Business Associates.

Key Points:

  • Public Health Requests and Minimum Necessary: If CDC or another public health authority makes a request for COVID-19 information from a CE provider for public health reasons, the CE provider can rely on the fact that the request meets the “minimum necessary” requirement, and can continue to provide the PHI over a period of time in response to the initial request (e.g., reporting may be required weekly- a new agency request not needed each time)
  • Public Health Activities and Business Associates: OCR will exercise enforcement discretion so that a business associate may use or disclose PHI for public health activities or health oversight activities, even if its business associate agreement does not expressly permit that use or disclosure
  • Media Disclosures: OCR stressed that disclosures to the media still generally require patient authorization.  CE providers still need to be careful and take appropriate precautions against media disclosures (e.g., be careful when news crews are filming COVID-19 stories).  OCR watches and reads the news too.
  • Telehealth:  OCR’s non-enforcement applies to all media that OCR considers “telehealth,” including online video, telephone, texts and emails.  It also applies to all health care rendered via telehealth, not just COVID-19 care.  A CE provider must use non-public facing methods of communication, enable privacy and security protections, and notify patients that there is a privacy/security risk.  While no business associate agreement (BAA) with the communications service provider is required, a number of service providers have stated that they operate in compliance with HIPAA and will provide BAAs.  CE providers should take reasonable precautions for patient privacy (e.g., close office door, lower voice).  While the OCR guidance does not apply to Part 2 Rules, OCR noted that SAMSHA has issued some guidance on telehealth under Part 2 Rules.
  • First Responders:  OCR’s guidance addresses exceptions that already apply, such that patient authorization is not required (e.g., disclosures for treatment, public health purposes, where required by law, and where there’s a serious imminent threat to the health and safety of a person or the public, ).   OCR allows CE providers like hospitals to release lists of COVID-19 positive individuals to EMS dispatch for purposes of notifying first responders on a case-by-case basis if there is a risk of infection (EMS can tell first responders being dispatched to a patient that the patient is COVID-19 positive but can’t post the list or distribute the list to first responders).  EMS can also ask 911 callers about COVID-19 symptoms and notify first responders. (EMS may not be a CE provider.)
  • COVID-19 Community-Based Testing Sites:   OCR’s non-enforcement only applies to the CBTS, not other services or activities of the CE providers or its business associates (including storage of testing results in an electronic records system). OCR recognizes that it’s hard to comply with HIPAA Rules when testing is being done in a parking lot or on a drive-thru basis. Reasonable safeguards (e.g., buffer zones, tarps or barriers used to add privacy, and secure technology) are still encouraged for CBTS.

 

 

Cyber security

The New York Attorney General has issued a warning to healthcare providers, hospitals, and other organizations within the health supply chain that cyber criminals are using targeted COVID-19 phishing emails and texts to gain access to sensitive information.  Multiple reports indicate that scammers are sending emails and texts to get a recipient to click on a link purporting to share COVID-19 information that in reality installs malware or permits access to steal passwords and other sensitive information.

Details in this post by Caroline Morgan on Fox Rothschild’s Privacy Compliance & Data Security blog.