The FAQs included in my prior post address  employer response with an eye to HIPAA compliance.  What else can an employer do or not do with employee information related to COVID-19 status?   Even covered entities and business associates concerned with HIPAA must be alert to other laws that affect their communications and action plans.   Employers should check with labor counsel for laws and requirements that may apply.  Employers should also be aware that state-specific privacy and data security laws may apply to the collection, retention, use and disclosure of health information.

See here for a recent article on workplace considerations related to Coronavirus published by Fox Rothschild LLP colleagues who practice in our Labor and Employment practice.

Fox Rothschild partner Bill Maruca’s article, “Protecting Privacy During an Infectious Disease Panic”, is (unfortunately) as relevant today as it was when it was posted here more than 5 years ago. Swap Ebola for COVID-19, and the article provides useful guidance for covered entities and business associates subject to HIPAA and to employers, family and friends who are not.

More recently, the U.S. Department of Health and Human Services published a Bulletin that emphasizes the important and HIPAA-permitted circumstances under which COVID-19 patients’ information may be disclosed.

Key take-aways from Bill’s article and from the HHS Bulletin include: (1) only covered entities and business associates (and their subcontractors) are subject to HIPAA, and (2) HIPAA allows disclosures under certain circumstances, such as where disclosures are necessary to prevent a serious and imminent threat and are consistent with applicable law and covered entities’ standards or codes of conduct.

The following FAQs illustrate these take-aways (note that these focus on HIPAA only and not on other potentially applicable laws, such as employment-related laws and state privacy laws):

Q.1.     I work in HR at my company. An employee came to me this morning and told me that his adult son, who resides with the employee, tested positive for Coronavirus this past weekend. Will I violate HIPAA if I tell my supervisor with or without consent of the adult son or the employee? Can my supervisor alert other employees in the office?

A.1.     You will not violate HIPAA by telling your supervisor, and your supervisor will not violate HIPAA by alerting other employees. Neither you nor your supervisor is a covered entity, business associate, or subcontractor (but see next FAQ) and so HIPAA does not apply.

Q.2.     I work in HR at my company and am responsible for overseeing our self-funded group health plan. Same facts and questions as above.

A.2.    Because you have HIPAA obligations due to your role with respect to the company’s group health plan (which is a covered entity under HIPAA), you need to be cautious with respect to this information.  We recommend you consult your HIPAA Privacy Officer or HIPAA counsel regarding the disclosure by the employee to you and the circumstances of the disclosure to determine whether HIPAA applies and if it does, whether HIPAA would allow you to inform your supervisor.     

Q.3.     I work in HR at my company and am responsible for overseeing our self-funded group health plan. I reviewed a claim for services rendered by a hospital to an employee who has been out of work due to illness for the past several weeks. The claim included diagnosis codes that suggest the employee was treated for COVID-19. Can I tell my supervisor? Can my supervisor alert other employees?

A.3.     HIPAA applies to your communications regarding protected health information (PHI), so you must proceed with caution. HIPAA permits the disclosure of PHI if it is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public, and it is consistent with other applicable law. However, it does not appear that you have sufficient information to rely upon this “serious and imminent threat” exception as the basis for disclosure. You do not know that the patient had tested positive for Coronavirus or was treated for COVID-19, nor have you demonstrated how notification would prevent a serious and imminent threat (the employee has not been in the office for several weeks). This situation clearly calls for further consultation with knowledgeable medical and/or legal professionals.

Fellow Fox Rothschild LLP Partner (and former hospital system General Counsel) Salvatore J. Russo generously contributed this post.

Some twenty-three years ago, the first well-publicized incident of the re-identification of de-identified personal health data was brought to the attention of the American public. It involved the then governor of Massachusetts, William Weld. Dr. Latanya Sweeney, a graduate student from MIT, combined de-identified hospital data with the publicly available Cambridge voter registration list; by linking the two data sets she turned de-identified data back into identifiable data and located the Governor’s health records, including diagnoses and prescriptions.

In 2008, after Netflix publicly released movie rating records, two researchers from the University of Texas, Arvind Narayanan and Vitaly Shmatikov, matched the released data with the Internet Movie Database and successfully re-identified the users. In 2018, using publicly available Amazon review data, a group from MIT re-identified persons from the Netflix dataset.

Finally, it was reported in the December 2018 issue of the Journal of the American Medical Association that researchers from the United States and China collaborated on a project to re-identify individuals from a national de-identified physical activity data set. Using a machine-learning algorithm to pair daily patterns in the physical activity data with corresponding demographic data, they were fairly successful in de-anonymizing the information.

HIPAA seeks, among other things, to protect the privacy of health information through de-identification. HIPAA’s gold standard for de-identifying protected health information can be met in one of two ways: by stripping the 18 types of identifiers from the protected health information (the safe harbor method), or by an expert’s determination that the risk of identification is very small. Given the incidents above, this approach must be reconsidered. Moreover, HIPAA governs only “covered entities,” not the vast array of business enterprises that possess private health information.
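As an added illustration of the two de-identification routes just described (example code, not from the original post), the following Python applies the Safe Harbor generalizations to the quasi-identifiers of a constructed discharge extract and then counts how many records are still unique, the kind of residual-risk measurement an expert determination would make. The records, the low-population ZIP3 set and the reference year are all assumed inputs.

```python
"""Added example, not from the original post: apply HIPAA Safe Harbor
generalizations to a record's quasi-identifiers, then measure residual
re-identification risk with a k-anonymity count.  All records below are
constructed; the low-population ZIP3 set is an assumed input."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Record:
    zip5: str
    birth_date: str   # ISO YYYY-MM-DD
    sex: str
    diagnosis: str    # payload, not an identifier


# Constructed discharge extract: direct identifiers (name, MRN, ...)
# already removed, but quasi-identifiers still at full precision.
RECORDS = [
    Record("02138", "1945-07-31", "M", "hypertension"),
    Record("02138", "1945-07-31", "M", "arrhythmia"),
    Record("02139", "1961-02-14", "F", "asthma"),
    Record("02139", "1963-11-03", "F", "asthma"),
    Record("02140", "1925-01-09", "F", "diabetes"),
    Record("02140", "1991-05-22", "M", "fracture"),
    Record("02140", "1993-09-30", "M", "fracture"),
    Record("59501", "1988-12-12", "F", "migraine"),
]

# Assumption for this example: ZIP3 areas with 20,000 or fewer residents.
# In practice this set is derived from current Census data.
LOW_POPULATION_ZIP3 = {"595"}
REFERENCE_YEAR = 2020  # assumed year of release


def raw_key(r: Record) -> tuple:
    """Quasi-identifiers as they would be released with no de-identification."""
    return (r.zip5, r.birth_date, r.sex)


def safe_harbor_key(r: Record) -> tuple:
    """Safe Harbor (45 CFR 164.514(b)(2)): ZIP truncated to three digits,
    or 000 for a low-population area; dates reduced to the year, expressed
    here as an age; ages over 89 collapsed into a single '90+' category."""
    zip3 = r.zip5[:3]
    if zip3 in LOW_POPULATION_ZIP3:
        zip3 = "000"
    age = REFERENCE_YEAR - int(r.birth_date[:4])
    age_str = "90+" if age > 89 else str(age)
    return (zip3, age_str, r.sex)


def banded_key(r: Record) -> tuple:
    """A further generalization an expert determination might impose:
    ten-year age bands instead of an exact age."""
    zip3, age_str, sex = safe_harbor_key(r)
    if age_str != "90+":
        lo = (int(age_str) // 10) * 10
        age_str = f"{lo}-{lo + 9}"
    return (zip3, age_str, sex)


def k_anonymity(records: Iterable[Record],
                key: Callable[[Record], tuple]) -> tuple:
    """Return (k, singletons): k is the size of the smallest group of records
    sharing the same quasi-identifier values; singletons is the number of
    records alone in their group, i.e. unique and trivially linkable."""
    counts = Counter(key(r) for r in records)
    if not counts:
        return (0, 0)
    return (min(counts.values()), sum(1 for c in counts.values() if c == 1))


def risk_report(records) -> dict:
    """Residual risk under each release strategy."""
    return {
        "raw": k_anonymity(records, raw_key),
        "safe_harbor": k_anonymity(records, safe_harbor_key),
        "safe_harbor_banded": k_anonymity(records, banded_key),
    }


if __name__ == "__main__":
    for name, (k, singles) in risk_report(RECORDS).items():
        print(f"{name:20s} k={k} unique_records={singles}")
```

On this small extract, Safe Harbor stripping leaves as many unique records as the raw data did, and even ten-year age bands leave two records unique, which is why the expert-determination route evaluates risk against the actual data rather than a fixed checklist.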

It is the development of big data and advances in artificial intelligence that are truly the game changers in discussion of de-identification and privacy.  These two forces create a major concern for safeguarding private health information where sophisticated companies with large repositories of big data combine with health care systems with the goal of improving medical care.

The dilemma that regulators must confront going forward, particularly in the context of personal health data, is how to strike a balance between providing adequate privacy protections and not imposing unnecessary barriers to the medical advances that result from AI and big data.

Society must engage in a policy cost-benefit-risk analysis to inform that conversation. Risk tolerance is the pivotal judgment: what cost does society wish to pay to protect privacy?

In view of the rapid advances in AI, and the continuing amassing of personal health data, absolute personal health privacy protection may be elusive while we seek the medical benefits obtained from the intersection of AI with big data.  Maybe certainty and absolute guarantees should not be the goal.  However, we must strive for a standard that we can live with that reasonably protects our personal health information from unconsented disclosure.

If you are a covered entity who experienced a breach of unsecured protected health information affecting fewer than 500 individuals, you must notify the Office for Civil Rights (OCR) of the Department of Health and Human Services of the breach within 60 days of the end of the calendar year in which the breach was discovered. For breaches that occurred in calendar year 2019, that deadline is February 29, 2020.

To report a breach, go to the Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, which is at   That link will take you to a step-by-step process which walks you through how to submit the required disclosures.  Since you cannot move past a screen on this site without entering data, you may want to download and print this OCR document which lists all the information you will need for your report:

Note that you must submit the notice electronically via the OCR portal.

Also note that a covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals.  A covered entity may report such breaches at the time they are discovered.

You may report all of your breaches affecting fewer than 500 individuals on one date, but you must complete a separate notice for each breach incident.

If you are a business associate who is required to report breaches on behalf of a covered entity under the terms of the applicable business associate agreement, you may also use this portal.

The answer to this question has changed yet again. I’ve blogged on this topic several times in the past (see here, here and here), and described the question as a wriggling worm. Plaintiff Ciox Health, LLC has finally managed to catch that worm and share its bounty among those looking to charge third-party requestors more than the limited “reasonable, cost-based fee” that may be charged to individuals.

On January 23, 2020, a federal court found in favor of plaintiff Ciox, a specialized medical records processing vendor, on its challenge to 2016 Guidance issued by the U.S. Department of Health and Human Services. The 2016 Guidance provided, among other things, that when either an individual requests copies of his or her medical records or a third party requests copies on behalf of the individual, the amount that can be charged is limited to a “reasonable, cost-based” fee. According to Ciox’s President of Life Sciences (and as noted in the court’s decision), the effect of the 2016 Guidance was to cause law firms and other third parties to use the individual access request, with its “reasonable, cost-based fee” limitation, as the means to request patient records, rather than having individuals sign HIPAA authorizations, which implicate only state law fee caps (if any). The frequency of records requests made by third parties on behalf of individuals (“third-party directives”) increased by nearly 700 percent following the issuance of the 2016 Guidance.

HHS published an “Important Notice Regarding Individuals’ Right of Access to Health Records” on January 28, 2020, noting the Ciox decision and the fact that the “reasonable, cost-based fee” limitation no longer applies to third party directives. In addition, the records are not required to be produced in electronic format in response to a third-party directive.

What does this mean for covered entities and business associates trying to figure out how to respond to a HIPAA authorization, an individual access request, or a third-party directive?

Consider who is making the records request and where the records are to be sent. If the individual who is the subject of the records wants copies transmitted electronically to the individual, treat the request as an access request. If a third party seeks the records, it is likely sufficient to provide the third party with a HIPAA authorization form and treat the request as a third-party directive. However, if the individual initiates the request and wants the records sent to a third party, it may be prudent to treat the request as an access request, limiting fees and endeavoring to comply with requests to transmit records in electronic format. Don’t dangle the Ciox worm in front of individuals seeking their own medical records.

As she has done for a number of years now, our good friend Marla Durben Hirsch highlighted Fox Rothschild (Fox) lawyers in her annual predictions articles in the January 2020 issue of Medical Practice Compliance Alert (MPCA).  In her first article entitled “Technology will propel compliance trends in 2020”, Marla included the following quotes for Fox attorneys on a number of prediction items:

In making a prediction “Ransomware will not abate”, Fox partner William Maruca stated, “Cybersecurity attacks will ramp up as hackers get even more sophisticated.” Fox partner Elizabeth Litten added, “Practices that entrust all of their data to one cloud vendor are particularly vulnerable.  The HHS Office for Civil Rights (OCR) issued yet another notice about ransomware in December 2019, which indicates that this will be high on its radar in 2020.”

In making another prediction “Ownership transfers will subject practices to scrutiny”, Maruca observed, “Private equity investments will restructure practices and create new compensation arrangements, which may lead to compliance scrutiny.” Michael Kline, another Fox partner added, “Physician retirement, mergers and closures of practices may raise issues related to ownership, responsibility for medical records and more.”

In making another prediction “The focus on interoperability of patient records will increase”,  Litten warned, “Physicians will face more pressure to transmit and receive electronic patient information seamlessly and to provide patients with easier access to their records. . . . Rules implementing the 21st Century Cures Act will impose additional requirements on data sharing and penalties for information blocking. The government wants to see interoperability.”

Marla also wrote a companion article in the January 2020 issue of MPCA entitled “MPCA’s expert sources earn another perfect predictions score”, in which she reported on results of her predictions article in the January 2019 issue of MPCA, which included Fox attorney predictions.

Litten’s 2019 prediction “States will step up privacy and security regulations,” has proven to be true, as California and other states are picking up the slack for inaction by Congress. Litten warned, “It’s not enough to be HIPAA compliant. This will be an increasing headache.” (This 2019 prediction continues to be true for 2020, as medical practices and other healthcare providers will likely find themselves confronted by multiple new, complex, confusing and often conflicting federal and state rules on the privacy and security of medical records.)

Kline’s 2019 prediction “Apps and other health data devices will bring more compliance issues” has proven to be true, according to Marla.  Kline was quoted, “There is increased concern regarding how health data is being used and whether it’s protected under any laws.”  (Indeed, even with the spate of new state regulations described in the immediately preceding paragraph, the pace of change and complexity respecting health data will continue to accelerate and challenge healthcare providers.)

We wish to thank Marla for the opportunity of participating in her predictions articles. It remains to be seen whether the predictions for 20/20 provide a “clear vision” of future directions in health information privacy and security.

On the sixth day of CCPA the California Senate Health Committee gave to me … a HIPAA carve-out.

AB 713, reported favorably by the California Senate Health Committee, would expand the exemption related to HIPAA and medical research.

Specific carve-outs:
  • De-identified PHI or medical information, provided that the business does not attempt nor actually re-identify the information
  • “Business associates”
  • Personal information collected for, or used in, biomedical research subject to institutional review board standards and the Common Rule.
  • Personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the information is either individually identifiable health information or medical information.
Additional change:

Required disclosure, in the privacy notice, of whether information de-identified under HIPAA has been disclosed in the preceding 12 months and if so, whether it had been de-identified using the “expert method” or the “safe harbor method.”

For additional insights on the interplay between HIPAA and CCPA, check out previous posts on this blog looking at health organizations’ overall exposure to CCPA and the law’s interaction with HIPAA, as well as the California Attorney General’s comments that his office would focus early enforcement efforts on how large companies handle sensitive personal information such as PHI.

Details on the Senate Amendment are available on the California Legislative Information website.

More than eleven years have passed since the U.S. Department of Health and Human Services (HHS), the agency responsible for the privacy of protected health information under HIPAA, and the U.S. Department of Education (DOE), the agency responsible for the privacy of student records under FERPA, issued joint guidance on the interplay between HIPAA and FERPA.

New joint guidance issued earlier this month (the “2019 Update”) provides updates and helpful clarifications as to when and how HIPAA and FERPA apply. The following 6 topics caught my attention:

  1. Emergency Situations.  A new section on when disclosures may be made in emergency situations under HIPAA paraphrases a 2014 HHS Bulletin and FAQ issued, respectively, following the Ebola outbreak and questions about disclosure standards in the wake of the shooting at the Pulse Nightclub in Orlando (see here for my 2016 post on this topic). It also incorporates DOE guidance and regulatory preamble statements concerning disclosure of FERPA-protected information in the event of a health or safety emergency.
  2. School-Employed Health Care Providers. The 2019 Update also includes a clarified description of when a school that employs a health care provider and conducts covered transactions electronically is subject to the FERPA privacy standards instead of the HIPAA privacy standards. The prior guidance stated that even when a school is a covered entity under HIPAA, it might not have protected health information. The 2019 Update more helpfully states that compliance with “the HIPAA Rules” is not required where the school’s only health records are considered “education records” or “treatment records” under FERPA (note that the 2019 Update would be even more helpful if it added the word “Privacy” between “HIPAA” and “Rules”, since the school would still be subject to the HIPAA “Transactions Rule” when submitting claims electronically).
  3. University-Affiliated Hospitals and Clinics. Records maintained by a hospital affiliated with a university that is subject to FERPA are generally subject to HIPAA because the hospital provides health services to individuals regardless of whether they are students of the university. On the other hand, if the hospital runs a separate student health clinic, those clinic records are subject to FERPA as either “education records” or “treatment records”.
  4. Disclosure for Treatment, Payment and “Legitimate Educational Interests” Purposes. Under FERPA, “treatment records” (see 34 C.F.R. 99.3) must be made, maintained, and used only in connection with treatment. They can be disclosed to treating health care professionals who are not part of or acting on behalf of the school, if used solely for treatment. However, if the records are used for billing, they are “education records” and, unless another FERPA exception applies, cannot be disclosed without the prior written consent of the parent or eligible student (meaning a student who reaches the age of 18 or attends a postsecondary institution). However, schools can share information, including health and medical information, from a student’s education record without prior written consent with teachers and other school officials if they have “legitimate educational interests” in the information pursuant to FERPA regulations and the school’s annual notification of FERPA rights. On the other hand, HIPAA allows protected health information to be disclosed to a health plan for payment purposes without the individual’s prior written consent, and for other purposes as permitted under the HIPAA regulations and in accordance with the covered entity’s notice of privacy practices.
  5. Disclosure to Parents. Under FERPA, a physician at a university-operated health clinic may disclose information from the education records of an eligible student without the student’s consent: (i) if the student is claimed as a dependent for federal tax purposes; (ii) in connection with a health or safety emergency if disclosure is needed to protect the student or other persons; or (iii) if the eligible student is under the age of 21, disclosing that the student has committed a disciplinary violation related to the use or possession of alcohol or a controlled substance. FERPA also allows an educational agency or institution to disclose education records of a deceased eligible student to the parent or other third party “at its discretion or consistent with State law.” The privacy rights of a non-eligible student rest with the parent(s), but once the “parents are deceased, the records are no longer protected by FERPA.” On the other hand, HIPAA generally allows covered entities to disclose protected health information about a minor child to the child’s parent or personal representative when consistent with State law. However, if the minor is permitted to receive treatment without a parent’s consent under State law, HIPAA only permits parental disclosure in limited situations, like when the minor presents a serious danger to self or others. With respect to deceased students, HIPAA defers to applicable State law to determine who can make disclosure decisions following death.
  6. Disclosure to the National Instant Criminal Background Check System (NICS). While HIPAA generally does not permit a school-based health care provider to report a student to NICS (see here for Fox partner Bill Maruca’s post on this topic), FERPA generally permits the records of a law enforcement unit of an educational agency or institution to be reported to NICS without prior written consent.

These 6 topics and the related clarifications reveal two sobering realities. First, in this age of mass shootings and public health emergencies, there’s a risk that efforts to comply with privacy laws will get in the way of effective emergency response. Second, the inconsistencies and complexity of various U.S. privacy laws are likely to mean continued confusion, despite the best efforts of HHS, DOE, and other state and federal agencies to provide clarification.

It’s that time again for year-in-review articles. On December 16, 2019, Modern Healthcare published an infographic that compares HIPAA breaches which occurred in 2019 to aggregate breach statistics from 2010-2018. The 2019 data was analyzed through the end of November. A few interesting trends appear. Let’s go to the numbers:

Breaches by Location:

In 2019, 40% of breaches involved email, compared to only 13% during 2010-2018.  This may suggest an increase in phishing and more sophisticated “spear-phishing” techniques.  Privacy officers should alert their organizations to be more vigilant about clicking links and opening emails from unverified sources, even where the emails look deceptively legitimate.

Network server breaches were up slightly, from 16% to 22%.

Laptop-related breaches are down sharply, from 12% to only 3%, and desktop computer breaches are down from 6% to 3%.  This could mean more covered entities and business associates are using appropriate encryption, or may also reflect migration of data to the cloud instead of storing it on laptops and desktop computers.

Electronic medical record breaches are steady, declining slightly from 4% to 3%.

Breaches by Type:

Hacking/IT Incidents represented 57% of breaches in 2019, up sharply from 22% for the prior 8 years. Coupled with the email breach increase, this trend suggests infiltration or malware-related breaches that are enabled by inattention to best practices, both in terms of recognizing and resisting phishing attempts and in failing to maintain up-to-date security measures.

Unauthorized access/disclosure remains steady, representing 30% for 2019 versus 28% for the prior 8 years.

Theft is down significantly, from 33% to only 7%. Once again, just as bank robbers go where the money is, hackers go where the data is, and that is increasingly in the cloud.

Improper disposal is a minor factor, only 1% in 2019, down from 3%.

Breaches by Month:

The report also tracked the average number of individuals affected per breach by month reported.  A significant spike occurred in July, 2019, representing the second-highest reported number of individuals affected by healthcare breaches since 2010.  This anomaly was attributed largely to a massive data breach at billing collections vendor American Medical Collection Agency that affected nearly 20 million individuals.

The wrap-up:

Statistics can be misleading, but if these trends continue, expect more issues involving email scams, malware that can infect systems via email and similar approaches, and unauthorized access, all of which focus on what is often the weakest link in any system – between the chair and the keyboard.

As Fox partner Odia Kagan posted yesterday, early enforcement of CCPA will focus on data related to kids.   In addition, according to a recent article in the San Francisco Chronicle, the California Attorney General will focus on how large companies that deal with sensitive information, including health data, comply with CCPA.

A post this past summer warned that compliance with HIPAA or California’s Confidentiality of Medical Information Act (CMIA) does not give a free pass for HIPAA-regulated covered entities, business associates, or subcontractors or CMIA-regulated providers to ignore CCPA. CCPA does not apply to protected health information governed by HIPAA or to medical information governed by CMIA. CCPA also does not apply to a covered entity subject to HIPAA or a provider of health care subject to CMIA, but there’s a caveat: the covered entity or provider must maintain “patient information in the same manner as medical information [maintained under CMIA] or protected health information [maintained under HIPAA].”

This exclusion leaves HIPAA business associates and subcontractors that are otherwise in scope for CCPA out in the cold. It also forces covered entities and CMIA providers to make sure they maintain all personal information that might also be “patient information” in the same manner as they maintain protected health information and medical information.

For example, if a consumer (who also happens to be a patient or who later becomes a patient) checks out a health care facility’s website to see if a particular type of care is offered or to get directions to the facility, it is unlikely that the data collected as a result of the consumer’s use of the website is maintained “in the same manner” as protected health information. If the facility sells this data (say, perhaps, hits on a sleep center page to a mattress or sleep aid manufacturer) and the AG views the data as sensitive health data, the fact that the facility complies with HIPAA with respect to its maintenance of protected health information is likely not going to impress the AG.

Although the California AG will not commence enforcement activities until July 2020, entities subject to HIPAA or CMIA should take note of the AG’s comments and evaluate the need for CCPA compliance now.