A patient asks her doctor to send her test results to an app the patient has downloaded on her phone.  The doctor worries that the app is not secure and that the patient might not understand the security risks.  What should the doctor do?

Covered entity health care providers and their business associates likely need to update their HIPAA Access Rights Policies and Procedures to address this scenario.  Rules recently adopted by the Office of the National Coordinator (ONC) to implement certain provisions of the 21st Century Cures Act prioritize patient choice when it comes to requests for electronic health information (EHI).

According to ONC, the information blocking rule:

[S]trongly encourages providing individuals with information that will assist them in making the best choice for themselves in selecting a third-party application. We believe that allowing actors to provide additional information to individuals about apps will assist individuals as they choose apps to receive their EHI … . Individuals concerned about information privacy and security can gain a better understanding about how the third-party apps are using and storing their EHI, how individuals will be able to exercise any consent options, and more about what individuals are consenting to before they allow the app to receive their EHI.  Practices that purport to educate patients about the privacy and security practices of applications and parties to whom a patient chooses to receive their EHI may be reviewed by OIG or ONC, as applicable, if there was a claim of information blocking. However, we believe it is unlikely these practices would interfere with the access, exchange, and use of EHI if they meet certain criteria.

ONC warns that information provided to the patient about the privacy or security of the app must:

  1. Focus on any current privacy and/or security risks posed by the technology or the third-party developer of the technology;
  2. Be factually accurate, unbiased, objective, and not unfair or deceptive; and
  3. Be provided in a non-discriminatory manner. For example, all third-party apps must be treated the same way in terms of whether or not information is provided to individuals about the privacy and security practices employed.

Ultimately, it is the individual’s decision as to whether to use the app to access health information:

To be clear, an actor [such as a provider or its business associate] may not prevent an individual from deciding to provide its EHI to a technology developer or app despite any risks noted regarding the app itself or the third party developer.

The following post is adapted from an article written by Fox Rothschild attorneys Wayne Pinksone and Lucy Li, available here.

OSHA recently published guidance for “nonessential businesses” that are intending to reopen and allow their employees to return to work. This guidance is intended to supplement the U.S. Department of Labor and U.S. Department of Health and Human Services’ existing Guidance on Preparing Workplaces for COVID-19 and the White House’s Guidelines for Opening up America Again. Additionally, employers should continue to monitor state and local guidelines for best practices for worker protection. We discuss some key highlights from OSHA’s recent guidance below.

A Three-Phase Reopening Plan

Generally, OSHA has suggested a three-phase reopening plan:

Phase 1: Employers should keep telework available for employees when feasible and appropriate. Maintaining strict social distancing practices for employees returning to the office is imperative and may require limiting the number of returning employees. Employers should remain flexible in making accommodations for those who are high-risk, elderly individuals and those with underlying health conditions. Nonessential business travel should be limited.

Phase 2: The most notable difference from “Phase 1” is that nonessential business travel may resume. Employers should continue to allow telework if feasible and should maintain social distancing practices.

Phase 3: The final phase is a removal of all restrictions and the recommencement of normal business operations.

Transitioning from one phase to the next is based on geographical prevalence of COVID-19. But in general, employers should follow all applicable guidance from local, state and federal authorities when determining when to reopen and/or transition to subsequent phases.

Testing or Screening for COVID-19 Symptoms

Per OSHA’s guidance, employers are permitted to conduct worksite SARS-CoV-2 testing, temperature checks and other health screens. Employers who conduct testing must do so in a transparent, non-retaliatory, non-discriminatory manner. Testing can be implemented in various ways including temperature screening, questionnaires, self-checks or self-questionnaires. Employers who implement such screening measures need to maintain confidentiality of employee medical information consistent with the requirements of the Americans with Disabilities Act.

Employers do not need to make a record of temperatures or other health information when they screen workers. However, if employers record this information, it may qualify as a medical record under the Access to Employee Exposure and Medical Records standard (29 CFR 1910.1020). If records are made or maintained by a physician, nurse or other health care personnel they will qualify as “medical records” under the Access to Employee Exposure and Medical Records standard. In such circumstances, medical records must be maintained for the duration of each employee’s employment plus 30 years thereafter, and employers must follow confidentiality requirements when maintaining such records.  With respect to the provider, those records, however, are generally not subject to HIPAA, if the provider is creating the record on behalf of the employer and the records will be stored by the employer.  However, as an extra precaution, it is a best practice for providers to obtain HIPAA authorizations from the workers that allow for disclosure to the employer or other individuals, or authorities, as appropriate.

Employers must also adequately protect workers who are screening and testing other workers from exposure to COVID-19. Additional information on how to do so is available here.

From Fox Rothschild’s Privacy Compliance & Data Security blog

The Federal Trade Commission (FTC) has offered tips for data protection during the COVID-19 crisis.

  • Consider privacy and security as you’re developing your products and services, and not after launch. Although we will be flexible and reasonable when it comes to bringing enforcement actions against companies engaged in good faith, thoughtful efforts to address the effects of the pandemic, it doesn’t pay to be in the news for privacy and security problems.
  • Use privacy protective technologies, eg decentralized protocols that allow users to voluntarily share encrypted data directly with epidemiologists.
  • Consider using anonymous, aggregate data. For example, if a consumer has granted you permission to use their location data, you may disclose a heat map of average distances traveled for public health purposes without needing consent.
  • Delete data when the crisis is over. If you tell consumers you’re collecting, analyzing, using, or sharing information for emergency public health purposes, only use it for those purposes, and delete the data when the need is over.

Details from the FTC.

A joint Alert from the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) warns of new cyber attacks targeting COVID-19-related information.

Notably, these attacks succeed when system users have weak or common passwords.  NCSC published frequently found passwords here, many of which are used by cyber criminals to gain access to networks that contain sensitive research and health care information.  The Alert warns that cyber criminals have been using “password spraying,” a style of attack in which the attacker tries a single common password across many user accounts, one time each, before moving on to another common password.  Because no single account sees more than a few failed attempts in a row, switching among common passwords lets the attacker avoid account lockouts.
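Because a spray spreads its failures across many accounts, per-account lockout counters never fire; the signal is instead one source failing against many distinct accounts in a short window. The script below is an added, defender-side illustration of that detection logic and is not part of the Alert or of Fox Rothschild’s post. The log format (timestamp, result, `user=`, `src=`) and the log lines themselves are constructed for the example; adapt the parser to whatever your authentication system actually emits.

```python
"""Flag password-spraying patterns in authentication logs.

Added example. The log format and the sample lines are constructed for this
illustration and do not correspond to any real product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source (203.0.113.7) tries a different account
# each time, with a single success near the end; a second source is a normal
# user mistyping their own password twice, then logging in.
SAMPLE_LOG = """\
2020-04-24T09:00:01 FAIL user=asmith src=203.0.113.7
2020-04-24T09:00:02 FAIL user=bjones src=203.0.113.7
2020-04-24T09:00:03 FAIL user=cwong src=203.0.113.7
2020-04-24T09:00:04 FAIL user=dlee src=203.0.113.7
2020-04-24T09:00:05 FAIL user=epatel src=203.0.113.7
2020-04-24T09:00:06 OK user=fgarcia src=203.0.113.7
2020-04-24T09:01:10 FAIL user=gmiller src=198.51.100.23
2020-04-24T09:01:15 FAIL user=gmiller src=198.51.100.23
2020-04-24T09:01:22 OK user=gmiller src=198.51.100.23
2020-04-24T10:30:00 FAIL user=hkim src=203.0.113.7
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: sorted distinct accounts} for every source whose failed
    logins touched at least `min_accounts` distinct accounts within `window`.

    Only FAIL events are counted; a sliding window per source keeps memory
    bounded to the events inside the window.
    """
    fails = defaultdict(list)  # src -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        if result == "FAIL":
            fails[src].append((ts, user))

    flagged = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Drop events from the left until the window spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged


def successes_after_spray(log_text, flagged):
    """Accounts that logged in successfully from a flagged source.

    A success in the middle of a spray is the likely compromised account and
    the first thing to review (and reset) when responding.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, result, user, src = parse_line(line)
        if result == "OK" and src in flagged:
            hits[src].append(user)
    return dict(hits)


if __name__ == "__main__":
    flagged = detect_spray(SAMPLE_LOG)
    for src, users in flagged.items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
    print("successful logins from flagged sources:",
          successes_after_spray(SAMPLE_LOG, flagged))
```

The thresholds (`window`, `min_accounts`) are deliberately parameters: a shared NAT gateway will legitimately produce failures from many users, so tune them against a baseline of your own environment before alerting on them.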

The HIPAA Security Rules require covered entities and business associates to “protect against any reasonably anticipated threats or hazards to the security” of protected health information and to implement “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” needed to protect against threats.  While workforce training on password management is “addressable,” rather than “required,” under the Security Rules, covered entities, business associates and any other entities that maintain COVID-19-related information would be smart to remind users to pick strong passwords.  How about “SkunkSprayStinksStealsSensitiveData2!?”

Fox Rothschild LLP partner Beth Larkin listened to the HHS Office for Civil Rights 4/24/20 webinar (which should be posted on its website at some point) regarding HIPAA and COVID-19 and took notes. Here’s my summary of key points, based on Beth’s notes:

Overview: OCR stresses that the HIPAA Rules are supposed to be balanced and flexible.  The HIPAA Rules do not prohibit sharing PHI, they just require covered entities and business associates to take appropriate steps to safeguard PHI in accordance with the HIPAA Rules.

OCR has issued HIPAA non-enforcement notices related to some of the topics covered in the webinar (on telehealth, community-based testing sites (CBTS) and business associate disclosure of PHI for public health purposes) and guidance (such as FAQs) related to other topics covered (on first responders and disclosures to family and friends involved in care and for notification purposes).  The non-enforcement notices apply to all HIPAA Rules, not just the Privacy Rule.  OCR’s HIPAA non-enforcement is based on a covered entity’s and business associate’s good faith efforts to comply with the non-enforcement notice.  OCR non-enforcement notices will not apply once the public health emergency is over, but OCR can still use its enforcement discretion.  OCR tends to try to resolve complaints and investigations with technical assistance.  Penalties are generally issued with respect to systemic non-compliance and egregious violations.

OCR will continue to issue COVID-19 guidance as needed.  OCR puts all of its COVID-19 HIPAA information, including the non-enforcement notices and guidance discussed here (collectively “OCR guidance” for purposes of this blog), in a new HIPAA and COVID-19 section on its website.  Questions can be submitted to ocrmail@hhs.gov or by calling OCR at 1-800-368-1019.  OCR reads through all of the emails/questions received and issues guidance based on them.

Remember that state laws may be more stringent and will also apply for HIPAA Covered Entity providers (“CE providers”) and Business Associates.

Key Points:

  • Public Health Requests and Minimum Necessary: If CDC or another public health authority makes a request for COVID-19 information from a CE provider for public health reasons, the CE provider can rely on the fact that the request meets the “minimum necessary” requirement, and can continue to provide the PHI over a period of time in response to the initial request (e.g., where reporting is required weekly, a new agency request is not needed each time).
  • Public Health Activities and Business Associates: OCR will exercise enforcement discretion so that a business associate may use or disclose PHI for public health activities or health oversight activities, even if its business associate agreement does not expressly permit that use or disclosure.
  • Media Disclosures: OCR stressed that disclosures to the media still generally require patient authorization.  CE providers still need to be careful and take appropriate precautions against media disclosures (e.g., be careful when news crews are filming COVID-19 stories).  OCR watches and reads the news too.
  • Telehealth:  OCR’s non-enforcement applies to all media that OCR considers “telehealth,” including online video, telephone, texts and emails.  It also applies to all health care rendered via telehealth, not just COVID-19 care.  A CE provider must use non-public facing methods of communication, enable privacy and security protections, and notify patients that there is a privacy/security risk.  While no business associate agreement (BAA) with the communications service provider is required, a number of service providers have stated that they operate in compliance with HIPAA and will provide BAAs.  CE providers should take reasonable precautions for patient privacy (e.g., close office door, lower voice).  While the OCR guidance does not apply to Part 2 Rules, OCR noted that SAMHSA has issued some guidance on telehealth under Part 2 Rules.
  • First Responders:  OCR’s guidance addresses exceptions that already apply, such that patient authorization is not required (e.g., disclosures for treatment, public health purposes, where required by law, and where there’s a serious imminent threat to the health and safety of a person or the public).  OCR allows CE providers like hospitals to release lists of COVID-19 positive individuals to EMS dispatch for purposes of notifying first responders on a case-by-case basis if there is a risk of infection (EMS can tell first responders being dispatched to a patient that the patient is COVID-19 positive but can’t post the list or distribute the list to first responders).  EMS can also ask 911 callers about COVID-19 symptoms and notify first responders.  (EMS may not be a CE provider.)
  • COVID-19 Community-Based Testing Sites:  OCR’s non-enforcement only applies to the CBTS, not other services or activities of the CE provider or its business associates (including storage of testing results in an electronic records system).  OCR recognizes that it’s hard to comply with HIPAA Rules when testing is being done in a parking lot or on a drive-thru basis.  Reasonable safeguards (e.g., buffer zones, tarps or barriers used to add privacy, and secure technology) are still encouraged for CBTS.

The New York Attorney General has issued a warning to healthcare providers, hospitals, and other organizations within the health supply chain that cyber criminals are using targeted COVID-19 phishing emails and texts to gain access to sensitive information.  Multiple reports indicate that scammers are sending emails and texts to get a recipient to click on a link purporting to share COVID-19 information that in reality installs malware or permits access to steal passwords and other sensitive information.

Details in this post by Caroline Morgan on Fox Rothschild’s Privacy Compliance & Data Security blog.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning that it has received reports that someone has been impersonating an OCR inspector in an effort to access HIPAA Protected Health Information (PHI).

According to the agency: “The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation. HIPAA covered entities and business associates should alert their workforce members, and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address.  If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.”

HIPAA Covered Entity and Business Associate clients interested in receiving security and privacy updates directly from OCR can sign up here.

On March 20, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published Guidance and a list of FAQs related to the provision of telehealth and HIPAA compliance.

“OCR will exercise enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  This notification is effective immediately.”

Here are several “Dos” and “Don’ts” for covered health care providers from the Guidance and FAQs:

Dos

1.  Exercising professional judgment, use a video chat application that connects to the provider’s or patient’s phone or desktop computer to assess or treat a patient in connection with potential COVID-19 infection.

2.  Exercising professional judgment, use the video chat application to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle or other ailment and for dental consultations, psychological evaluations and other assessments.

3.  Use popular applications that allow for video chats, including Apple’s FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, to provide telehealth. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

4.  If seeking additional privacy protection for telehealth while using video communication products, engage vendors that will enter into HIPAA business associate agreements (BAAs) in connection with the provision of the product, including the following vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet

Don’ts

1.  Use public-facing video communication applications, such as Facebook Live, Twitch, TikTok, and similar video communication applications.

2.  Rely on the OCR’s discretion regarding HIPAA enforcement if you are a substance use disorder program subject to Part 2 (see here for Guidance related to Part 2).

3.  Expect HIPAA enforcement discretion if you are a covered entity health plan (see FAQ #2).

4.  Expect Medicare or Medicaid reimbursement for all telehealth services (see FAQ #1 and CMS Guidance).

5.  Expect HIPAA enforcement discretion for activities unrelated to telehealth. The Security Rule, Privacy Rule, and Breach Notification Rule continue to apply in all other contexts.

By Margaret J. Davino, Salvatore J. Russo and Nawa A. Lodin

In the Medicare Telemedicine Healthcare Provider Fact Sheet published March 17, 2020, the Centers for Medicare & Medicaid Services (CMS) broadened access to Medicare telehealth services to allow Medicare patients to receive more services from their doctors without travel to a health care facility. This benefit is available on a temporary and emergency basis under the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act, to provide telemedicine services during the national emergency declared regarding COVID-19.

Before this new waiver, Medicare only paid for telehealth when the patient was in a designated rural area and left the home and went to a clinic, hospital or certain other types of medical facilities for the service.  Now, Medicare can pay for office, hospital and other visits furnished via telehealth across the country including in patient’s places of residence, retroactive to March 6, 2020. A range of providers, such as doctors, nurse practitioners, clinical psychologists and licensed clinical social workers, will be able to offer telehealth to their patients. Additionally, the HHS Office of Inspector General (OIG) is providing flexibility for health care providers to reduce or waive cost-sharing for telehealth visits paid by federal health care programs.

Also, effective immediately, the HHS Office for Civil Rights (OCR) will exercise enforcement discretion and waive penalties for HIPAA violations against health care providers that serve patients in good faith through communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.  See Emergency Situations: Preparedness, Planning, and Response, from HHS.

Medicare Telehealth Visits

Starting March 6, 2020 and for the duration of the COVID-19 public health emergency, Medicare will pay for professional services to beneficiaries in all areas of the country in all settings (instead of the limited originating sites listed before March 6). For this Medicare telehealth visit, the provider must use an interactive audio and video telecommunications system that permits real-time communication between the distant site and the patient at home. Although Medicare normally requires that the patient have a prior established relationship with a particular practitioner, HHS will not conduct audits to ensure that such a prior relationship existed for claims submitted during this public health emergency. These visits are considered the same as in-person visits and are paid at the same rate as regular in-person visits.

The Medicare coinsurance and deductible would generally apply to these services. However, the HHS Office of Inspector General (OIG) is providing flexibility for health care providers to reduce or waive cost-sharing for telehealth visits paid by federal health care programs.

Other Medicare Telehealth Visits

The CMS Fact Sheet reminds providers that there are two previously existing types of telehealth services:  virtual check-ins and e-visits.

Virtual check-ins: In 2019, Medicare started paying in all areas (not just rural), for established Medicare patients in their homes to have a brief communication service (virtual check-in) with practitioners via a number of communication technology modalities including synchronous discussion over a telephone or through video or image (unlike Medicare telehealth visits, which require audio and visual capabilities for real-time communication). The practitioner may respond to the patient’s concern by telephone, audio/video, secure text messaging, email or use of a patient portal. The communication may not be related to a medical visit within the previous seven days and cannot lead to a medical visit within the next 24 hours (or soonest appointment available). The patient must verbally consent to receive virtual check-in services. The Medicare coinsurance and deductible applies to these services. In addition, separate from these virtual check-in services, captured video or images can be sent to a physician (HCPCS code G2010).

E-visits:  In all types of locations including the patient’s home, and in all areas (not just rural), established Medicare patients may have non-face-to-face patient-initiated communications with their doctors without going to the doctor’s office by using online patient portals. The patient must generate the initial inquiry and communications can occur over a seven-day period. The services may be billed using CPT codes 99421-99423 and HCPCS codes G2061-G2063, as applicable. The patient must verbally consent to receive virtual check-in services. The Medicare coinsurance and deductible would apply to these services.

State Law

This CMS Fact Sheet involves only federal law, and does not change state laws, e.g., state licensing laws that require that a physician be licensed in the state in which the patient resides, or state Medicaid requirements.  The New York State Department of Financial Services just published this notice yesterday relaxing reimbursement provisions for telehealth services:  https://www.dfs.ny.gov/system/files/documents/2020/03/re62_58_amend_text.pdf.  Please note also the NJ Telemedicine Act, N.J.S.A. 45:1-62 et al, which requires the physician to provide the patient with certain information, including his or her professional credentials, before engaging in telemedicine (requiring a proper consent form) and requires the physician to establish a provider-patient relationship before prescribing medication to the patient based solely on answers to an online questionnaire, along with how to establish that relationship.

Effective March 15, 2020, certain hospitals that fail to comply with specific HIPAA Privacy Rule requirements will not be subject to HIPAA sanctions and penalties, according to a “COVID-19 & HIPAA Bulletin” issued by U.S. Health and Human Services Secretary Alex M. Azar. The waiver was implemented as a response to President Trump’s recent declaration of a nationwide emergency concerning COVID-19 and Secretary Azar’s declaration of a public health emergency on January 31, 2020.

Note that this HIPAA waiver is limited. It only applies to (1) hospitals located in an emergency area identified in a public health emergency declaration; (2) hospitals that have instituted a disaster protocol; and (3) for up to 72 hours after the hospital institutes its disaster protocol. When President Trump’s or Secretary Azar’s emergency declaration ends, the HIPAA waiver will end.

In addition, the HIPAA waiver only applies to the following specific HIPAA Privacy Rule requirements:

  • obtaining the patient’s consent to speak with family and friends involved in patient care as per 45 C.F.R. 164.510(b)
  • honoring the patient’s request to opt out of being included in the facility directory as per 45 C.F.R. 164.510(a)
  • distributing the Notice of Privacy Practices to patients as per 45 C.F.R. 164.520
  • giving individuals the right to request restrictions on the use or disclosure of their protected health information as per 45 C.F.R. 164.522(a)
  • honoring the individual’s right to restrict disclosure of protected health information to a health plan as per 45 C.F.R. 164.522(b)

The Bulletin reiterates many of the points addressed in HHS’s February 3, 2020 Bulletin on HIPAA and COVID-19, discussed here in a prior post. The bottom line?  HIPAA remains in place during emergencies, except for a limited set of covered entities and with respect to limited provisions of the HIPAA Privacy Rule as described above.