Beware, Persons Posing as OCR Investigators Demand PHI, Says OCR Alert

On April 3, the Office for Civil Rights (OCR) issued an alert to covered entities and business associates. Evidently, one or more individuals are posing as OCR Investigators and contacting HIPAA covered entities and business associates in an attempt to obtain protected health information (PHI). The individual identifies himself or herself on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation. In this environment, with many healthcare providers stretched to their limits dealing with COVID-19, workforce members may be distracted, fail to follow normal protocols, and simply comply with the request.

Verification should be a regular step, second nature, in the process of making disclosures of PHI. The basic rule at 45 CFR 164.514(h) provides that, in general:

Prior to any disclosure permitted by this subpart, a covered entity must:

(i) … verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and

(ii) Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this subpart.

OCR recommends that HIPAA covered entities and business associates alert their workforce members to these potential scams and remind them of the basic verification requirement. They also should provide some easy-to-follow tips for verification, such as:

  • Do not provide any PHI information based solely on a telephone request until verified.
  • Ask for the name and transaction number for the matter the caller is calling about.
  • Ask for the caller to provide his or her email address, it should end in
  • Ask the caller’s name, title, and what OCR office they are calling from.
  • Ask for an email from the OCR investigator confirming the nature and scope of the request.
  • Ask the caller if he or she has communicated with anyone else at the organization about the matter.
  • Ask for a copy of any prior written request(s) for the information; there usually is one.
  • Remind workforce members about best practices for responding to phishing and spoofing attacks.

Covered entities and business associates might also centralize the function of responding to such requests to one person, a small group of workforce members, or a third party. Typically, that person, group, or third party is better trained to follow these and other best practices for verification.

Organizations with additional questions or concerns, or that may be questioning a particular inquiry, could reach out to the OCR at: The OCR also reminded covered entities about other COVID schemes and that suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI) at

More OCR Guidance on COVID-19 and HIPAA Relief – Business Associates

The Office for Civil Rights (OCR) has been moving swiftly to provide guidance on addressing key regulatory issues to aid in the fight to contain and defeat COVID-19. Some of the latest developments include exercising its enforcement discretion on certain good faith disclosures of protected health information (PHI) by business associates, adding FAQs for telehealth providers, and a resource page on its website for COVID-19 issues.

A common thread through all of the federal and state governmental briefings on COVID-19 is that understanding the spread; managing healthcare personnel, equipment, personal protective equipment (PPE), and other necessary resources all require data. Roger Severino, OCR Director, recognized the need for “quick access to COVID-19 related health data to fight this pandemic.” Because business associates have limitations on the circumstances under which critical data can be used and disclosed, despite the critical role they often play in storing and analyzing data, “[g]ranting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives,” Severino added.

The HIPAA Privacy Rule already permits covered entities to provide the kind of data that is needed; however, current regulations allow a HIPAA business associate to use and disclose PHI for public health and health oversight purposes only if expressly permitted by its business associate agreement (BAA) with a HIPAA covered entity. It is common for business associate agreements to be drafted very narrowly, permitting only specified uses and disclosures. Thus, when federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from HIPAA business associates (i.e., a disclosure of PHI), or requested that business associates perform public health data analytics on such PHI (i.e., a use of PHI by the business associate) for the purpose of ensuring the health and safety of the public during the COVID-19 national emergency, some HIPAA business associates have been unable to timely participate in these efforts because their BAAs do not expressly permit them to make such uses and disclosures of PHI.

To address this issue, OCR announced that it will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.

Specifically, the announcement provides that OCR will not impose penalties against a business associate or covered entity under certain Privacy Rule provisions if, and only if:

  • the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities (see 45 CFR 164.512(b)), or health oversight activities (see 45 CFR 164.512(d)); and
  • the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

The OCR provides examples of good faith uses or disclosures:

  • the Centers for Disease Control and Prevention (CDC), or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, consistent with 45 CFR 164.512(b).
  • the Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).

It is important to note that while the OCR’s announcement provides some relief under HIPAA, it does not extend to other requirements or prohibitions under the Privacy Rule, or to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. This announcement also does not address other federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information. Thus, business associates still need to be careful when using and disclosing PHI in these circumstances, although this announcement provides some welcomed relief and should aid the efforts to fight COVID-19.

Key Components of a COVID-19 Screening Program

Stopping the spread of coronavirus is critical to overcoming the COVID-19 pandemic. As testing is ramping up around the country, some states and localities have imposed health screening requirements in an effort to identify persons at risk of being infected and stop them from infecting others. Whether mandatory or recommended, screening employees and visitors could play an important role in curbing the spread of COVID-19. However, developing and implementing a screening program raises a range of issues organizations need to think through carefully.

Below are some examples of screening program mandates/recommendations around the country:

  • Iowa. On March 26, 2020, Governor Kimberly Reynolds mandated that until April 16, 2020, all hospitals, nursing facilities, intermediate care facilities, residential care facilities, hospice programs, and assisted living facilities must screen all staff at the beginning of their shift for fever or respiratory symptoms, absence or shortness of breath, new or changing cough, or sore throat, and take employees’ temperature.
  • Ionia County, MI. On March 23, 2020, the County’s Health Officer mandated that all persons providing childcare services for compensation must develop and implement a daily screening program for all staff, children, parents, and other visitors entering the facility. The program must include screening for symptoms of a respiratory infection, such as temperature of 100.4 degrees or higher, severe cough, and/or shortness of breath.
  • Delaware. On March 22, 2020, Governor John Carney and the Delaware Division of Public Health strongly recommended that all employers screen employee temperatures each day before work, and those with a temperature of 99.5 degrees or more be sent home. Employers also should require employees to complete a basic questionnaire addressing other symptoms of COVID-19.
  • Ohio. Governor Mike DeWine issued a similar recommendation on March 19, 2020, suggesting that employees be sent home with a fever at or above 100.4 degrees.

Setting up such a screening program requires careful planning. Below are some key steps organizations should consider.

  • Identify a Program Leader. With state and local guidance changing rapidly, the leader needs to be informed and practical, as well as sensitive to concerns about confidentiality.
  • Understand Applicable Mandates and Recommendations. Organizations need to develop and implement their programs based on applicable guidance. This can be challenging considering the various federal, state, and local agencies that could issue screening guidelines. Our COVID-19 team has been tracking these and other laws and guidance here.
  • Develop a Plan. Where possible, the program leader should work with appropriate persons in the organization, e.g., legal and HR, to outline the program in writing. The program should include components such as:
    • Designating responsibility. In addition to designating who is responsible for the program as a whole, responsibility for conducting the screening (third party or other employees), maintaining records, addressing disputes about the program, handling requests for information concerning the screenings, etc. also should be made clear.
    • Identifying who is subject to screening. Persons subject to screening might include applicants, employees, contractors, and/or visitors. Note that employers with employees represented by a union may need to bargain and obtain union agreement before implementing the program, particularly if the state or locality is making only a recommendation and not a mandate.
    • Establish procedures for administering the screening. The program needs to set forth the logistics of the screening process. If possible, consult with an available health care professional while doing so. These logistics include where the program can be conducted, identifying the best time of day to conduct the screening, how to position the persons to be screened in order to maintain distancing, obtaining notice/consent (if required), requiring the use of personal protection equipment (PPE), identifying equipment to use when taking temperatures, determining the information to collect in questionnaires, who should receive the results of the screening, and other procedural steps. Determining who will conduct the screening also is an important consideration. Whether the person(s) who administer the screenings are employees of the organization or a third party, consider having an appropriate agreement in place to confirm confidentiality and security of information, among other things.
    • Plans for persons who refuse the screening. The organization needs to be ready to deal with individuals who refuse the screening. For applicants and employees, the HR department should be involved and prepared. For customers or visitors, the organization should ensure customer relations or similar personnel are ready. In either case, the program should try to anticipate concerns that may be raised such as confidentiality, logistics of data collection, and securing the data.
    • Arrange for confidential and secure collection, storage, and, if necessary, transmission of screening data. For employee medical information, the Americans with Disabilities Act requires that confidentiality be maintained. Additionally, numerous state data breach notification laws generally require notification if an individual’s medical information is accessed or acquired by an unauthorized person. While the EEOC and California have softened their positions on the kinds of medical-related questions employers may ask employees, appropriate safeguards should be in place to protect individually identifiable medical information collected as part of a screening program. These safeguards should include clear guidelines on the circumstances under which such information may be disclosed.
    • Training on program requirements. If applicable, the organization should provide those employees responsible for administering the program a reasonable opportunity to understand the program requirements and get their questions answered. This includes making sure employees understand how to use any equipment required during the screening, such as a particular thermometer, and completing screening questionnaires. Persons conducting the screening also should have a clear understanding when screening results will require them to prohibit a screened individual from entering the facility.
  • Communicate. Developments concerning COVID-19 and government reactions happen fast, but organizations should try to provide as much notice as possible to those who would be subject to the screening. Organizations also should not ignore communicating with those found to have COVID-19 symptoms. Having information available to inform such individuals about best practices for self-quarantine and other measures to prevent further spread can be very helpful.

As COVID-19 spreads, more state and local governments may require or recommend organizations conduct coronavirus screening at their facilities. Organizations also may decide to proactively establish such a program. In either case, the program should be carefully considered and implemented.

OCR HIPAA Guidance For Getting PHI of COVID-19 Exposed Individuals to First Responders

With first responders on the front lines of helping to fight the coronavirus, sharing information about potential exposure to COVID-19 is critical to protecting them and preventing further spread. In these situations, the information shared is most often “protected health information” (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. To help clarify when PHI can be shared in these circumstances, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued guidance relating to sharing PHI about individuals who have been infected with or exposed to COVID-19 with law enforcement, paramedics, other first responders, and public health authorities.

The idea is to make clear when PHI can be given to first responders and others so they can take extra precautions or use personal protective equipment (PPE), and to remind covered entities to follow the “minimum necessary” rule in the process.

According to the guidance, the HIPAA Privacy Rule permits a covered entity to disclose PHI of an individual who has been infected with, or exposed to, COVID-19 to law enforcement, paramedics, other first responders, and public health authorities without the individual’s HIPAA authorization, in certain circumstances, including the following:

  • To provide treatment. For example, a nurse in a skilled nursing facility can alert emergency medical transport personnel that the individual they are transporting to a hospital’s emergency department has COVID-19.
  • When required by law. An example is a hospital making a disclosure of positive COVID status pursuant to a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials.
  • When first responders may be at risk for an infection. Covered entities authorized by law to notify persons as necessary in the conduct of a public health intervention or investigation may inform first responders who may be at risk of infection. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. Similarly, a covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis. The EMS dispatch would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use PPE.
  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. For example, a covered entity may, consistent with applicable law and standards of ethical conduct, disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.

These are just some of the examples in which PHI about an individual’s COVID-19 infection can be shared with first responders. The primary authority for these exceptions to the general rule of nondisclosure without an authorization is for treatment disclosures (45 CFR 164.502(a)(1)(ii)), legal requirements (45 CFR 164.502(a)(2)), and other purposes (45 CFR 164.512). Note, however, that unless the disclosure is required by law, for treatment purposes, or for certain other purposes, the covered entity must make reasonable efforts to limit the information used or disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure.

Remember also that state laws may be more stringent than HIPAA concerning uses and disclosures of PHI. Thus, covered entities should consult other applicable laws (e.g., state and local statutes and regulations) in their jurisdiction prior to using or making disclosures of individuals’ PHI, as such laws may place further restrictions on disclosures that would otherwise be permitted by HIPAA.

EEOC Updates Its 2009 Guidance Concerning Pandemic Preparedness

On March 19, 2020, the Equal Employment Opportunity Commission updated its 2009 pandemic preparedness guidance: Pandemic Preparedness in the Workplace and the Americans with Disabilities Act. It includes the following note:

The EEOC is updating this 2009 publication to address its application to coronavirus disease 2019 (COVID-19).  Employers and employees should follow guidance from the Centers for Disease Control and Prevention (CDC) as well as state/local public health authorities on how best to slow the spread of this disease and protect workers, customers, clients, and the general public.  The ADA and the Rehabilitation Act do not interfere with employers following advice from the CDC and other public health authorities on appropriate steps to take relating to the workplace.  This update retains the principles from the 2009 document but incorporates new information to respond to current employer questions.   

Many employers are struggling with questions such as:

  • If we follow CDC or state/local public health authorities, can we still violate the ADA?
  • Can we take our employees’ temperatures?
  • Does someone with COVID-19 symptoms in the workplace pose a direct threat?
  • May we screen applicants for COVID-19?

These and other questions are addressed in the guidance. However, as discussed here, there still may be other issues to consider, such as state and local privacy laws.

We paste below some of the key clarifications in the EEOC’s update:

Does someone with COVID-19 symptoms in the workplace pose a direct threat?

Based on guidance of the CDC and public health authorities as of March 2020, the COVID-19 pandemic meets the direct threat standard.  The CDC and public health authorities have acknowledged community spread of COVID-19 in the United States and have issued precautions to slow the spread, such as significant restrictions on public gatherings.  In addition, numerous state and local authorities have issued closure orders for businesses, entertainment and sport venues, and schools in order to avoid bringing people together in close quarters due to the risk of contagion.  These facts manifestly support a finding that a significant risk of substantial harm would be posed by having someone with COVID-19, or symptoms of it, present in the workplace at the current time.  At such time as the CDC and state/local public health authorities revise their assessment of the spread and severity of COVID-19, that could affect whether a direct threat still exists.

During a pandemic, may an ADA-covered employer take its employees’ temperatures to determine whether they have a fever?

Generally, measuring an employee’s body temperature is a medical examination. If pandemic influenza symptoms become more severe than the seasonal flu or the H1N1 virus in the spring/summer of 2009, or if pandemic influenza becomes widespread in the community as assessed by state or local health authorities or the CDC, then employers may measure employees’ body temperature.

However, employers should be aware that some people with influenza, including the 2009 H1N1 virus or COVID-19, do not have a fever.

Because the CDC and state/local health authorities have acknowledged community spread of COVID-19 and issued attendant precautions as of March 2020, employers may measure employees’ body temperature. As with all medical information, the fact that an employee had a fever or other symptoms would be subject to ADA confidentiality requirements.

If an employer is hiring, may it screen applicants for symptoms of COVID-19?

Yes. An employer may screen job applicants for symptoms of COVID-19 after making a conditional job offer, as long as it does so for all entering employees in the same type of job. This ADA rule allowing post-offer (but not pre-offer) medical inquiries and exams applies to all applicants, whether or not the applicant has a disability.

May an employer take an applicant’s temperature as part of a post-offer, pre-employment medical exam?

Yes.  Any medical exams are permitted after an employer has made a conditional offer of employment.  However, employers should be aware that some people with COVID-19 do not have a fever.

May an employer delay the start date of an applicant who has COVID-19 or symptoms associated with it?

Yes.  According to current CDC guidance, an individual who has COVID-19 or symptoms associated with it should not be in the workplace.

CDC has issued guidance applicable to all workplaces generally, but also has issued more specific guidance for particular types of workplaces (e.g. health care employees). Guidance from public health authorities is likely to change as the COVID-19 pandemic evolves.  Therefore, employers should continue to follow the most current information on maintaining workplace safety.   To repeat:  the ADA does not interfere with employers following recommendations of the CDC or public health authorities, and employers should feel free to do so.

May an employer withdraw a job offer when it needs the applicant to start immediately but the individual has COVID-19 or symptoms of it?

Based on current CDC guidance, this individual cannot safely enter the workplace, and therefore the employer may withdraw the job offer.

During a pandemic, must an employer continue to provide reasonable accommodations for employees with known disabilities that are unrelated to the pandemic, barring undue hardship?

Generally, yes. But, the EEOC clarifies:

The rapid spread of COVID-19 has disrupted normal work routines and may have resulted in unexpected or increased requests for reasonable accommodation.  Although employers and employees should address these requests as soon as possible, the extraordinary circumstances of the COVID-19 pandemic may result in delay in discussing requests and in providing accommodation where warranted.  Employers and employees are encouraged to use interim solutions to enable employees to keep working as much as possible.

This is helpful guidance and provides some clarity, but employers will still need to assess their situations locally, weighing various factors when making these critical decisions.

HHS Removes Enforcement Barriers for Telehealth during COVID-19 Nationwide Public Health Emergency

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) wants to make it easier for individuals to reach a healthcare provider, including those most at risk (older persons and persons with disabilities). Effective immediately, during the COVID-19 nationwide public health emergency, OCR announced it will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth.

In short, covered health care providers subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communications technologies, some of which may not fully comply with the requirements of the HIPAA Rules, without the threat of enforcement.

A couple of key points about this announcement:

  • Covered health care providers that want to use audio or video communication technology to provide telehealth in good faith to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.
  • The announcement applies to telehealth provided for any reason, not just services related to the diagnosis and treatment of health conditions related to COVID-19.

In the exercise of their professional judgement, for example, a covered health care provider may request to examine a patient exhibiting COVID-19 symptoms using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. The provider may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth.

However, OCR advises providers to take some precautions:

  • notify patients that these third-party applications potentially introduce privacy risks,
  • enable all available encryption and privacy modes when using such applications,
  • do not use public facing video communication applications, such as Facebook Live, Twitch, TikTok, and similar, in the provision of telehealth,
  • where applicable, use technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. OCR listed some vendors that represent that they provide HIPAA-compliant video communication and that will enter into a HIPAA BAA (Skype for Business, Updox, VSee, Zoom for Healthcare, Google G Suite Hangouts Meet), but has not endorsed any of these or their BAAs.

The OCR’s guidance extends to BAAs in this context. It will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors relating to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.

This is welcomed news and should help facilitate the availability of care, particularly to those most at risk.

HIPAA Privacy Rule Waiver, Other Medical Information Questions During the COVID-19 Pandemic

As the coronavirus spreads across the globe and in the United States, providers, businesses, employers, and others are struggling to understand what medical information they can collect and what information they can share. These are difficult questions the answers to which involve considering factors such as long-standing compliance requirements (e.g., HIPAA, ADA, GINA, state law), the unprecedented times we are in, business risk, and common sense. Government is trying to act to relieve some of these challenges, but questions still remain.

HIPAA Privacy Rule Waiver of Penalties and Sanctions

Effective March 15, 2020, for example, Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar (Secretary) waived certain penalties and sanctions under the HIPAA Privacy Rule against hospitals in its March 2020 COVID-19 and HIPAA Bulletin. These waivers were issued in response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and the Secretary’s earlier declaration of a public health emergency on January 31, 2020. The Secretary’s guidance makes clear that the Privacy Rule is not suspended during this crisis and provides guidance about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel. But, in the following areas, the Secretary has waived sanctions and penalties against covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).

The waiver became effective on March 15, 2020, and there is more information and access to resources in the Bulletin about where it applies and for how long.

Reminder About What Entities Are Covered Entities and Business Associates

As part of its guidance on HIPAA privacy and disclosures in emergency situations, the Bulletin reminds readers what entities are covered by these rules – covered entities and business associates. There can be some tricky questions here, but these are the basic rules from the Bulletin:

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Covered entities are health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan. Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired). There may be other state or federal rules that apply.

Employers are Not Covered Entities or Business Associates – But Still Have Privacy and Confidentiality Obligations

When conducting its business, an organization can be a HIPAA covered entity and/or a business associate. However, when that business is functioning as an employer, it is neither a HIPAA covered entity nor a business associate, although it may sponsor a covered health plan subject to the HIPAA privacy and security rules. As organizations face the coronavirus threat to their workforce and their business, many questions arise about the collection, processing, and disclosure of medical information from employees, their family members, and visitors to their facilities. These can be thorny questions and organizations should seek qualified counsel, but here are some general rules:

When may an ADA-covered employer take the body temperature of employees during the COVID-19 pandemic?

Work-From-Home Checklist During the Coronavirus Pandemic

The debate over working from home continues, reaching a high point in 2013 when Marissa Mayer, then CEO of Yahoo, sought to curb the practice. However, as the coronavirus continues to spread across the U.S., more companies are instructing their employees to work from home as a social distancing technique to help contain the spread and remain productive. No doubt advances in technology and widespread availability of broadband access have made it possible for many to carry out their employment duties from anywhere.

But, of course, remote work is not available for everyone. Restaurant workers, retail store employees, delivery drivers, and other occupations cannot telecommute. However, when work can be performed from home, there are a range of issues for businesses to consider as the workplace expands.

While by no means an exhaustive list of all of the issues that may arise, here are some items to consider when implementing a work-from-home policy.

  • Making the decision
    • Review existing resources, applicable policies, and customer/client agreements to determine if remote work is feasible, prudent, and contractually permissible.
    • Have a plan for resources, communications, expense reimbursement, etc.
    • Review insurance policies (e.g., employee benefits, workers compensation, cyber, etc.) to ensure coverage.
    • Stay on top of developments as plans may need to be changed.
  • Confirm the IT infrastructure can support remote work.
    • Be ready to address systems and equipment needs of employees who may not be set up to work from home.
    • Beef up staffing, including help desk capacity to support workers not used to remote work.
    • Ensure data privacy and security (see below).
  • Communicate clearly and consistently.
    • Ensure critical lines of communication between management are open.
    • In the course of developing communications to employees, examine existing policies closely, such as confidentiality, written information security programs, business continuity, bring your own device (BYOD), etc. Companies without these policies or a comprehensive telework policy should consider putting them in place. In general, all existing company policies should apply whether an employee is working at the office or at home.
    • A localized approach may be warranted based on local conditions. But, be sure managers are on the same page to avoid inconsistent application of policy.
    • Provide employees system access instructions and where to go for help.
    • Outline best practices for maintaining a safe “workspace.”
    • Be understanding and solution-oriented.
  • Ensure data privacy and security.
    • Implement the work-from-home arrangement consistent with the company’s written information security program to ensure the access, transmission, and storage of confidential business and personal information is safeguarded. Some key safeguards include:
      • Permit access only through VPN or similar connection.
      • Require two-factor authentication.
      • Supply employees with secure laptops.
    • Communicate critical reminders for employees, such as
      • Elements of confidential business and personal information that warrant protection.
      • Minimum necessary rule – basically, only use confidential and personal information as needed to complete the employee’s assigned tasks.
      • Being aware of phishing attacks, which are a particular concern now as threat actors are using the coronavirus as part of their attacks.
      • Knowing where to report a data incident.
      • Following instructions for system updates and security patches.
      • Saving company data only on the network, and not personal devices.
      • Not permitting others to access the company’s systems, including the personal device that has access to the company’s systems.
      • Setting devices to lock automatically for periods of nonuse.
      • Avoiding printing sensitive corporate materials unless the reason to do so outweighs the risk.
      • Not sending sensitive corporate data to personal email or cloud accounts.
  • Obtain employees’ agreement to conditions for remote work. Items to cover in the agreement might include:
    • Continuing requirement to complete work assignments.
    • Maintaining availability during normal business hours.
    • Adherence to the company’s data privacy, security, and confidentiality policies.
    • Maintaining safe conditions and safety habits at the home office as established at company facilities.
    • Ensuring all work time is recorded.
  • Consider tax issues associated with employees working from home, including those out of state, and reimbursement for costs related to equipment and service-related costs needed to perform work duties.

Jackson Lewis attorneys from multiple practices and industries are actively assisting businesses on the rapidly evolving Coronavirus/COVID-19 workplace health challenge. We are closely monitoring and updating our information as the situation continues to evolve. Below are some additional important resources to help answer some of the most common questions:

California AG Urges Congress Not to Preempt the CCPA

Earlier this month, California Attorney General (“AG”) Xavier Becerra sent a letter to several members of U.S. Congress, providing an update on the implementation of the newly effective California Consumer Privacy Act (CCPA), and urging Congress not to enact a federal law that would preempt the CCPA and other state consumer privacy measures. Instead, AG Becerra called on Congress to develop a law that would “build on the rights” provided for by the CCPA, and partner with states to ensure greater consumer privacy protections.

“I invite Congress to look to the states as sources of innovation and expertise in data privacy, and not to undermine protections, like CCPA, that states have already developed. Therefore, as I noted above, I encourage Congress to favor legislation that sets a federal privacy-protection floor rather than a ceiling, allowing my state—and others that may follow—the opportunity to provide further protections tailored to our residents,” wrote AG Becerra.

In addition, AG Becerra emphasized that Congress, in its development of a federal consumer privacy law, should extend enforcement powers broadly, providing state attorneys general with parallel enforcement authority, and consumers the ability to protect their rights directly under a private right of action. It is not clear to what extent AG Becerra is suggesting the inclusion of a private right of action in federal law. The CCPA only authorizes a private cause of action against a covered business if a failure to implement reasonable security safeguards results in a data breach, and is not available when a consumer’s individual rights under the CCPA are violated. Moreover, the definition of personal information for a private right of action is much narrower than the general definition of personal information under the rest of the CCPA.

AG Becerra is instrumental in the CCPA legislative process; in particular, his office is tasked with development of regulations to operationalize the CCPA and provide clarity and specificity to assist in the implementation of the law. AG Becerra announced proposed regulations in October 2019, and following a series of public hearings across California, announced a regulatory update to the existing proposed regulations in early February 2020, and then again last week. The AG’s regulations must be finalized and implemented by July 1, 2020.

In the meantime, the U.S. Congress has been plugging away at a federal consumer privacy law over the last couple of years, with limited progress. Most recently, two competing federal consumer privacy bills were introduced. The first proposal, the Consumer Online Privacy Rights Act, was introduced by Sen. Maria Cantwell (D-Wash), followed shortly after by the United States Consumer Data Privacy Act, introduced by Senator Roger Wicker (R-Miss). While the two proposals have significant overlap, a key difference is their treatment of state consumer privacy laws. Cantwell’s proposal includes preemption of “directly conflicting state laws”, but stipulates that the federal law would not override state laws with a “greater level of protection”. Conversely, Wicker’s proposal includes a broad provision expressly preempting any state law “related to the data privacy or security and associated covered entities”.

A federal consumer privacy law is almost inevitable, although it is still unclear what shape it will take and when. With the CCPA in effect and other state measures on the horizon, the development of a meaningful data privacy and protection program has never been more important.

New York SHIELD Act FAQs

Over the past few months, businesses across the country have been focused on the California Consumer Privacy Act (CCPA), which dramatically expands privacy rights for California residents and provides a strong incentive for businesses to implement reasonable safeguards to protect personal information. That focus is turning back east as the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) becomes effective in less than two weeks. With the goal of strengthening protection for New York residents against data breaches affecting their private information, the SHIELD Act imposes more expansive data security requirements and updates the state’s existing data breach notification requirements.

This post highlights some features of the SHIELD Act. Given the complexities involved, organizations would be well-served to address their particular situations with experienced counsel.

When does the SHIELD Act become effective?

The SHIELD Act has two effective dates:

  • October 23, 2019 – Changes to the existing breach notification rules
  • March 21, 2020 – Data security requirements

Which businesses are covered by the SHIELD Act?

The SHIELD Act’s obligations apply to “[a]ny person or business which owns or licenses computerized data which includes private information” of a resident of New York. Previously, the obligation to provide notification of a data breach under New York’s breach notification law applied only to persons or businesses that conducted business in New York.

Are there any exceptions for small businesses?

As before the SHIELD Act, there are no exceptions for small businesses in the breach notification rule. A small business that experiences a data breach affecting the private information of New York residents must notify the affected persons. The same is true for persons or businesses that maintain (but do not own) computerized data that includes private information of New York residents. Persons or businesses that experience a breach affecting that information must notify the information’s owner or licensee.

However, the SHIELD Act’s data security obligations include some relief for small businesses, defined as any person or business with: