As the COVID-19 crisis continues, many companies throughout the country have arranged for significant portions of their workforce to work from home. A natural part of that arrangement is conducting videoconferences. With employees working at home in isolation, many seek opportunities to connect with others through a visual medium. Thus, companies are using videoconferencing to conduct business meetings. In other circumstances, employees are using it simply to connect visually with co-workers to catch up on work and life in general. Companies must, however, devote attention to a variety of privacy-related concerns when relying on this technology (as well as other related technologies) that enable expanded work from home opportunities. Recently, we created a work-from-home checklist including a number of relevant privacy issues.

When discussing video conferencing today, there are many options, including Google Hangouts, Skype, and WebEx. However, the option gaining the most popularity appears to be Zoom, from Zoom Video Communications.

Last week, a class action lawsuit was commenced in a California federal court against Zoom alleging, under the California Consumer Privacy Act and related laws, that it failed to properly safeguard the personal information of its users.

According to the complaint, “upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses, without adequate notice or authorization, this personal information to third parties…invading the privacy of millions of users.” The complaint describes that the Zoom app notifies third-party social media app users “when the user opens the app, details on the user’s device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements.”

The proposed class includes “all persons and businesses in the United States” whose personal information was collected or disclosed to a third party “upon installation or opening” of the Zoom app.

The complaint acknowledges that on March 27, 2020, Zoom released a new version of the app that purports to no longer send unauthorized personal information of its users to Facebook.

According to a March 27 blog post, Zoom CEO Eric Yuan stated that, “Zoom takes its users’ privacy extremely seriously” and described changes Zoom was making to its software that would take effect when users update to the latest version.

Considering the lightning speed with which this case was brought, companies everywhere should take this opportunity to review their procedures and best practices for video conferencing platforms and the other technologies supporting work from home arrangements. Doing so not only reduces the risk of a class action lawsuit, but also helps protect the company’s proprietary information and any personal identifying information of its employees and customers that it maintains.

In the US, many organizations anxiously awaiting assistance under the CARES Act are becoming the targets of cyberattackers looking to feed off the massive relief being provided by the US Treasury. Yesterday, the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of a substantial increase in these attacks, providing helpful guidance concerning the nature of the attacks and related information.

Specifically, the alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice. The alert notes that the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.

Organizations may not be able to prevent all attacks, but there are steps they can take to minimize the chance and impact of a successful attack, and to be prepared to respond. Here are just a few of those steps.

Before an Attack

  1. Build the right team
  • Ensure you have an IT team in place, whether internal or through a third-party vendor, that is well-versed in emerging threats and prepared to support the organization in the event of an attack.
  2. Secure the systems
  • Conduct a risk assessment and penetration test to understand where the organization is exposed to malware and other attacks.
  • Implement technical measures and policies that can prevent an attack, such as endpoint security, multi-factor authentication, regular updates to virus and malware definitions and protections, intrusion prevention software, and web browser protection, and monitor user activity for unauthorized and high-risk behavior.
  3. Make your employees aware of the risks and steps they must take in case of an attack
  • This is particularly critical now – educate employees on how to recognize phishing attacks and dangerous sites — say it, show them, and do it regularly. This includes instructing them to use caution when clicking directly on links in emails, even if the sender appears to be known — verify web addresses independently.
  • Employees should avoid revealing personal or financial information about themselves, other employees, customers, and the company in email, including wiring instructions. If they must, they should confirm by phone using a number obtained independently of the email.
  • Direct employees to pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different top-level domain (e.g., .com vs. .net).
  • Instruct employees on what to do immediately if they believe an attack has occurred (e.g., notify IT, disconnect from network, and other measures) and what not to do (e.g., deleting system files, attempting to restore the system to an earlier date, and the like).
  4. Maintain backups
  • Backup data early and often.
  • Keep backup files disconnected from the network and in separate locations.
  5. Develop and practice an “Incident Response Plan”
  • Identify the internal team (e.g., leadership, IT, general counsel, and HR).
  • Identify the external team (e.g., insurance carrier, outside legal counsel, forensic investigator, and public relations).
  • Outline steps for organizational continuity — using backup files and new equipment, safeguarding systems, and updating employees.
  • Plan to involve law enforcement and regulators (e.g., FBI, IRS, Office for Civil Rights, and so on).
  • Plan to identify, assess, and comply with legal and contractual obligations.
  • Practice the response plan with the internal and external teams, reviewing and updating the plan to improve performance.
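The URL checks in the employee-awareness bullets above (a misspelled domain, a swapped top-level domain, a trusted name buried inside an attacker's hostname) can be automated for a first-pass triage of links reported by staff. The script below is an added example, not code from the CISA/NCSC alert or from the original post. KNOWN_GOOD is a constructed allowlist, the sample message is constructed, and split_host assumes one-label top-level domains; a production version would use a public-suffix list and the organization's own asset inventory.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for this example; build yours from the domains
# your staff actually use (vendors, regulators, the company itself).
KNOWN_GOOD = {"example.com", "zoom.us", "hhs.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between two domain labels
    (examp1e vs example) is the classic typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str) -> tuple:
    """Return (second-level label, top-level domain).
    Assumption: one-label TLDs only; co.uk-style suffixes need a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def check_url(url: str) -> dict:
    """Classify one URL against KNOWN_GOOD and list why it looks suspicious."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    sld, tld = split_host(host)
    registrable = f"{sld}.{tld}" if tld else sld
    findings = []

    if parsed.username is not None:
        # http://hhs.gov@evil.net/ -- the browser ignores everything before '@'
        findings.append("userinfo-before-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")  # internationalized label, homoglyph candidate
    if parsed.scheme != "https":
        findings.append("not-https")

    if registrable in KNOWN_GOOD:
        return {"url": url, "host": host, "verdict": "known-good", "findings": findings}

    for good in sorted(KNOWN_GOOD):
        g_sld, g_tld = split_host(good)
        if host.startswith(good + ".") or ("." + good + ".") in ("." + host):
            findings.append(f"name-in-subdomain:{good}")  # hhs.gov.secure-login.net
        elif sld == g_sld and tld != g_tld:
            findings.append(f"tld-swap:{good}")           # example.net for example.com
        else:
            limit = 1 if len(g_sld) <= 4 else 2           # short names: be stricter
            if 0 < edit_distance(sld, g_sld) <= limit:
                findings.append(f"lookalike:{good}")      # examp1e.com, exarnple.com

    suspicious = [f for f in findings if f != "not-https"]
    verdict = "suspicious" if suspicious else "unknown"
    return {"url": url, "host": host, "verdict": verdict, "findings": findings}


def scan_message(text: str) -> list:
    """Run check_url over every URL found in a message body."""
    return [check_url(u.rstrip(".,;:")) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed phishing lure for demonstration; not a real message.
    sample = ("Your Zoom meeting was rescheduled. Sign in at https://zoom.us/j/1234 "
              "or update your password at http://hhs.gov.secure-login.net/reset, "
              "then confirm at https://examp1e.com/verify.")
    for result in scan_message(sample):
        print(result["verdict"], result["host"], result["findings"])
```

A "known-good" verdict only means the registrable domain is on the allowlist; it says nothing about the path or the page behind it. "unknown" is the expected result for most legitimate third-party links, so the script is a filter that surfaces the obvious lookalikes for a human, not a replacement for the verification steps above.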

After an Attack

(Continued in: UK and US Issue Joint Cybersecurity Alert Concerning Explosion of COVID-19 Phishing Attacks)

On April 3, the Office for Civil Rights (OCR) issued an alert to covered entities and business associates. One or more individuals are posing as OCR investigators and contacting HIPAA covered entities and business associates in an attempt to obtain protected health information (PHI). The caller identifies as an OCR investigator by telephone but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation. In this environment, with many healthcare providers stretched to their limits dealing with COVID-19, workforce members may be distracted, fail to follow normal protocols, and simply comply with the request.

Verification should be a regular step, second-nature, in the process of making disclosures of PHI. The basic rule at 45 CFR 164.514(h) provides that, in general

Prior to any disclosure permitted by this subpart, a covered entity must:

(i) … verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and

(ii) Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this subpart.

OCR recommends that HIPAA covered entities and business associates alert their workforce members to these potential scams and remind them of the basic verification requirement. They should also provide some easy-to-follow tips for verification, such as:

  • Do not provide any PHI based solely on a telephone request until the request has been verified.
  • Ask for the name and transaction number of the matter the caller is calling about.
  • Ask the caller for his or her email address; a genuine OCR address ends in @hhs.gov. Treat this as a necessary check, not a sufficient one: a caller can claim any address, and sender addresses can be spoofed.
  • Ask the caller’s name, title, and which OCR office they are calling from.
  • Ask for an email from the OCR investigator confirming the nature and scope of the request.
  • Ask the caller whether he or she has communicated with anyone else at the organization about the matter.
  • Ask for a copy of any prior written request(s) for the information; there usually is one.
  • Remind workforce members about best practices for responding to phishing and spoofing attacks.

Covered entities and business associates might also centralize the function of responding to such requests to one person, a small group of workforce members, or a third party. Typically, that person, group, or third party is better trained to follow these and other best practices for verification.

Organizations with additional questions or concerns, or that may be questioning a particular inquiry, could reach out to the OCR at: OCRMail@hhs.gov. The OCR also reminded covered entities about other COVID schemes and that suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI) at www.ic3.gov.

The Office for Civil Rights (OCR) has been moving swiftly to provide guidance on addressing key regulatory issues to aid in the fight to contain and defeat COVID-19. Some of the latest developments include exercising its enforcement discretion on certain good faith disclosures of protected health information (PHI) by business associates, adding FAQs for telehealth providers, and a resource page on its website for COVID-19 issues.

A common thread through all of the federal and state governmental briefings on COVID-19 is that understanding the spread; managing healthcare personnel, equipment, and personal protective equipment (PPE); and allocating other necessary resources requires data. Roger Severino, OCR Director, recognized the need for “quick access to COVID-19 related health data to fight this pandemic.” Because business associates face limitations on the circumstances under which critical data can be used and disclosed, despite the critical role they often play in storing and analyzing data, “[g]ranting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives,” Severino added.

The HIPAA Privacy Rule already permits covered entities to provide the kind of data that is needed; however, current regulations allow a HIPAA business associate to use and disclose PHI for public health and health oversight purposes only if expressly permitted by its business associate agreement (BAA) with a HIPAA covered entity. It is common for business associate agreements to be drafted very narrowly, permitting only specified uses and disclosures. Thus, when federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from HIPAA business associates (i.e., a disclosure of PHI), or requested that business associates perform public health data analytics on such PHI (i.e., a use of PHI by the business associate) for the purpose of ensuring the health and safety of the public during the COVID-19 national emergency, some HIPAA business associates have been unable to participate in these efforts in a timely way because their BAAs do not expressly permit them to make such uses and disclosures of PHI.

To address this issue, OCR announced that it will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.

Specifically, the announcement provides that OCR will not impose penalties against a business associate or covered entity under certain Privacy Rule provisions if, and only if:

  • the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities (see 45 CFR 164.512(b)), or health oversight activities (see 45 CFR 164.512(d)); and
  • the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

The OCR provides examples of good faith uses or disclosures, such as disclosures to:

  • the Centers for Disease Control and Prevention (CDC), or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, consistent with 45 CFR 164.512(b).
  • the Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).

It is important to note that while the OCR’s announcement provides some relief under HIPAA, it does not extend to other requirements or prohibitions under the Privacy Rule, or to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. This announcement also does not address other federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information. Thus, business associates still need to be careful when using and disclosing PHI in these circumstances, although this announcement provides some welcomed relief and should aid the efforts to fight COVID-19.

Stopping the spread of coronavirus is critical to overcoming the COVID-19 pandemic. As testing is ramping up around the country, some states and localities have imposed health screening requirements in an effort to identify persons at risk of being infected and stopping them from infecting others. Whether mandatory or recommended, screening employees and visitors could play an important role in curbing the spread of COVID-19. However, developing and implementing a screening program raises a range of issues organizations need to think through carefully.

Below are some examples of screening program mandates/recommendation around the country:

  • Iowa. On March 26, 2020, Governor Kimberly Reynolds mandated that until April 16, 2020, all hospitals, nursing facilities, intermediate care facilities, residential care facilities, hospice programs, and assisted living facilities must screen all staff at the beginning of their shift for fever or respiratory symptoms (shortness of breath, new or changing cough, or sore throat), and take employees’ temperature.
  • Ionia County, MI. On March 23, 2020, the County’s Health Officer mandated that all persons providing childcare services for compensation must develop and implement a daily screening program for all staff, children, parents, and other visitors entering the facility. The program must include screening for symptoms of a respiratory infection, such as temperature of 100.4 degrees or higher, severe cough, and/or shortness of breath.
  • Delaware. On March 22, 2020, Governor John Carney and the Delaware Division of Public Health strongly recommended that all employers screen employee temperatures each day before work, and those with a temperature of 99.5 degrees or more be sent home. Employers also should require employees to complete a basic questionnaire addressing other symptoms of COVID-19.
  • Ohio. Governor Mike DeWine issued a similar recommendation on March 19, 2020, suggesting that employees be sent home with a fever at or above 100.4 degrees.

Setting up such a screening program requires careful planning. Below are some key steps organizations should consider.

  • Identify a Program Leader. With state and local guidance changing rapidly, the leader needs to be informed and practical, as well as sensitive to concerns about confidentiality.
  • Understand Applicable Mandates and Recommendations. Organizations need to develop and implement their programs based on applicable guidance. This can be challenging considering the various federal, state, and local agencies that could issue screening guidelines. Our COVID-19 team has been tracking these and other laws and guidance here.
  • Develop a Plan. Where possible, the program leader should work with appropriate persons in the organization, e.g., legal and HR, to outline the program in writing. The program should include components such as:
    • Designating responsibility. In addition to designating who is responsible for the program as a whole, responsibility for conducting the screening (third party or other employees), maintaining records, addressing disputes about the program, handling requests for information concerning the screenings, etc. also should be made clear.
    • Identifying who is subject to screening. Persons subject to screening might include applicants, employees, contractors, and/or visitors. Note that employers with employees represented by a union may need to bargain and obtain union agreement before implementing the program, particularly if the state or locality is making only a recommendation and not a mandate.
    • Establish procedures for administering the screening. The program needs to set forth the logistics of the screening process. If possible, consult with an available health care professional while doing so. These logistics include where the screening can be conducted, the best time of day to conduct it, how to position the persons to be screened in order to maintain distancing, obtaining notice/consent (if required), requiring the use of personal protective equipment (PPE), identifying equipment to use when taking temperatures, determining the information to collect in questionnaires, who should receive the results of the screening, and other procedural steps. Determining who will conduct the screening also is an important consideration. Whether the person(s) who administer the screenings are employees of the organization or a third party, consider having an appropriate agreement in place to confirm confidentiality and security of information, among other things.
    • Plans for persons who refuse the screening. The organization needs to be ready to deal with individuals who refuse the screening. For applicants and employees, the HR department should be involved and prepared. For customers or visitors, the organization should ensure customer relations or similar personnel are ready. In either case, the program should try to anticipate concerns that may be raised, such as confidentiality, logistics of data collection, and securing the data.
    • Arrange for confidential and secure collection, storage, and, if necessary, transmission of screening data. For employee medical information, the Americans with Disabilities Act requires that confidentiality be maintained. Additionally, numerous state data breach notification laws generally require notification if an individual’s medical information is accessed or acquired by an unauthorized person. While the EEOC and California have softened their positions on the kinds of medical-related questions employers may ask employees, appropriate safeguards should be in place to protect individually identifiable medical information collected as part of a screening program. These safeguards should include clear guidelines on the circumstances under which such information may be disclosed.
    • Training on program requirements. If applicable, the organization should provide those employees responsible for administering the program a reasonable opportunity to understand the program requirements and get their questions answered. This includes making sure employees understand how to use any equipment required during the screening, such as a particular thermometer, and completing screening questionnaires. Persons conducting the screening also should have a clear understanding when screening results will require them to prohibit a screened individual from entering the facility.
  • Communicate. Developments concerning COVID-19 and government reactions happen fast, but organizations should try to provide as much notice as possible to those who would be subject to the screening. Organizations also should not ignore communicating with those found to have COVID-19 symptoms. Having information available to inform such individuals about best practices for self-quarantine and other measures to prevent further spread can be very helpful.

As COVID-19 spreads, more state and local governments may require or recommend organizations conduct coronavirus screening at their facilities. Organizations also may decide to proactively establish such a program. In either case, the program should be carefully considered and implemented.

With first responders on the front lines of helping to fight the coronavirus, sharing information about potential exposure to COVID-19 is critical to protecting them and preventing further spread. In these situations, the information shared is most often “protected health information” (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. To help clarify when PHI can be shared in these circumstances, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued guidance relating to sharing PHI about individuals who have been infected with or exposed to COVID-19 with law enforcement, paramedics, other first responders, and public health authorities.

The idea is to make clear when PHI can be given to first responders and others so they can take extra precautions or use personal protective equipment (PPE), and to remind covered entities to follow the “minimum necessary” rule in the process.

According to the guidance, the HIPAA Privacy Rule permits a covered entity to disclose PHI of an individual who has been infected with, or exposed to, COVID-19 to law enforcement, paramedics, other first responders, and public health authorities without the individual’s HIPAA authorization, in certain circumstances, including the following:

  • To provide treatment. For example, a nurse in a skilled nursing facility can alert emergency medical transport personnel that the individual they are transporting to a hospital’s emergency department has COVID-19.
  • When required by law. An example is a hospital making a disclosure of positive COVID status pursuant to a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials.
  • When first responders may be at risk for an infection. Covered entities authorized by law to notify persons as necessary in the conduct of a public health intervention or investigation may inform first responders who may be at risk of infection. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. Similarly, a covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis. The EMS dispatch would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use PPE.
  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. For example, a covered entity may, consistent with applicable law and standards of ethical conduct, disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.

These are just some of the examples in which PHI about an individual’s COVID-19 infection can be shared with first responders. The primary authority for these exceptions to the general rule of nondisclosure without an authorization is for treatment disclosures (45 CFR 164.502(a)(1)(ii) and 164.506), disclosures required by law (45 CFR 164.512(a)), and other purposes (45 CFR 164.512). Note, however, that unless the disclosure is required by law, for treatment purposes, or for certain other purposes, the covered entity must make reasonable efforts to limit the information used or disclosed to the “minimum necessary” to accomplish the purpose of the disclosure.

Remember also that state laws may be more stringent than HIPAA concerning uses and disclosures of PHI. Thus, covered entities should consult other applicable laws (e.g., state and local statutes and regulations) in their jurisdiction prior to using or making disclosures of individuals’ PHI, as such laws may place further restrictions on disclosures that would otherwise be permitted by HIPAA.

On March 19, 2020, the Equal Employment Opportunity Commission updated its 2009 pandemic preparedness guidance: Pandemic Preparedness in the Workplace and the Americans with Disabilities Act. It includes the following note:

The EEOC is updating this 2009 publication to address its application to coronavirus disease 2019 (COVID-19).  Employers and employees should follow guidance from the Centers for Disease Control and Prevention (CDC) as well as state/local public health authorities on how best to slow the spread of this disease and protect workers, customers, clients, and the general public.  The ADA and the Rehabilitation Act do not interfere with employers following advice from the CDC and other public health authorities on appropriate steps to take relating to the workplace.  This update retains the principles from the 2009 document but incorporates new information to respond to current employer questions.   

Many employers are struggling with questions such as:

  • If we follow CDC or state/local public health authorities, can we still violate the ADA?
  • Can we take our employees’ temperatures?
  • Does someone with COVID-19 symptoms in the workplace pose a direct threat?
  • May we screen applicants for COVID-19?

These and other questions are addressed in the guidance. However, as discussed here, there still may be other issues to consider, such as state and local privacy laws.

We paste below some of the key clarifications in the EEOC’s update:

Does someone with COVID-19 symptoms in the workplace pose a direct threat?

Based on guidance of the CDC and public health authorities as of March 2020, the COVID-19 pandemic meets the direct threat standard.  The CDC and public health authorities have acknowledged community spread of COVID-19 in the United States and have issued precautions to slow the spread, such as significant restrictions on public gatherings.  In addition, numerous state and local authorities have issued closure orders for businesses, entertainment and sport venues, and schools in order to avoid bringing people together in close quarters due to the risk of contagion.  These facts manifestly support a finding that a significant risk of substantial harm would be posed by having someone with COVID-19, or symptoms of it, present in the workplace at the current time.  At such time as the CDC and state/local public health authorities revise their assessment of the spread and severity of COVID-19, that could affect whether a direct threat still exists.

During a pandemic, may an ADA-covered employer take its employees’ temperatures to determine whether they have a fever?

Generally, measuring an employee’s body temperature is a medical examination. If pandemic influenza symptoms become more severe than the seasonal flu or the H1N1 virus in the spring/summer of 2009, or if pandemic influenza becomes widespread in the community as assessed by state or local health authorities or the CDC, then employers may measure employees’ body temperature.

However, employers should be aware that some people with influenza, including the 2009 H1N1 virus or COVID-19, do not have a fever.

Because the CDC and state/local health authorities have acknowledged community spread of COVID-19 and issued attendant precautions as of March 2020, employers may measure employees’ body temperature. As with all medical information, the fact that an employee had a fever or other symptoms would be subject to ADA confidentiality requirements.

If an employer is hiring, may it screen applicants for symptoms of COVID-19?

Yes. An employer may screen job applicants for symptoms of COVID-19 after making a conditional job offer, as long as it does so for all entering employees in the same type of job. This ADA rule allowing post-offer (but not pre-offer) medical inquiries and exams applies to all applicants, whether or not the applicant has a disability.

May an employer take an applicant’s temperature as part of a post-offer, pre-employment medical exam?

Yes.  Any medical exams are permitted after an employer has made a conditional offer of employment.  However, employers should be aware that some people with COVID-19 do not have a fever.

May an employer delay the start date of an applicant who has COVID-19 or symptoms associated with it?

Yes.  According to current CDC guidance, an individual who has COVID-19 or symptoms associated with it should not be in the workplace.

CDC has issued guidance applicable to all workplaces generally, but also has issued more specific guidance for particular types of workplaces (e.g. health care employees). Guidance from public health authorities is likely to change as the COVID-19 pandemic evolves.  Therefore, employers should continue to follow the most current information on maintaining workplace safety.   To repeat:  the ADA does not interfere with employers following recommendations of the CDC or public health authorities, and employers should feel free to do so.

May an employer withdraw a job offer when it needs the applicant to start immediately but the individual has COVID-19 or symptoms of it?

Based on current CDC guidance, this individual cannot safely enter the workplace, and therefore the employer may withdraw the job offer.

During a pandemic, must an employer continue to provide reasonable accommodations for employees with known disabilities that are unrelated to the pandemic, barring undue hardship?

Generally, yes. But, the EEOC clarifies:

The rapid spread of COVID-19 has disrupted normal work routines and may have resulted in unexpected or increased requests for reasonable accommodation.  Although employers and employees should address these requests as soon as possible, the extraordinary circumstances of the COVID-19 pandemic may result in delay in discussing requests and in providing accommodation where warranted.  Employers and employees are encouraged to use interim solutions to enable employees to keep working as much as possible.

This is helpful guidance and provides some clarity, but employers will still need to assess their situations locally, weighing various factors when making these critical decisions.

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) wants to make it easier for individuals to reach a healthcare provider, including those most at risk (older persons and persons with disabilities). Effective immediately, during the COVID-19 nationwide public health emergency, OCR announced it will exercise enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth.

In short, covered health care providers subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communications technologies, some of which may not fully comply with the requirements of the HIPAA Rules, without the threat of enforcement.

A couple of key points about this announcement:

  • Covered health care providers that want to use audio or video communication technology to provide telehealth in good faith to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.
  • The announcement applies to telehealth provided for any reason, not just services related to the diagnosis and treatment of health conditions related to COVID-19.

For example, in the exercise of their professional judgment, a covered health care provider may request to examine a patient exhibiting COVID-19 symptoms using a video chat application connecting the provider’s or patient’s phone or desktop computer, in order to assess a greater number of patients while limiting the risk of infection to other persons who would be exposed by an in-person consultation. The provider may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth.

However, OCR advises providers to take some precautions:

  • Notify patients that these third-party applications potentially introduce privacy risks.
  • Enable all available encryption and privacy modes when using such applications.
  • Do not use public-facing video communication applications, such as Facebook Live, Twitch, TikTok, and similar services, in the provision of telehealth.
  • Where applicable, use technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. OCR listed some vendors that represent that they provide HIPAA-compliant video communication and that will enter into a HIPAA BAA (Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet), but has not endorsed any of these vendors or their BAAs.

The OCR’s guidance extends to BAAs in this context. It will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors relating to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.

This is welcomed news and should help facilitate the availability of care, particularly to those most at risk.

As the coronavirus spreads across the globe and in the United States, providers, businesses, employers, and others are struggling to understand what medical information they can collect and what information they can share. These are difficult questions the answers to which involve considering factors such as long-standing compliance requirements (e.g., HIPAA, ADA, GINA, state law), the unprecedented times we are in, business risk, and common sense. Government is trying to act to relieve some of these challenges, but questions still remain.

HIPAA Privacy Rule Waiver of Penalties and Sanctions

Effective March 15, 2020, for example, Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar (Secretary) waived certain penalties and sanctions under the HIPAA Privacy Rule against hospitals in HHS’s March 2020 COVID-19 and HIPAA Bulletin. These waivers were issued in response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and the Secretary’s earlier declaration of a public health emergency on January 31, 2020. The Secretary’s guidance makes clear that the Privacy Rule is not suspended during this crisis and provides guidance about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel. But the Secretary has waived sanctions and penalties against covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).

The waiver became effective on March 15, 2020, and there is more information and access to resources in the Bulletin about where it applies and for how long.

Reminder About What Entities Are Covered Entities and Business Associates

As part of its guidance on HIPAA privacy and disclosures in emergency situations, the Bulletin reminds readers what entities are covered by these rules – covered entities and business associates. There can be some tricky questions here, but these are the basic rules from the Bulletin:

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Covered entities are health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan. Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired). There may be other state or federal rules that apply.

Employers are Not Covered Entities or Business Associates – But Still Have Privacy and Confidentiality Obligations

When conducting its business, an organization can be a HIPAA covered entity and/or a business associate. However, when that business is functioning as an employer, it is neither a HIPAA covered entity nor a business associate, although it may sponsor a covered health plan subject to the HIPAA privacy and security rules. As organizations face the coronavirus threat to their workforce and their business, many questions arise about the collection, processing, and disclosure of medical information from employees, their family members, and visitors to their facilities. These can be thorny questions and organizations should seek qualified counsel, but here are some general rules:

When may an ADA-covered employer take the body temperature of employees during the COVID-19 pandemic?

The debate over working from home continues, reaching a high point in 2013 when Marissa Mayer, then CEO of Yahoo, sought to curb the practice. However, as the Coronavirus continues to spread across the U.S., more companies are instructing their employees to work from home as a social distancing technique to help contain the spread and remain productive. No doubt advances in technology and widespread availability of broadband access have made it possible for many to carry out their employment duties from anywhere.

But, of course, remote work is not available for everyone. Restaurant workers, retail store employees, delivery drivers, and other occupations cannot telecommute. However, when work can be performed from home, there are a range of issues for businesses to consider as the workplace expands.

By no means an exhaustive list of all of the issues that may arise, here are some items to consider when implementing a work-from-home policy.

  • Making the decision
    • Review existing resources, applicable policies, and customer/client agreements to determine if remote work is feasible, prudent, and contractually permissible.
    • Have a plan for resources, communications, expense reimbursement, etc.
    • Review insurance policies (e.g., employee benefits, workers compensation, cyber, etc.) to ensure coverage.
    • Stay on top of developments as plans may need to be changed.
  • Confirm the IT infrastructure can support remote work.
    • Be ready to address systems and equipment needs of employees who may not be set up to work from home.
    • Beef up staffing, including help desk capacity to support workers not used to remote work.
    • Ensure data privacy and security (see below).
  • Communicate clearly and consistently.
    • Ensure critical lines of communication between management are open.
    • In the course of developing communications to employees, examine existing policies closely, such as confidentiality, written information security programs, business continuity, bring your own device (BYOD), etc. Companies without these policies or a comprehensive telework policy, should consider putting them in place. In general, all existing company policies should apply whether an employee is working at the office or at home.
    • A localized approach may be warranted based on local conditions. But, be sure managers are on the same page to avoid inconsistent application of policy.
    • Provide employees system access instructions and where to go for help.
    • Outline best practices for maintaining a safe “workspace.”
    • Be understanding and solution-oriented.
  • Ensure data privacy and security.
    • Implement the work-from-home arrangement consistent with the company’s written information security program to ensure the access, transmission, and storage of confidential business and personal information is safeguarded. Some key safeguards include:
      • Permit access only through VPN or similar connection.
      • Require two-factor authentication.
      • Supply employees with secure laptops.
    • Communicate critical reminders for employees, such as
      • Elements of confidential business and personal information that warrant protection.
      • Minimum necessary rule – basically, only use confidential and personal information as needed to complete the employee’s assigned tasks.
      • Being aware of phishing attacks, which are a particular concern now as threat actors are using the coronavirus as part of their attacks.
      • Knowing where to report a data incident.
      • Following instructions for system updates and security patches.
      • Saving company data only on the network, and not personal devices.
      • Not permitting others to access the company’s systems, including the personal device that has access to the company’s systems.
      • Setting devices to lock automatically for periods of nonuse.
      • Avoiding printing sensitive corporate materials unless the reason to do so outweighs the risk.
      • Not sending sensitive corporate data to personal email or cloud accounts.
  • Obtain employees’ agreement to conditions for remote work. Items to cover in the agreement might include:
    • Continuing requirement to complete work assignments.
    • Maintaining availability during normal business hours.
    • Adherence to the company’s data privacy, security, and confidentiality policies.
    • Maintaining safe conditions and safety habits at the home office as established at company facilities.
    • Ensuring all work time is recorded.
  • Consider tax issues associated with employees working from home, including those working out of state, and reimbursement of the equipment and service costs employees incur to perform their work duties.

Jackson Lewis attorneys from multiple practices and industries are actively assisting businesses on the rapidly evolving Coronavirus/COVID-19 workplace health challenge. We are closely monitoring and updating our information as the situation continues to evolve. Below are some additional important resources to help answer some of the most common questions: