As they work to combat the surging COVID-19 virus, healthcare providers recently were reminded by legislators and regulators of the importance of data security and privacy protections.

On the data security front, U.S. Senators Richard Blumenthal, Tom Cotton, David Perdue, and Mark Warner recently wrote to the Director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency (“CISA”) and the commanding general of the U.S. Cyber Command to express their “profound concerns” that healthcare providers are “facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic,” which “pose an alarming risk of disrupting or undermining our public health response at this time of crisis.” The Senators urged CISA and the Cyber Command to issue guidance and provide technical resources to deter these threats.

Beyond their general call for action, the Senators offered specific measures CISA and the Cyber Command should adopt to protect healthcare providers’ data security:

  1. Provide private and public cyber threat intelligence information, such as indicators of compromise (IOCs), on attacks against the healthcare, public health, and research sectors, including malware and ransomware.
  2. Coordinate with the Department of Health and Human Services, the Federal Trade Commission, and the Federal Bureau of Investigation on efforts to increase public awareness on cyberespionage, cybercrime, and disinformation targeting employees and consumers, especially as increased telework poses new risks to companies.
  3. Provide threat assessments, resources, and additional guidance to the National Guard Bureau to ensure that personnel supporting state public health departments and other local emergency management agencies are prepared to defend critical infrastructure from cybersecurity breaches.
  4. Convene and consult partners in the healthcare, public health, and research sectors, including its government and private healthcare councils, on what resources and information are needed to reinforce efforts to defend healthcare IT systems, such as vulnerability detection tools and threat hunting.
  5. Consider issuing public statements regarding hacking operations and disinformation related to the coronavirus for public awareness and to put adversaries on notice, similar to the joint statement on election inference issued on March 2nd.
  6. Evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

On the heels of this call for action on data security, the Office for Civil Rights (“OCR”) at the U.S Department of Health and Human Services issued additional guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information will be accessible without the patients’ prior authorization. In this guidance, the OCR reiterated that “it is not sufficient for a covered health care provider to require the media to mask patients’ identities when airing recorded video (such as by blurring, pixelation, or voice alteration), after the fact. Prior, express authorization from the patient is always required.” While this guidance does not break new ground, it serves as a timely reminder as newscasts focus daily on the efforts of healthcare providers to treat COVID-19 patients.

These are difficult times for healthcare providers, but even as they tackle the clinical demands of the COVID-19 pandemic, the developments discussed above demonstrate the importance of continuing to be vigilant in the enforcement of data security and privacy policies.

For more on recent privacy and cybersecurity updates for healthcare providers, check out some of our past blog posts:

The United States Supreme Court recently granted a petition for certiorari in Van Buren v. United States addressing the issue of whether it is a violation of the Computer Fraud and Abuse Act (“CFAA”) when an individual who is authorized to access information on a computer, accesses the same information for an improper purpose. The Supreme Court will have a chance to resolve the long-standing circuit split regarding the scope of the CFAA. Some circuits (the 2nd, 4th and 9th) take a narrow view of the CFAA, allowing claims against employees who lacked any authorization to access information stored on computers, but not allowing claims against employees who were permitted access and misused that access for allegedly improper purposes. Other circuits (the 1st, 5th, 7th, and 11th) permit CFAA claims against employees for misusing information stored on the computer even though they otherwise were authorized to access such material.

Jackson Lewis’s Privacy, Data and Cybersecurity practice group, in conjunction with the Non-Competes and Protection Against Unfair Competition practice group, published an article on the Jackson Lewis website, explaining the Van Buren case and its potential impact.

Regardless of how the Supreme Court rules in Van Buren, employers should consider reviewing and clarifying their policies concerning which employees have access to what data, particularly in light of the spike in remote work.  We will monitor the Van Buren case and provide updates.

 

Maintain High Service Levels to Support for Work From HomeJust over a month ago, we provided a high-level checklist to help organizations think about critical issues as employees begin working from home to reduce the spread of COVID19. Consistent with “shelter-in-place”/”stay at home” orders, millions of workers that can are now working from home. However, out of sight is not out mind as many organizations want to be sure these workers remain productive. Periodic office visits to chat are not an option right now, but spyware and keylogging technologies are. Some employers are considering these technologies as they balance employee privacy with the need to manage their team and monitor productivity.

Distractions are easy to come by these days – the daily Gov. Cuomo briefing, kids also “working” from home, the latest firetruck birthday party, and the status of toilet paper deliveries.  For many workers, the idea of telecommuting itself is a distraction as they simply are not used to it on a regular basis. These and other distractions raise employers’ suspicion that workers are not being productive or as productive as they could be. But, productivity may not be the employer’s only goal. Protecting trade secrets, avoiding data breaches, finding ways to make remote work easier, and generally dissuading improper behavior are just some of the other drivers for increasing surveillance on remote workers.

Excessive, clumsy, or improper employee monitoring, however, can cause significant morale problems and, worse, create potential legal liability for privacy-related violations of statutory and common law protections. Advancements in technology have made it easier to monitor remote employees, and by extension easier to violate the law for employers that are not careful.

Spyware and keylogging are technologies that have been around for some time and can be attractive options for employers. In general, spyware is software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive. This information could include screenshots from the other user’s computer. Screenshots could include, for example, text of “private” messages the employee believes she is sending to a social media friend. “Keyloggers” can be devices but are most often software designed to monitor and log all keystrokes. Like spyware, keylogging can covertly track a user’s keystrokes and obtain in the process private account credentials or confidential communications, and transfer that information to another computer.

This level of surveillance raises a number of legal and employee relations risks. Here are just a few.

  • California Consumer Protection Act (CCPA). Effective January 1, 2020, the CCPA currently applies to personal information of employees, at least until December 31, 2020. It requires that employees be provided a “notice at collection” – this is, a notice describing the categories of personal information (including network activity) that the company collects and the purposes that information is used. Businesses subject to the CCPA will need to be sure that this surveillance activity is appropriately covered in notices of collection for employees who reside in California.
  • State Social Media Password Protection Laws. Over 25 states have laws that prohibit employers from requesting or requiring employees to provide credentials to their online personal accounts. Deploying spyware or keylogging technologies arguably are not requests or requirements in the general sense. However, employers should consider how these laws may be interpreted and shape their approach accordingly.
  • Stored Communications Act. Accessing personal social media communications or other personal online account communications may run up against protections under the Stored Communications Act.
  • Taking action based on information obtained though the surveillance
    • Credit protection laws. Several states, such as California, Maryland, Nevada, have laws prohibiting employment discrimination on the basis of poor credit or payment histories. These laws were passed in reaction to the great recession and likely have increased relevance again today as more than 20 million workers have filed for unemployment.
    • Genetic Information Nondiscrimination Act (GINA). Learning about an employee’s family member suffering from a debilitating health condition or a contagious disease through spyware could raise issues under GINA. EEOC regulations except obtaining this genetic information through inadvertence, but if it was reasonably likely that such data would be collected or if the recipient continues to examine it or look for related information there is risk of a violation. Thus, just the collection of such information could be problematic under GINA, as well as using it for a discriminatory purpose.
    • ADA/State Protections for Medical Information. A similar analysis applies for medical information obtained through monitoring. However, the regulations are less specific under the ADA compared to GINA.
    • Safeguarding the Information Collected. A growing number of states have stringent requirements to maintain reasonable safeguards to protect personal information. The definition of personal information is not limited to SSNs. Medical information, online account credentials, credit card numbers, dates of birth all can be captured and stored using spyware, keylogging, and other surveillance tools.

What can organizations do?

  • Understand the technology. Organizations should avoid having their IT departments deploy these technologies without a careful review, one that involves appropriate persons outside the IT department. Input from HR and the Legal Department can be invaluable for minimizing legal risk and maintaining good employee relations and trust.
  • Acceptable Use and Electronic Communications Policy. When organizations decide to engage in any level of surveillance or search of employees, they should consider what their employees’ expectations are concerning privacy. In general, it is best practice to communicate to employees a well-drafted acceptable use and electronic communication policy that informs employees on what they can expect when using the organization’s systems, whether in the workplace or when working remotely. This includes addressing employees’ expectation of privacy, as well as making clear the information systems and activity that are subject to the policy.
  • Monitoring the monitors. Employees asked to perform monitoring using these technologies can sometimes feel empowered and, believing they are helping the organization, make it easier for them to go too far in their surveillance, creating legal risk. For this reason and others, it is recommended that organizations maintain guidelines for these employees to help make clear boundaries that the organization has determined with counsel to be appropriate, and review compliance with those guidelines from time to time.
  • Be prepared to investigate. Surveillance may uncover nonperformance, irregular activity, malicious insiders, and other problematic activity that the organization needs to address. The time to lay out that process and how to further investigate is not when evidence of the activity is discovered. Organizations should be prepared to react to findings with a comprehensive investigation plan that involves the appropriate persons at the earliest time.

It may be that this high level of remote work will continue for a while, or considering this forced experiment, certain organizations will realize that they can remain very productive in some or all parts of their business while deriving enormous savings from utilizing this new “workplace.” Either way, managing that work will raise new challenges for management. When more advanced monitoring and surveillance tools are deployed, organizations need to plan carefully, have the right team in place, review policies and applicable state and federal law, and be prepared to address problems when they arise.

The Telephone Consumer Protection Act (“TCPA”) generally prohibits the use of automated dialing equipment or prerecorded voice messages to make calls, send text messages, or send faxes absent prior consent of the called party. This includes calls or texts to cellular phone numbers as well as calls to residential lines. There are limited exceptions to the TCPA’s consent requirements, including calls or texts sent for “emergency purposes”, meaning calls or texts made necessary in any situation affecting the health and safety of consumers. On March 20, 2020 the Federal Communications Commission (“FCC”) published a Declaratory Ruling confirming that the COVID-19 pandemic is an “emergency” that qualifies for the TCPA’s “emergency purposes” exception.

FCC History Regarding the TCPA’s “Emergency Purposes” Exception

Since the TCPA’s enactment in 1991, federal courts and the FCC have interpreted the “emergency purposes” exception narrowly, and guidance has been limited. In 2016 the FCC issued a narrow Declaratory Ruling in Blackboard-Edison on the TCPA’s “emergency purposes” exception, highlighting permissible automated calls from schools during “threat situations” affecting the “health and safety of students and faculty”. The FCC also clarified in this ruling that utility companies “may make robocalls and send automated texts to their customers concerning matters closely related to the utility service, such as a service outage or warning about potential service interruptions due to severe weather conditions, because their customers provided consent to receive these calls and texts when they gave their phone numbers to the utility company”. Finally, the FCC noted that the ruling was “tailoring relief to narrow circumstances presented in these petitions…without diluting the TCPA’s core consumer protections”.

FCC’s March 2020 Declaratory Ruling on the COVID-19 Pandemic

Now in its March 2020 Declaratory Ruling, the FCC has again narrowly specified that during the COVID-19 pandemic certain calls and messages qualify for the “emergency purposes” exception under the TCPA. Such calls must meet the following requirements: 1) “the caller must be from a hospital, or be a health care provider, state or local health official, or other government official as well as a person under the express direction of such an organization and acting on its behalf”, and 2) “the content of the call must be solely informational, made necessary because of the COVID-19 outbreak, and directly related to the imminent health or safety risk arising out of the COVID-19 outbreak.”

TCPA “Emergency Purposes” Exception and Workplace Correspondence

First, it is worth noting that while common sense would dictate that an employee’s provision of their telephone number to the employer should be viewed as consent to receive calls/texts (just as discussed above in Blackboard-Edison, where a utility company’s customers consented upon provision of their telephone numbers to the company), the TCPA and FCC guidance is silent on whether workplace correspondence are subject to TCPA liability. In at least one case where a claim has been brought against an employer related to the TCPA, the court dismissed the claim finding that the application’s language “authorizing [the employer] to collect, use….personal information provided for employment-related purposes” was consent.

Assuming, however, that an employer’s automated calls/texts to their employees are subject to the TCPA’s consent requirements, the question arises whether safety-related calls/texts made to an employee would qualify under the “emergency purposes” exception.   While this is unclear, given the two FCC Declaratory Rulings discussed above, there is a strong argument that such calls or texts would be considered as for “emergency purposes” and thus would be exempt from the TCPA’s consent requirement.   This is particularly true as Blackboard-Edison applied the emergency purposes exception not just to students, but also to faculty (employees).

Further in the March 20 Declaratory Ruling the FCC emphasized that “In the Blackboard-Edison Declaratory Ruling, the Commission made clear that automated calls to wireless numbers made necessary by incidents of imminent danger including ‘health risks’ affecting health and safety are made for an emergency purpose and do not require prior express consent to be lawful”. Interestingly, while the March 20 Declaratory Ruling is limited to calls made by hospitals, health care providers or health/government officials, this statement seems to indicate that the FCC intended Blackboard-Edison to apply more broadly.

Finally, the March 20 Declaratory Ruling also provided examples of inappropriate uses of the emergency purposes exception including calls that contain advertising or telemarketing of services like “advertising a commercial grocery delivery service, or selling or promoting health insurance, cleaning services, or home test kits” as well as “debt collection calls”. This sheds some light on when the use of the TCPA’s “emergency purposes” exception is appropriate or not generally, and it would seem that safety-related calls to employees, especially in light of the COVID-19 pandemic, would not fall into the category of inappropriate, based on these examples.

Takeaway

These are uncertain times, and of course, the safety and health of employees is critical. To avoid potential risks of a claim under the TCPA (including class actions), employers looking to implement programs to communicate quickly and timely with employees about health and safety risks, including those posed by COVID-19, should assess the applicability of the emergency purposes exception and/or consider obtaining additional consent.

As the COVID-19 crisis continues, many companies throughout the country have arranged for significant portions of their workforce to work from home. A natural part of that arrangement is conducting videoconferences. With employees working at home in isolation, many seek opportunities to connect with others through a visual medium. Thus, companies are using videoconferencing to conduct business meetings. In other circumstances, employees are using it simply to connect visually with co-workers to catch up on work and life in general. Companies must, however, devote attention to a variety of privacy-related concerns when relying on this technology (as well as other related technologies) that enable expanded work from home opportunities. Recently, we created a work-from-home checklist including a number of relevant privacy issues.

When discussing video conferencing today, there are many options including Google Hangouts, Skype, and WebEx. However, it appears the option gaining the most popularity is Zoom Video Communications.

Last week, a class action lawsuit was commenced in a California federal court against Zoom alleging under the California Consumer Privacy Act and related laws, that it failed to properly safeguard the personal information of its users.

According to the complaint, “upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses, without adequate notice or authorization, this personal information to third parties…invading the privacy of millions of users.” The complaint describes that the Zoom app notifies third-party social media app users “when the user opens the app, details on the user’s device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements.”

The proposed class includes “all persons and businesses in the United States” whose personal information was collected or disclosed to a third party “upon installation or opening” of the Zoom app.”

The complaint acknowledges that on March 27, 2020, Zoom released a new version of the app that purports to no longer send unauthorized personal information of its users to Facebook.

According to a March 27 blog post, Zoom CEO Eric Yuan stated that, “Zoom takes its users’ privacy extremely seriously” and described changes Zoom was making to its software that would take effect when users update to the latest version.

Considering the lightning speed with which this case was brought, companies everywhere should take this opportunity to review its procedures and best practices regarding video conferencing platforms and other technologies in place supporting work from home arrangements. Not only could you avoid a class action lawsuit, but you will also be taking steps to protect the company’s proprietary information as well as any personal identifying information of its employees and customers that you maintain.

In the US, many organizations anxiously awaiting assistance under the CARES Act are becoming the targets of cyberattackers looking to feed off of the massive relief being provided by the US treasury. Yesterday, the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of a substantial increase in these attacks, providing helpful guidance concerning the nature of the attacks and related information.

Specifically, the alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice. The alert notes that the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.

Organizations may not be able to prevent all attacks, but there are steps they could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Here are just a few of those steps.

Before an Attack

  1. Build the right team
  • Ensure you have an IT team in place, whether internal or through a third-party vendor, that is well-versed in emerging threats and prepared to support the organization in the event of an attack.
  1. Secure the systems
  • Conduct a risk assessment and penetration test to understand the potential for exposure to malware.
  • Implement technical measures and policies that can prevent an attack, such as endpoint security, multi-factor authentication, regular updates to virus and malware definitions/protections, intrusion prevention software and web browser protection, and monitor user activity for unauthorized and high risk activities.
  1. Make your employees aware of the risks and steps they must take in case of an attack
  • This is particularly critical now – educate employees on how to recognize phishing attacks and dangerous sites — say it, show them, and do it regularly. This includes instructing them to use caution when clicking directly on links in emails, even if the sender appears to be known — verify web addresses independently.
  • Employees should avoid revealing personal or financial information about themselves,  other employees, customers, and the company in email, including wiring instructions. If they must, they should confirm by phone.
  • Direct employees to pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • Instruct employees on what to do immediately if they believe an attack has occurred (e.g., notify IT, disconnect from network, and other measures) and what not to do (e.g., deleting system files, attempting to restore the system to an earlier date, and the like).
  1. Maintain backups
  • Backup data early and often.
  • Keep backup files disconnected from the network and in separate locations.
  1. Develop and practice an “Incident Response Plan”
  • Identify the internal team (e.g., leadership, IT, general counsel, and HR).
  • Identify the external team (e.g., insurance carrier, outside legal counsel, forensic investigator, and public relations).
  • Outline steps for organizational continuity — using backup files and new equipment, safeguarding systems, and updating employees.
  • Plan to involve law enforcement (e.g., FBI, IRS, Office of Civil Rights, and so on).
  • Plan to identify, assess, and comply with legal and contractual obligations.
  • Practice the response plan with the internal and external teams, reviewing and updating the plan to improve performance.

After an Attack Continue Reading UK and US Issue Joint Cybersecurity Alert Concerning Explosion of COVID-19 Phishing Attacks

On April 3, the Office for Civil Rights (OCR) issued an alert to covered entities and business associates. Evidently, one or more individuals are posing as OCR Investigators and contacting HIPAA covered entities and business associates in an attempt to obtain protected health information (PHI).  The individual identifies on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation. In this environment, with many healthcare providers stretched to their limits dealing with COVID-19, workforce members may be distracted, fail to follow normal protocols, and simply comply with the request.

Verification should be a regular step, second-nature, in the process of making disclosures of PHI. The basic rule at 45 CFR 164.514(h) provides that, in general

Prior to any disclosure permitted by this subpart, a covered entity must:

(i) … verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity; and

(ii) Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this subpart.

OCR recommends HIPAA covered entities and business associates should alert their workforce members of these potential scams, and remind them of the basic verification requirement. They also should provide some easy to follow tips for verification, such as:

  • Do not provide any PHI information based solely on a telephone request until verified.
  • Ask for the name and transaction number for the matter the caller is calling about.
  • Ask for the caller to provide his or her email address, it should end in @hhs.gov.
  • Ask the caller’s name, title, and what OCR office they are calling from.
  • Ask for an email from the OCR investigator confirming the nature and scope of the request.
  • Ask the caller if he or she has communicated with anyone else at the organization about the matter.
  • Ask for a copy of any prior written request(s) for the information, there usually is one.
  • Remind workforce members about best practices for responding to phishing and spoofing attacks.

Covered entities and business associates might also centralize the function of responding to such requests to one person, a small group of workforce members, or a third party. Typically, that person, group, or third party is better trained to follow these and other best practices for verification.

Organizations with additional questions or concerns, or that may be questioning a particular inquiry, could reach out to the OCR at: OCRMail@hhs.gov. The OCR also reminded covered entities about other COVID schemes and that suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI) at www.ic3.gov.

The Office for Civil Rights (OCR) has been moving swiftly to provide guidance on addressing key regulatory issues to aid in the fight to contain and defeat COVID-19. Some of the latest developments include exercising its enforcement discretion on certain good faith disclosures of protected health information (PHI) by business associates, adding FAQs for telehealth providers, and a resource page on its website for COVID-19 issues.

A common thread through all of the federal and state governmental briefings on the COVID-19 is that understanding the spread; managing healthcare personnel, equipment, and personal protective equipment (PPE); and other necessary resources requires data. Roger Severino, OCR Director, recognized the need for “quick access to COVID-19 related health data to fight this pandemic.” Because business associates have limitations on the circumstances under which critical data can be used and disclosed, despite the critical role they often play in storing and analyzing data, “[g]ranting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives,” Severino added.

The HIPAA Privacy Rule already permits covered entities to provide the kind of data that is needed, however, current regulations allow a HIPAA business associate to use and disclose PHI for public health and health oversight purposes only if expressly permitted by its business associate agreement with a HIPAA covered entity. It is common for business associate agreements to be drafted very narrowly, permitting only specified uses and disclosure. Thus, when federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers have requested PHI from HIPAA business associates (i.e., a disclosure of PHI), or requested that business associates perform public health data analytics on such PHI (i.e., a use of PHI by the business associate) for the purpose of ensuring the health and safety of the public during the COVID-19 national emergency, some HIPAA business associates have been unable to timely participate in these efforts because their BAAs do not expressly permit them to make such uses and disclosures of PHI.

To address this issue, OCR announced that it will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.

Specifically, the announcement provides that OCR will not impose penalties against a business associate or covered entity under certain Privacy Rule provisions if, and only if:

  • the business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities (see 45 CFR 164.512(b)), or health oversight activities (see 45 CFR 164.512(d)); and
  • the business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

The OCR provides examples of good faith uses or disclosures:

  • the Centers for Disease Control and Prevention (CDC), or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, consistent with 45 CFR 164.512(b).
  • the Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).

It is important to note that while the OCR’s announcement provides some relief under HIPAA, it does not extend to other requirements or prohibitions under the Privacy Rule, or to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. This announcement also does not address other federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information. Thus, business associates still need to be careful when using and disclosing PHI in these circumstances, although this announcement provides some welcomed relief and should aid the efforts to fight COVID-19.

Stopping the spread of coronavirus is critical to overcoming the COVID-19 pandemic. As testing is ramping up around the country, some states and localities have imposed health screening requirements in an effort to identify persons at risk of being infected and stopping them from infecting others. Whether mandatory or recommended, screening employees and visitors could play an important role in curbing the spread of COVID-19. However, developing and implementing a screening program raises a range of issues organizations need to think through carefully.

Below are some examples of screening program mandates/recommendation around the country:

  • Iowa. On March 26, 2020, Governor Kimberly Reynolds mandated that until April 16, 2020, all hospitals, nursing facilities, intermediate care facilities, residential care facilities, hospice programs, and assisted living facilities must screen all staff at the beginning of their shift for fever or respiratory symptoms, absence or shortness of breath, new or changing cough, or sore throat, and take employees’ temperature.
  • Ionia County, MI. On March 23, 2020, the County’s Health Officer mandated that all persons providing childcare services for compensation must develop and implement a daily screening program for all staff, children, parents, and other visitors entering the facility. The program must include screening for symptoms of a respiratory infection, such as temperature of 100.4 degrees or higher, severe cough, and/or shortness of breath.
  • Delaware. On March 22, 2020, Governor John Carney and the Delaware Division of Public Health strongly recommended that all employers screen employee temperatures each day before work, and those with a temperature of 99.5 degrees or more be sent home. Employers also should require employees to complete a basic questionnaire addressing other symptoms of COVID-19.
  • Ohio. Governor Mike DeWine issued a similar recommendation on March 19, 2020, suggesting that employees be sent home with a fever at or above 100.4 degrees.

Setting up such a screening program requires care planning. Below are some key steps organizations should consider.

  • Identify a Program Leader. With state and local guidance changing rapidly, the leader needs to be informed and practical, as well as sensitive to concerns about confidentiality.
  • Understand Applicable Mandates and Recommendations. Organizations need to develop and implement their programs based on applicable guidance. This can be challenging considering the various federal, state, and local agencies that could issue screening guidelines. Our COVID-19 team has been tracking these and other laws and guidance here.
  • Develop a Plan. Where possible, the program leader should work with appropriate persons in the organization, e.g., legal and HR, to outline the program in writing. The program should include components such as:
    • Designating responsibility. In addition to designating who is responsible for the program as a whole, responsibility for conducting the screening (third party or other employees), maintaining records, addressing disputes about the program, handling requests for information concerning the screenings, etc. also should be made clear.
    • Identifying who is subject to screening. Persons subject to screening might include applicants, employees, contractors, and/or visitors. Note that employers with employees represented by a union may need to bargain and obtain union agreement before implementing the program, particularly if the state or locality is making only a recommendation and not a mandate.
    • Establish procedures for administering the screening. The program needs to set forth the logistics of the screening process. If possible, consult with an available health care professional while doing so. These logistics include where the program can be conducted, identifying the best time of day to conduct the screening, how to position the persons to be screened in order to maintain distancing, obtaining notice/consent (if required), requiring the use of personal protection equipment (PPE), identifying equipment to use when taking temperatures, determining the information to collect in questionnaires, who should receive the results of the screening, and other procedural steps. Determining who will conduct the screening also is an important consideration. Whether the person(s) who administer the screenings are employees of the organization or a third party, consider having an appropriate agreement in place to confirm confidentiality and security of information, among other things.
    • Plans for persons who refuse the screening. The organization needs to be ready to deal with individuals who refuse the screening. For applicants and employees, the HR department should be involved and prepared. For customers or visitors, the organization should ensure customer relations or similar personal are ready. In either case, the program should try to anticipate concerns that may be raised such as confidentiality, logistics of data collection, and securing the data.
    • Arrange for confidential and secure collection, storage, and, if necessary, transmission of screening data. For employee medical information, the Americans with Disability Act requires confidentiality be maintained. Additionally, numerous state data breach notification laws generally require notification if an individual’s medical information is accessed or acquired by an unauthorized person. While the EEOC and California have softened their positions on the kinds medical-related questions employers may ask employees, appropriate safeguards should be in place to protect individually identifiable medical information collected as part of a screening program. These safeguards should include clear guidelines on the circumstances under which such information may be disclosed.
    • Training on program requirements. If applicable, the organization should provide those employees responsible for administering the program a reasonable opportunity to understand the program requirements and get their questions answered. This includes making sure employees understand how to use any equipment required during the screening, such as a particular thermometer, and completing screening questionnaires. Persons conducting the screening also should have a clear understanding when screening results will require them to prohibit a screened individual from entering the facility.
  • Communicate. Developments concerning COVID-19 and government reactions happen fast, but organizations should try to provide as much notice as possible to those who would be subject to the screening. Organizations also should not ignore communicating with those found to have COVID-19 symptoms. Having information available to inform such individuals about best practices for self-quarantine and other measure to prevent further spread can be very helpful.

As COVID-19 spreads, more state and local governments may require or recommend organizations conduct coronavirus screening at their facilities. Organizations also may decide to proactively establish such a program. In either case, the program should be carefully considered and implemented.

With first responders on the front lines of helping to fight the coronavirus, sharing information about potential exposure to COVID-19 is critical to protecting them and preventing further spread. In these situations, the information shared is most often “protected health information” (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. To help clarify when PHI can be shared in these circumstances, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) issued guidance relating to sharing PHI about individuals who have been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities.

The idea is to make clear when PHI can be given to first responders and others so they can take extra precautions or use personal protective equipment (PPE), and to remind covered entities to follow the “minimum necessary” rule in the process.

According to the guidance, the HIPAA Privacy Rule permits a covered entity to disclose PHI of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities without the individual’s HIPAA authorization, in certain circumstances, including the following:

  • To provide treatment. For example, a nurse in a skilled nursing facility can alert emergency medical transport personnel that the individual they are transporting to a hospital’s emergency department has COVID-19.
  • When required by law. An example is a hospital making a disclosure of positive COVID status pursuant to a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials.
  • When first responders may be at risk for an infection. Covered entities authorized by law to notify persons as necessary in the conduct of a public health intervention or investigation may inform first responders who may be at risk of infection. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. Similarly, a covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis. The EMS dispatch would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use PPE.
  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. For example, a covered entity may, consistent with applicable law and standards of ethical conduct, disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.

These are just some of the examples in which PHI about an individual’s COVID-19 infection can be shared with first responders. The primary authority for these exceptions to the general rule of nondisclosure without an authorization is for treatment disclosures (45 CFR 164.502(a)(1)(ii)), legal requirements (45 CFR 164.502(a)(2)), and other purposes (45 CFR 164.512). Note, however, that unless the disclosure is required by law, for treatment purposes, or for certain other purposes, the covered entity must make reasonable efforts to limit the information used or disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure.

Remember also that state laws may be more stringent than HIPAA concerning uses and disclosures of PHI. Thus, covered entities should consult other applicable laws (e.g., state and local statutes and regulations) in their jurisdiction prior to using or making disclosures of individuals’ PHI, as such laws may place further restrictions on disclosures that would otherwise be permitted by HIPAA.