The Department of Health and Human Services, Office of Civil Rights (OCR) recently released guidance and helpful examples illustrating how Covered Entities can comply with HIPAA and the Privacy Rule and still disclose protected health information (PHI) about individuals infected with or exposed to COVID-19 to Essential Providers. Read the full post on our Healthcare Law Insights blog.
On March 20, 2020, OCR released a Frequently Asked Questions list to help further clarify its March 17th Waiver. In the FAQ, OCR clarifies that the waiver not only allows providers to utilize platforms that do not comply with the requirements of the Security Rule (discussed in our original post), but it also applies to the Breach Notification and Privacy Rules that may be implicated when using a less secure platform. OCR also assures providers that if protected health information is intercepted during the “good faith provision of telehealth,” OCR will not pursue otherwise applicable penalties.
Keypoint: Individuals and businesses should take steps to avoid becoming victims of the rapid rise in Coronavirus-related hacking scams.
On March 20, 2020, the FBI issued an alert warning that cyber thieves are actively trying to exploit the Coronavirus pandemic to steal money, commit identity theft, and engage in other hacking-related activity. The Cybersecurity and Infrastructure Security Agency (CISA) issued a similar alert earlier this month.
Keypoint: The California Attorney General’s office does not currently plan to extend the CCPA’s enforcement deadline but left the door open to reconsider its position as the coronavirus crisis unfolds.
As we previously reported, on March 17, 2020, over thirty trade associations, companies, and organizations sent a letter to California Attorney General Becerra requesting that, in light of the coronavirus crisis and unfinished status of the regulations, he “forebear from enforcing the CCPA until January 2, 2021 so businesses are able to build processes that are in line with the final regulations before they may be subject to enforcement actions for allegedly violating the law’s terms.”
Keypoint: The California Attorney General’s office has not addressed whether businesses may delay responding to CCPA requests due to the Coronavirus pandemic; however, businesses can look to the CCPA’s 45-day extension for relief, at least with respect to responding to requests to know and delete.
To state the obvious, businesses subject to the California Consumer Privacy Act (CCPA) may have more urgent matters to handle these days than responding to CCPA consumer requests.
Yet, the California Attorney General’s office – the CCPA’s enforcement arm – has been silent on whether it will take into account these extenuating circumstances when exercising its enforcement authority come July 1. This may be due to the unique circumstance in which the Attorney General finds itself – i.e., stuck between the CCPA’s effective date and enforcement date.
Before the Coronavirus pandemic, the Attorney General publicly stated that CCPA enforcement actions can cover activities between January 1 and July 1 (see here and here). Whether or not that position is ultimately legal, it places businesses in a difficult situation when balancing Coronavirus-related business disruptions and responding to CCPA consumer requests in a timely manner.
On March 17, 2019, the Department of Health and Human Services, Office of Civil Rights (OCR) announced that it will exercise its enforcement discretion and waive potential penalties for HIPAA violations against healthcare providers that see patients through non-public communication applications during the COVID-19 nationwide public health emergency.
Background on Security Requirements for Telemedicine providers
Under what is commonly referred to as the HIPAA “Security Rule,” CMS requires organizations to have certain safeguards in place to protect patients’ health information. These safeguards require organizations to comply with certain minimum technical and organizational requirements. Part of the technical requirements is that organizations must have security measures in place “to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” This requires providers to utilize telehealth platforms that have, at a minimum, certain encryption and integrity controls in place. Furthermore, as an organizational safeguard, the Security Rule requires that telehealth providers enter into Business Associate Agreements with these platforms to ensure the platform will comply with HIPAA and protect patients’ health information.
On Monday, the Chair of the European Data Protection Board (EDPB) issued a statement on the processing of personal data in the context of the COVID-19 outbreak. In that statement, the Chair acknowledged that although the EU General Data Protection Regulation (GDPR) provides broad and comprehensive privacy rights to individuals, it does have mechanisms in place that allow certain data collectors/processors, such as employers, as well as competent public health authorities, to process personal data in the context of epidemics without the need to obtain the consent of the data subject. Articles 6 and 9 of the GDPR, for example, permit the nonconsensual processing of personal data where it is necessary for reasons of public interest in the area of public health or to protect vital interests.
The statement also addressed the fact that additional rules apply to the processing of electronic personal data, such as geolocation data, even during a pandemic. Per national laws implementing the ePrivacy Directive, if a data operator cannot obtain the consent of a data subject to the use of his or her personal geolocation data, the operator should do everything possible to only use the data in an anonymous format (e.g., aggregating location data to get a general sense of how many people are in a given location, with no possibility of reverse tracing that data). If anonymous collection is not possible, a government can invoke Article 15 of the ePrivacy Directive and introduce legislation pursuing national or public security (a pandemic could qualify as either) if it constitutes “a necessary, appropriate and proportionate measure within a democratic society.” If a member state does this, it must provide adequate safeguards, such as allowing a judicial remedy to aggrieved data subjects.
On March 11, 2020, the California Attorney General’s office published a second set of modified proposed CCPA regulations. Members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, March 17, from 12:00-1:00 p.m. CT, to analyze the second set of modified proposed regulations.
Keypoint: For the second year in a row, the Washington Privacy Act has failed to become law.
Yesterday afternoon, on the final day of the Washington legislative session, Senator Reuven Carlyle issued a statement announcing the failure of the Senate and House to reach a compromise on the Washington Privacy Act (WPA) (SB 6281). Senator Carlyle’s statement identified one insurmountable obstacle – enforcement.
Keypoint: This modified draft of proposed regulations retracts some of the modifications as published on February 10 and adds new revisions. There is an additional comment period, which delays publication of final regulations and further shortens the time businesses will have to drive compliance before the July 1, 2020 enforcement date.
On Wednesday, March 11, 2020, the California Attorney General’s office published a notice of second set of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The Attorney General’s office also published redline and clean versions of the second set of modified regulations.
In the post below, we first provide a brief background of the regulatory process. We then discuss the most significant changes made in this latest round of revisions.