FTC Issues Tips for Working from Home During Coronavirus Outbreak

In response to the coronavirus crisis, many companies have mandated that employees work from home in order to assist in slowing the spread of the virus. With more employees working from home, and a wider network to protect, security experts are warning companies to be vigilant with security measures. In addition, it is widely reported that cyber-criminals are taking advantage of the crisis to ramp up cyber-attacks and scams.

The transition from accessing a company’s network from the office—a more secured environment— to one where employees are working from home in less secured environments, makes it difficult for IT professionals to protect company data.

The Federal Trade Commission (FTC) issued tips for consumers on working from home, which are easy to understand and worth reading and sending to employees.

The tips include:

  • Start with cybersecurity basics.
  • Secure your home network.
  • Keep an eye on your laptop.
  • Securely store sensitive files.
  • Dispose of sensitive data in a secure manner.
  • Follow your employer’s security practices.

I would add (this is not an exhaustive list):

  • Patch vulnerabilities when prompted.
  • Continue to use complex passphrases.
  • Use the VPN.
  • Be extra wary of phishing emails and scams as they are ramped up.
  • Be vigilant about clicking on links or attachments.
  • Be cautious when accessing websites.
  • Be wary of emails, links and attachments that reference coronavirus or COVID-19.
  • If you believe you clicked on something you shouldn’t have, call IT. Even though you are working from home, your IT department is there to help you, and it is the job of all employees to protect the company.

Working from home adds risk to companies. Employees must be aware of this fact and be given tools to address the risk.

Privacy Tip #231 – Out of Work Because of Coronavirus? Beware of Scammers Pretending to Be Employers

It is an old trick, and one that scammers are once again using following massive lay-offs after the coronavirus outbreak and mandates to shelter from home. The trick is to impersonate an employer recruiting for jobs, or touting the ability to make lots of money while working from home. As the old adage says, “If it is too good to be true, it probably is.”

KrebsonSecurity reported this week that scammers using the name Vasty Health Care Foundation are double dipping, that is, not only recruiting employees, but also scamming people into giving money to a “foundation” dedicated to assisting victims of the coronavirus. It states that it is a not-for-profit organization located in Nebraska and Quebec. According to Krebs, almost the entire website of Vasty was “lifted” from globalgiving.org, which is a legitimate nonprofit organization. The scammers are posting job opportunities for globalgiving.org on Indeed and Monster.com, and when more savvy individuals call globalgiving.org to confirm the job opportunity, they are told that it is not legitimate and not to cash any checks from the fraudulent organization.

It is a sophisticated scheme, and one to which many are falling victim. To read more on Krebs’ account, click here.

Be aware that cyber criminals use times of crisis and vulnerability to attack victims. This is just one more way they are doing it in a time of increased layoffs.

HHS Issues Confusing Limited Waiver on Sharing of Patient Information Following COVID-19

Acknowledging the “additional challenges” on health care providers following the outbreak of COVID-19, the Department of Health and Human Services (HHS) recently issued several waivers for covered entities to address the need to share patient information after the President declared a national emergency concerning COVID-19.

One of the waivers issued by HHS is to “waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).”

The waiver is effective as of March 15, 2020. The waiver is applicable only in reference to the COVID-19 declared emergency; only for hospitals that have “instituted a disaster protocol;” and “for up to 72 hours from the time the hospital implements its disaster protocol.”

The restrictions are confusing to covered entities and cause additional questions:

  • What if we have implemented contingent operations but not disaster protocols—does the waiver apply?
  • Do we have to institute disaster protocols instead of contingent operations?
  • How do we only address the waiver for the first 72 hours after the disaster protocols are implemented? For instance, does that mean that all of the rights listed above are only waived for 72 hours?
  • What happens after the first 72 hours after the hospital institutes its disaster protocol? Do the waivers no longer apply?
  • What is the logic or reasoning behind the waivers only being applicable for 72 hours?

It would be helpful if additional guidance was provided by HHS to these questions, as many covered entities are concerned about relying on the waivers when they are confusing or they are not sure of the intent. These are trying times for healthcare providers, and introducing further confusion into compliance efforts is particularly difficult for them.

FERPA and COVID-19 Virus DOE Guidelines

The COVID-19 virus is having an unprecedented effect on all aspects of our daily lives, and has hit the educational system especially hard with forced closures and cancellations.  Because educational institutions play such a vital role in our communities, the Department of Education (DOE) recently issued guidance in the form of Frequently Asked Questions (Guidance)  to assist school officials with how to address this public health concern while appropriately protecting student privacy.

The Guidance first reminds school officials that generally they need to obtain consent before releasing a student’s personally identifiable information (PII).  However, given the threat posed by COVID-19, there are circumstances when the “health or safety emergency” exception to consent may apply.  The Guidance states that the “public health emergency” provision is not applicable if the circumstances are based on “a generalized or distant threat of a possible event or emergency for which the likelihood of occurrence is unknown.”  It goes on to list several specific situations where the health or safety emergency exception may or may not apply.

First, if an institution determines, based on the totality of the circumstances, that there is an articulable and significant threat to the health or safety of a student, the institution may disclose to appropriate officials at a public health department PII without prior written consent to protect the health or safety of a student or other individual.

Second, if an institution learns that a student in attendance at the school is out sick due to COVID-19 it may disclose this information to other students and parents in the school community, but only in a manner that prevents the student from being identified. In a rare situation, an institution may determine, in conjunction with health, law enforcement or other government officials, that parents or eligible students may need to be advised of the identity of a student with COVID-19.  The Guidance uses the example of a student wrestler with COVID-19 who has been in direct and close contact with other students or students who have higher health risks.  In these circumstances, school officials should determine on a case-by-case basis whether a disclosure of the student’s name is absolutely necessary to protect the health or safety of students or other individuals or whether a general notice is sufficient.  School officials should consider the totality of the circumstances, including the needs of students or other individuals to have the information in order to take appropriate precautions and the risks presented.

Third, while directory information such as a student’s name, address and phone number can be released, it cannot be released in conjunction with nondirectory information such as a list of students absent from school.  The health or safety emergency exception may apply to give public health officials a list of students absent from school, but only if the school, with the concurrence or at the direction of local health authorities can determine that there is, in fact, a public emergency in the community.  The Guidance suggests that institutions prepare consent forms for parents or eligible students to sign to allow this information to be shared if the government institutes a tracking or monitoring system to identify an outbreak before an emergency is recognized.  If a parent refuses to sign the consent form, then the institution may not make the disclosure unless the health or safety emergency exception applies.

Fourth, even if an institution determines that a health or safety emergency exists, it cannot disclose PII from a student’s education records to the media without consent.  Under the health or safety emergency exception, the disclosure can only be made to “appropriate parties” whose knowledge is necessary to protect the health and safety of students and other individuals, which are generally parties who provide specific medical or safety attention, such as health and law enforcement officials.  The media is not an “appropriate party” even though it may alert the community of an outbreak.

Fifth, an institution may disclose to an eligible student’s parents that the eligible student has COVID-19 if the parents claim the eligible student as a dependent under section 152 of the Internal Revenue Code of 1986 or if the disclosure is in connection with the health or safety emergency exception.

If an institution discloses PII from a student’s educational records to the public health department or other agency pursuant to the health or safety emergency exception, the institution is required to record the request and disclosure for each student as well as an explanation of the articulable and significant threat to the health or safety of a student or other individual that caused the institution to disclose the information.  Any disclosure made with the written consent of a parent or eligible student need not be recorded.

For more information, click here.

City of Durham, NC Hit With Ryuk Ransomware

Another city—Durham, North Carolina—has become the victim of a ransomware attack stemming from a Russian hacker group following a successful phishing scheme. After falling victim to the ransomware attack last weekend, the city shut down its network, including disabling access to the network by the Durham Police Department, the Sheriff’s Office and the communications center.

The ransomware attack disabled the Fire Department’s telephone service, but other critical public safety systems, including access to the 911 network, remained operational through the emergency cyber-attack remediation system.

The City of Durham has issued a warning to residents to be cautious about any emails that might be impersonating city communications, but which could be possible phishing schemes.

Vermont Governor Signs Bill Requiring Data Privacy Inventory of Citizens’ PII

On March 5, 2020, Vermont Governor Phil Scott signed into law Senate Bill 110, “An act relating to data privacy and consumer protection,” which provides authority to develop a statewide data privacy inventory of the personally identifiable information (PII) that the state collects from and maintains of its citizens.

According to the bill, the data privacy inventory will be developed by, and be the joint responsibility of, the State Court Administrator of the Judicial Branch, the Director of Information Technology for the Legislative Branch, and the Chief Data Officer of the Secretary of State’s Office for the Executive Branch. Those individuals will be responsible for directing the state’s efforts in conducting a privacy audit around 1) the state and its agencies’ collection of residents’ personal information; 2) state and federal laws applicable to PII; 3) arrangements or agreements, whether oral or in writing, about the sharing of PII between agencies; and 4) provide recommendations for proposed legislation regarding the collection and management of PII to the Governor.

The bill also expands the definition of personal information subject to the Security Breach Notice Act to include biometric, genetic, tax payer identification numbers, health, medical diagnosis or treatment information, and health insurance policy numbers.

Back to the data privacy inventory. This is also called “data mapping” in the privacy world.

Mapping which state agencies collect, use, maintain and disclose citizens’ personal information will be a monumental task, even in the small state of Vermont. Nonetheless, as private businesses have learned over the years, it is nearly impossible to assess the risk of the data the organization has in its possession, as well as put measures in place to protect it, if you don’t know where it is or what is being done with it.

It is unclear how many states are trying to accomplish this task, but when you look at the amount of sensitive personal data states collect and maintain, this is a worthy and impressive goal by the legislators and Governor. Kudos to lawmakers in Vermont, and may other states follow in Vermont’s footsteps.

Litigation Case Claims Violation of CCPA Under Statutory Private Right of Action

One of the most significant consumer rights offered by the new California Consumer Privacy Act (CCPA) is what we call the “private right of action” afforded by the law. A private right of action under a law basically means that if someone violates the law and a person is damaged, the person can assert a specific claim against the offender by citing the specific law. If the person damaged can prove that s/he was damaged and that the damage was caused by the one who violated the law, that person can potentially get past a Motion to Dismiss.

It is significant that CCPA provides a private right of action, and there has been much speculation about whether the CCPA will open the floodgates of litigation.

One of the first cases that specifically alleges a violation of CCPA was filed on March 10, 2020 in California federal court against Sunshine Behavioral Health Group, LLC (Sunshine). The suit alleges that Sunshine, a drug and alcohol rehabilitation facility, violated CCPA when it suffered a data breach in September of 2019 and did not have appropriate security measures in place. The Plaintiff, a resident of Pennsylvania, alleges that following the data breach (which affected 3,500 patients’ protected health information), someone tried to open a credit card account in his name and that he has received magazine subscriptions he did not order.

The plaintiff is attempting to represent a class of individuals affected by the data breach, and is seeking an order requiring Sunshine to implement “reasonable” security measures. It is unknown whether the plaintiff provided 30 days’ notice to Sunshine to implement security measures before the suit was filed, which is required under CCPA.

Nonetheless, we predict that there will be many more suits alleging a private right of action following a data breach under CCPA, and this case is a good reminder of the CCPA statutory requirement for companies to have appropriate security measures in place to protect personal information in its possession relating to California residents.

Coronavirus and Remote Workers: Consider Increased Risk of Insider Threat Issues

The conference I was supposed to speak at next week was just cancelled, as many are and will be, due to coronavirus concerns. The topic was “Insider Threats and How to Mitigate Them.” One of the points I was going to make was that insider threats, both malicious and unintentional, are an ongoing and serious problem for companies. On top of that, now that many companies are “going remote” in response to coronavirus concerns, the risks of insider threats will only mount.

What is an insider threat? There are basically two kinds: 1) a malicious act when an employee, vendor or other individual who has access to company information steals personal information, health information or proprietary information; and 2) an unintentional act, such as a misdirected email, falling for a phishing scheme or wire fraud scheme, sending company data to a personal email account, or losing a USB drive or laptop.

How often do insider threats happen? According to a recent survey, 90 percent of respondents feel they are vulnerable to insider threats, 53 percent have confirmed insider attacks against their organization, and 86 percent already have, or are building, an insider threat program. Additional statistics to consider include the fact that insider threats are caused 56 percent of the time by regular employees, 55 percent by privileged IT users or administrators, and 42 percent by contractors, temporary workers or service providers.

These statistics don’t fully recognize the new reality of remote workers due to coronavirus. Many companies are implementing contingent operations plans, which include allowing employees who do not usually have access to company systems remotely or through a virtual private network, to now have access. This means they will be using their home internet connection, potentially their home computer and printer, and using remote connections. The risks associated with remote connectivity in normal times will be magnified in the new reality, without the benefit of completing a full analysis of the risks and security measures to be put in place, including robust employee education.

At the very least, these new remote workers need to understand the risk they pose to the organization and have a clear understanding of the importance of following company policies and procedures around remote access. Thoroughly training employees before they are given remote access is critical to risk reduction. Implementing increased monitoring on email and document access and disclosure is another thing to consider when allowing additional employees remote access. Control of the systems with more remote workers will be an added risk for information technology teams in companies, and mitigating this risk during the roll-out of a new remote workforce is worth the time and effort.

Privacy Tip #229 – Two RSA Conference Attendees Test Positive for Coronavirus

Our firm is a proud member of the International Association of Privacy Professionals (IAPP), as are those of many of my colleagues in the industry. I attend the IAPP Global Privacy Summit every year, and have done so since (I think) 2004. Yikes. Back in the early days, hundreds of individuals attended the conference in one conference room, while now it is held annually in the D.C. Convention Center and the Marriott Marquis as many thousands from all over the world attend. 

I was admittedly bummed when I received the email from IAPP yesterday cancelling the global summit this year, which was scheduled for next month. Bummed, but not so surprised, as every day the coronavirus is wreaking havoc and causing cancellations to conferences and travel plans, and general disruption to everyday life. I was bummed because it is the one time of the year I get to see and socialize with colleagues in other firms, clients, vendors and service providers, which I really enjoy. The speakers and panels are always good, and it is fun to just “talk the talk” with so many of us who are passionate about privacy and security. To all of my peeps that I will not see at IAPP this year–I will miss you!

The decision by the IAPP was understandable and solid, despite my disappointment.  This became clearer to me when I saw the headline that two attendees at the RSA conference in San Francisco (another heavy weight conference for folks like me) have tested positive for Coronavirus. I know many people who attended RSA, so that news is worrisome, but it validates the IAPP’s decision to cancel the Global Provacy Summit. Prioritizing health in what has now been declared a pandemic is the most important consideration hese days.

HHS Finalizes Joint Rules on Electronic Health Record Interoperability and Access

On March 9, 2020, the Department of Health and Human Services (HHS) announced final rules seeking to give patients more access to, and control of, their health data. The final rules were issued by the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare and Medicaid Services (CMS). The ONC rule is available here and the CMS rule here. Both rules implement interoperability and patient access provisions from the 21st Century Cures Act and the Trump administration’s MyHealthEData initiative.

HHS describes the finalizing of these rules as “the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure.” The rules focus on data interoperability, preventing information blocking, and facilitating patient access to electronic health records (EHRs). The rules are effective 60 days after publication in the Federal Register.

Below are some highlights:

Data Interoperability

The ONC rule changes the minimum commonly available baseline data requirements for interoperable exchange required for EHR certification. Certification now requires that EHRs meet United States Core Data for Interoperability (USCDI) standards, replacing the previously used Common Clinical Data Set (CCDS). The USCDI is a standardized data set that “includes “clinical notes,” allergies, and medications among other important clinical data, to help improve the flow of electronic health information and ensure that the information can be effectively understood when it is received.” The CCDS standard and supplemental requirements will remain valid for 24 months after the date of this rule’s publication in the Federal Register. This requirement of increased data interoperability is one of many changes the rules make to the EHR certification requirements.

Preventing Information Blocking

The ONC rule also uses the EHR certification requirements to prevent information blocking which is behavior likely to interfere, prevent, or discourage the use of electronic health information. Some examples of information blocking include implementing health IT in nonstandard ways that burden the use of electronic health information, implementing practices that restrict authorized access for treatment and other permitted purposes, and implementing health IT in a way likely to prevent transitions between health IT systems and lead to fraud, waste, abuse, or stifle innovation. The finalized rule makes a condition of EHR certification, that EHR developers not engage in information blocking, and that EHR developers also provide HHS with assurances they will not engage in information blocking. Moreover, the final rule prohibits EHR developers from using EHR contracts to limit certain communications about health IT usability, user experience, interoperability, and security, allowing providers to communicate about these issues.

While the ONC rule focuses on preventing information blocking, it also creates eight exceptions to information blocking when it is reasonable and necessary to interfere, prevent, or discourage the use of electronic health information. The exceptions are located at 45 C.F.R. §§ 171.201-205, 171.301-303. They involve special circumstances involving patient safety, privacy and security, and necessary business practices. Information blocking civil monetary penalties will not apply when exceptions are met.

Facilitating Patient Access

The rules also aim to increase patient EHR access. The ONC rule establishes new standards-based application programming interface (API) requirements. According to HHS, APIs “allow patients to access their data through any third-party application they choose to connect to the API,” including smartphone applications. Under the ONC rule, EHR certification will require developers of Health IT Modules – which are “any service, component, or combination thereof that can meet the requirements of at least one certification criterion adopted by the Secretary” – to “publish APIs and allow electronic health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs or successor technology or standards.” This will allow patients to securely obtain electronic health information from their provider’s medical record using the smartphone app of their choice.

The CMS rule also attempts to increase access using APIs. The rule requires that beginning January 1, 2021, Medicare Advantage, Medicaid, CHIP, and, for plan years beginning on or after January 1, 2021, plans on the federal Exchanges share claims and other health information with patients via a Patient Access API. This is again targeted at allowing patients to connect third-party applications to their data using the API to facilitate access.

Condition of Participation 

The CMS rule also creates a new Condition of Participation (CoP) for all Medicare and Medicaid participating hospitals encouraging access by “requiring them to send electronic notifications to another healthcare facility or community provider or practitioner when a patient is admitted, discharged, or transferred.” CMS has done this by creating a new standard for electronic transmission at 42 C.F.R. § 482.24(d). It requires that hospitals using an electronic medical records system or other electronic administrative system demonstrate:

  1. The system is operational and used for the exchange of patient health information.
  2. The system sends notifications that must include at least patient name, treating practitioner name, and sending institution name.
  3. Consistent with federal and state law and regulations, and not inconsistent with the patient’s expressed privacy preferences, the system sends notifications at the time of:
    1. Registration at the emergency department
    2. Admission to the hospital’s inpatient services
    3. The patient’s discharge or transfer from the hospital’s emergency department
    4. The patient’s discharge or transfer from the hospital’s inpatient services
  4. The system sends the notifications to all applicable post-acute care services providers and suppliers, the patient’s primary care physician, or any other provider the patient indicates is primarily responsible for his or her care.

The CMS rule indicates this change to the CoPs will be effective 6 months after the rule is published in the Federal Register, to give providers time to come into compliance.

As mentioned above, the highlights discussed in this post offer a glimpse at some of the new requirements. As the rules impact payors, providers, health IT vendors, and patients, interested parties should review the finalized rules for applicable new requirements.

This post was authored by Anna Gurevich and Michael Lisitano and is also being shared on our Health Law Diagnosis blog. If you’re interested in getting updates on developments affecting health information privacy and HIPAA related topics, we invite you to subscribe to the blog. Michael is a legal intern at Robinson+Cole and is not yet admitted to practice law.

LexBlog