Data privacy and security are top of mind for many people during the COVID-19 public health crisis. Several federal agencies have recently issued guidance specific to data privacy and security issues during COVID-19. Included below are some of the highlights of this guidance for health care entities, including those covered by HIPAA.
HIPAA Limited Waiver Under Section 1135
On March 13, 2020, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued its Waiver or Modification of Requirements under Section 1135 of the Social Security Act pursuant to the COVID-19 public health emergency. Notably, the HIPAA Rules are not waived in their entirety. Rather, the waiver under Section 1135 applies to the following requirements only:
- Obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care (see 45 C.F.R. § 164.510(b));
- Honoring a request to opt out of the facility directory (see 45 C.F.R. § 164.510(a));
- Distributing a notice of privacy practices (see 45 C.F.R. § 164.520);
- Honoring the patient’s right to request privacy restrictions (see 45 C.F.R. § 164.522(a)); and
- Honoring the patient’s right to request confidential information (see 45 C.F.R. § 164.522(b)).
The waiver became effective on March 15, 2020, with a retroactive effective date of March 1, 2020. The waiver applies only in emergency areas identified in the public health emergency declaration, only to hospitals that have instituted a disaster protocol, and only for up to seventy-two hours after the institution of the disaster protocol. All other requirements under the HIPAA Rules, such as breach notification requirements and implementing reasonable safeguards to protect patient information from impermissible uses and/or disclosures, remain in full force and effect.
VTC Platforms and Recent COVID-19 Guidance
Video teleconferencing (“VTC”) platforms, while incredibly helpful during this crisis, can also introduce serious privacy and security risks. For example, the Federal Bureau of Investigation (“FBI”) recently issued a warning about multiple “VTC hijacking” events in which an unauthorized, unknown third party disrupted online conferences with pornographic images, hate images, and threatening language. VTC hijacking can also lead to breaches of protected health information, financial information, confidential client information, and other sensitive information.
Multiple federal agencies recently issued guidance for the safe use of VTC platforms and other teleconferencing technologies, including the FBI, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”), the National Institute of Standards and Technology (“NIST”), and the Federal Trade Commission (“FTC”). Some of the advice the agencies issued, which entities and healthcare providers should follow to protect their confidential communications, includes:
- Always require a meeting password or use a waiting room feature (if available) to control the admittance of guests. Do not share the VTC meeting link on an unrestricted, publicly available social media account.
- Carefully manage screen-sharing features. For example, use the “host only” option for screen sharing.
- Ensure all users have the most up-to-date version of the VTC platform.
- Ensure your policies address requirements for physical and information security related to VTC platforms. If the policies are silent on the topic or outdated, update them.
- Protect VTC platforms against eavesdropping. Ensure your users’ home networks are set up securely. Specifically, all users should enable “WPA2” or “WPA3” encryption on their Wi-Fi routers. Create, or direct your employees to, online tutorial videos that show them how to enable WPA2 or WPA3 on a router.
- Require all employees to connect through a virtual private network (“VPN”) so that their business traffic travels over an encrypted connection. If your business is unable to establish its own VPN, require your employees to download and use their own VPNs when conducting business.
- If employees use their personal computers and/or mobile devices, confirm that they have enabled basic security features, such as enabling the PIN, fingerprint, or facial ID feature.
- Require employees to report unusual or suspicious activity to your help desk, security operations center, or other appropriate contact.
- Never leave personal devices unattended.
- Require that employee laptops be password protected, locked, and secured. Passwords should be at least twelve (12) characters, with a mix of numbers, symbols, and capital/lowercase letters.
- Ensure all work devices have up-to-date security features. Employees should enable “automatic software updates” on all of their devices.
- For health care providers, use VTC platforms only in private settings, such as a clinic or office. Likewise, patients should not receive telehealth services in public or semi-public settings, absent patient consent or exigent circumstances. If telehealth cannot be provided in a private setting, providers should implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information, such as: using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others.
- Only use “non-public facing” products. A “non-public facing” remote communication product is one that, as a default, allows only the intended parties to participate in the communication. Typically, these platforms employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted. The platforms also support individual user accounts, logins, and passcodes to help limit access and verify participants. In addition, participants are able to assert some degree of control over particular capabilities, such as choosing to record or not record the communication or to mute or turn off the video or audio signal at any point.
- For healthcare providers and other covered entities and business associates subject to HIPAA, enter into a business associate agreement with the VTC platform.
- Review privacy notices to make sure you are transparent regarding the collection, use or other processing of personal information via VTC platforms.
COVID-19 Community Based Testing Centers
Most recently, the HHS Office for Civil Rights (OCR) published a Notice of Enforcement Discretion (Notice) for HIPAA COVID-19 Community-Based Testing Sites (CBTSs). Specifically, OCR stated in the Notice that, while OCR encourages HIPAA compliance, it will not impose penalties for non-compliance with the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) against HIPAA covered health care providers and their business associates in the good faith operation of a CBTS (in other words, mobile, drive-through, or walk-up sites that provide only COVID-19 specimen collection or testing services to the public) during the national public health emergency.
Importantly, the Notice does not apply to non-CBTS related activities of a HIPAA covered health care provider or business associate that may be providing the CBTS (like indoor retail pharmacy operations), and the Notice does not apply at all to health plans or health care clearinghouses. However, HIPAA covered health care providers should consider implementing appropriate safeguards to avoid potential consumer complaints and as a reflection of the “good faith operation” of the CBTSs.
Such safeguards would include administrative, physical, and technical safeguards, as required by the HIPAA Rules, and the Notice enumerates the following as examples of what would be “reasonable safeguards” for CBTSs:
- Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment.
- Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
- Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. (A six foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.)
- Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
- Using secure technology at a CBTS to record and transmit electronic PHI.
- Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.
The Notice has a retroactive date of March 13, 2020, and it will remain in effect until the earlier of (a) the Secretary of HHS declaring that the public health emergency no longer exists, or (b) the expiration of the declared public health emergency (including any extensions).
Text Messages related to COVID-19
In 1991, the Telephone Consumer Protection Act (“TCPA”) (47 U.S.C. § 227) was enacted to address unwanted telephone calls and faxes for marketing. The Federal Communications Commission (“FCC”) Enforcement Bureau expanded the provisions of TCPA to include limits for the use of automated text messages. Specifically, the FCC has stated that the restrictions on making “autodialed” calls to cell phones include both voice calls and texts. As such, automated calls and text messages to cell phones are subject to the requirements of TCPA. Generally, entities can send automated text messages without the prior express, written consent of the recipient only in emergency circumstances, or if such text messages are directly related to urgent and crucial matters of health care treatment for an individual.
On March 20, 2020, the FCC issued a Declaratory Ruling regarding the COVID-19 pandemic, noting that it constitutes an “emergency” under the TCPA. In the Declaratory Ruling, the FCC stated that, for purposes of messages made for “emergency purposes” related to COVID-19, two elements in particular must be considered: the identity of the caller, and the content of the call or message. According to the FCC:
First, the caller must be from a hospital, or be a health care provider, state or local health official, or other government official as well as a person under the express direction of such an organization and acting on its behalf. Second, the content of the call must be solely informational, made necessary because of the COVID-19 outbreak, and directly related to the imminent health or safety risk arising out of the COVID-19 outbreak.
The FCC also gave several important examples of communications permitted and not permitted under the exception for COVID-19:
A call originating from a hospital that provides vital and time-sensitive health and safety information that citizens welcome, expect, and rely upon to make decisions to slow the spread of the COVID-19 disease would fall squarely within an emergency purpose. An informational call designed to inform and update the public regarding measures to address the current pandemic made on behalf of, and at the express direction of, a health care provider would be made in a situation that “affect[s] the health and safety of consumers” and would thus be exempt. In turn, a call made by a county official to inform citizens of shelter-in-place requirements, quarantines, medically administered testing information, or school closures necessitated by the national emergency would be made for an emergency purpose as such measures are designed to inhibit the spread of the disease.
In contrast, calls that contain advertising or telemarketing of services do not constitute calls made for an “emergency purpose” (e.g., advertising a commercial grocery delivery service, or selling or promoting health insurance, cleaning services, or home test kits). Calls made to collect debt, even if such debt arises from related health care treatment, are not made for an “emergency purpose,” as those calls are not time-sensitive, do not “affect the health and safety of consumers,” and are not directly related to an imminent health or safety risk. Such debt collection, advertising, or telemarketing automated calls require the prior express consent of the called party.
As such, the FCC, in this Declaratory Ruling, has arguably limited the emergency exception for communications to specific circumstances related to health care and public health. As a result, communications to individuals without express written consent under the TCPA should be limited to those specifically related to their treatment by health care providers, and those related specifically to COVID-19 issues identified by health care providers and for public health purposes.