COVID-19: Privacy and Cybersecurity Regulatory and Enforcement Guidance

30 April 2020 Blog
Author(s): Samuel D. Goldstick, Christi A. Lawson, Steven M. Millendorf, Jennifer L. Urban, Eileen R. Ridley, Aaron K. Tantleff
Published To: Coronavirus Resource Center: Back to Business; Health Care Law Today; Innovative Technology Insights; Consumer Class Defense Counsel

Updated as of May 11, 2020:

As industry continues to adapt to the evolving realities of shelter-in-place orders, companies face challenges in supporting an unprecedented remote workforce while balancing compliance with a variety of regulatory agencies. The following alert highlights key areas to consider in the privacy and cybersecurity field, including regulatory and enforcement guidance from or related to:

Foley’s team of privacy and cybersecurity attorneys will continue to actively monitor for new and revised regulatory and enforcement guidance in these areas and others, and will update this alert accordingly.

General Data Protection Regulation

On March 19, 2020, the European Data Protection Board (EDPB) adopted a statement on the processing of personal data in the context of the COVID-19 outbreak. The EDPB made it clear that while the EU’s General Data Protection Regulation (GDPR) should not hinder measures taken in the fight against the current coronavirus pandemic, businesses are not exempt from complying with the GDPR and ensuring the protection of individuals’ personal data “even in these exceptional times.” Specifically, the EDPB explained that any measure taken in this context should comply with general principles of law, adding that “emergency is a legal condition which may legitimize restrictions to freedom provided these restrictions are proportionate and limited to the emergency period.” However, though the EDPB provided answers to some questions about the processing of data in the employment context, it failed to offer any concrete recommendations and limited its answers primarily to restating the general data protection rules (such as proportionality and data minimization principles) and relevant national laws.

Countries that have issued emergency laws allowing companies to rely on the public health basis to process sensitive personal data include:

  • France: Les Agences régionales de santé (ARS) have issued an information notice.

  • Germany: The Infection Protection Act (IfSG) and the Hygiene Regulations of the German Federal States regulate the processing of healthcare information in these circumstances.

  • Italy: The Italian Civil Protection Department has adopted a Civil Protection Ordinance.

To provide much needed clarity, the data protection authorities (DPAs) of nearly all EU Member States have issued specific guidance on how to collect and process personal data related to COVID-19. For further insight into this and the core principles emerging from the guidance, please see our discussion posted here.

California Consumer Privacy Act

The California Attorney General (AG), Xavier Becerra, has commented that the state is not currently considering delaying enforcement of the California Consumer Privacy Act (CCPA). This comment comes after an open letter sent by a coalition of industry groups to the AG, urging Becerra to temporarily delay enforcement of the CCPA until January 2, 2021, to give industry more time to understand and operationalize the regulations once finalized as well as to respond to the unprecedented challenges and economic considerations faced by industry while it recovers from the pandemic. It remains to be seen whether the AG’s response will change if other regulators begin relaxing enforcement in light of the pandemic.

The AG’s office also emphasized data security in light of the pandemic, highlighting certain risks to which companies are potentially exposed while attempting to safeguard their workforces. In particular, companies should consider whether their data security procedures are sufficient to cover any change in the sensitivity of the data held by the business in response to COVID-19. For example, companies should review whether they are receiving any new types of information from employees during this pandemic, such as health information. Under the CCPA, employee health information received by an employer is personal information regulated by the CCPA; it does not qualify for the exclusion for health information subject to the Health Insurance Portability and Accountability Act (HIPAA), nor is it excluded from an employee’s private right of action for failure to maintain reasonable security practices in the event of a security incident. For companies that are collecting such health information, further security measures may be necessary.

Health Care

The federal government has issued various guidance on how organizations in the health care space may operate to efficiently and effectively combat the COVID-19 pandemic, including updates to how health information may be used and disclosed in response to the pandemic to relieve immediate privacy concerns and ease enforcement in certain areas — at least on a temporary basis. These updates are helpful to understand the government’s current position on regulation governing the health care space, especially privacy laws like the Health Insurance Portability and Accountability Act (HIPAA), which governs the use and disclosure of protected health information (PHI) by health care providers, health plans, health care clearinghouses, and business associates, and 42 C.F.R. Part 2 (Part 2), which governs the confidentiality of substance use disorder records.

For ease of reference, below we have consolidated some of the most important, recent regulatory updates into high-level categories that reflect relevant issues affecting the health care industry and linked to further information online:

1.  Waivers announced by the Secretary of the U.S. Department of Health & Human Services (HHS), Alex Azar, including a limited waiver of HIPAA sanctions and penalties during a nationwide public health emergency as well as a waiver or modification of requirements under Section 1135 of the Social Security Act

2.  Guidance from the HHS’ Office for Civil Rights (OCR) on HIPAA requirements and related enforcement discretion regarding:

a.  General requirements: The OCR has a main web page with all COVID-19-related notifications, guidance, and bulletins issued by the agency.

b.  Community-based testing sites: On April 9, 2020, the OCR announced a notification that, retroactively effective to March 13, 2020, it will exercise its enforcement discretion and will not impose penalties for violations of HIPAA against covered entities or business associates in connection with the good faith participation in the operation of community-based testing sites (CBTS), which include mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.

c.  Telehealth remote communications: On March 17, 2020, the OCR announced a notification that, effective immediately, it will exercise its enforcement discretion for telehealth remote communications and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. The OCR issued further guidance and FAQs regarding telehealth remote communications.

d.  How first responders and others can receive PHI about individuals who are exposed to COVID-19: The OCR issued guidance regarding the disclosure to law enforcement, paramedics, other first responders, and public health authorities of the name or other identifying information of an individual who has been infected with or exposed to the virus without that individual’s authorization.

e.  How HIPAA applies in an emergency: In February, the OCR issued a bulletin to ensure that HIPAA-covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule during an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency. The OCR has since highlighted guidance regarding the release of PHI for planning or response activities in emergency situations, such as during the COVID-19 national emergency. The agency also provides a decision tool to aid in determining how the Privacy Rule applies to a particular disclosure in question. For more background regarding exceptions to the authorization requirement that may be relevant to HIPAA-covered entities treating patients with COVID-19, please see our discussion posted here.

f.  How business associates can share PHI for public health and health care operations purposes: On April 2, 2020, the OCR announced a notification of enforcement discretion to allow uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. For a more detailed summary of HIPAA’s exceptions for the use and disclosure of PHI by business associates for public health and health oversight activities, please see our discussion posted here.

g.  Media and film crew access to PHI: On May 5, 2020, the OCR issued additional guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where PHI will be accessible without the patients’ prior authorization. Among other points, the guidance clarifies that even during the current COVID-19 public health emergency, covered health care providers are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI — simply masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient.

For additional information, the OCR hosted a webinar for health IT stakeholders on April 24, 2020, that addressed HIPAA privacy and security issues related to COVID-19 as well as recent OCR actions related to the pandemic. A recording of this webinar is now available on YouTube and the presentation slides may be viewed here.

3.  Revisions to Part 2 under the CARES Act: The Coronavirus Aid, Relief, and Economic Security Act (CARES Act), enacted into law on March 27, 2020, overhauls the federal substance use disorder privacy law, 42 C.F.R. Part 2, dramatically easing the ability of health care providers to disclose protected substance use disorder records with patient consent and generally aligning Part 2 to be more consistent with HIPAA.

4.  Request by CMS for COVID-19 test result reporting: On March 29, 2020, the HHS’ Centers for Medicare & Medicaid Services (CMS) issued a letter to U.S. hospitals on behalf of Vice President Pence requesting that they report data in connection with their efforts to combat COVID-19 that is critical for epidemiological surveillance and public health decision-making.

5.  Guidance from the Federal Communications Commission (FCC) on the Telephone Consumer Protection Act (TCPA) and its application to health and safety communications: On March 20, 2020, the FCC issued a Declaratory Ruling confirming that COVID-19 constitutes an “emergency” under the “emergency purpose” exception to the TCPA, making it lawful for hospitals, health care providers, state and local health officials, and those acting on their behalf to make certain automated calls and SMS text messages related to the COVID-19 pandemic without prior written consent.

Consumer Financial Services

The Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC) have been working to gather information regarding the measures that financial institutions, financial servicers, and vendors are taking to protect consumers’ non-public personal information (NPPI) during a time with unprecedented rates of remote workers. The new remote workforce includes workers who had never before been approved to work remotely because of their ability to access NPPI and other sensitive information. A large number of businesses scrambled to provide workers with access to company-issued laptops and/or security software to allow them to work remotely on the short notice of shelter-in-place orders in various locations across the country. There appears to be some concern among regulators as to whether appropriate protections have been instituted.

However, we do not expect that the CFPB and FTC will agree to relax security standards such as those found in the Safeguards Rule, the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA). We do expect to see, in the near future, guidance that assists businesses in ensuring those security standards are met while utilizing a remote workforce. For those functions that simply cannot be done remotely, the CFPB and FTC may also consider extending regulatory deadlines to allow the reduced workforce time to meet the demand.

  • CFPB: The CFPB has announced that it is “committed to providing consumers with up-to-date information and resources to protect and manage their finances during this difficult time as the [coronavirus (COVID-19) pandemic] situation evolves.” As part of that commitment, the CFPB has teamed up with the FTC to make consumers aware of scammers that are taking advantage of the COVID-19 pandemic to con people into giving up their money or NPPI. Please visit the CFPB’s COVID-19 Resource Page for up-to-date announcements and guidance from the agency.

Safe Harbor Enactments

No safe harbors related to the COVID-19 pandemic have been announced to date. However, Foley’s privacy and cybersecurity team is monitoring the situation closely and will update this alert should one be announced.

General Considerations for Privacy and Cybersecurity Risk Awareness

The unprecedented circumstances of the COVID-19 pandemic bring forth a variety of unique privacy and cybersecurity risks to which prudent companies should remain alert. In addition to heightened uncertainty surrounding whether and how to collect and disclose employee health information under applicable privacy laws during the current outbreak, COVID-19-related email scams, phishing attempts, malware, and other malicious cyber activities are also on the rise as cybercriminals look to exploit security vulnerabilities within a company’s systems and among its personnel due to the surge in teleworking.

On April 8, 2020, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert containing detailed information on exploitation by cybercriminal and advanced persistent threat groups of the current COVID-19 global pandemic. The alert provides an overview of COVID-19-related malicious cyber activity and a non-exhaustive list of indicators of compromise for detection based on analysis from CISA, NCSC, and industry, as well as offers practical mitigation advice and guidance that individuals and organizations can follow to reduce the risk of being impacted.

In addition to following the CISA and NCSC advice set out in their joint alert, the following practical risk assessments should also be considered by all companies, including those deemed to be “essential businesses” under shelter-in-place orders:

  • When gathering medical information regarding your employees, is the company doing what it can to keep individual medical information private to the extent possible (e.g., if notified of potential COVID-19 exposure, is the company preserving the employee’s privacy while also narrowing notice procedures to the appropriate individuals under the more lax HIPAA standards issued due to the COVID-19 pandemic);
  • If the company is subject to GDPR, the company may collect and disclose certain personal data, including sensitive personal data, relating to the COVID-19 status of its employees, if the company can rely upon an appropriate lawful basis provided for under GDPR or applicable national law (including any emergency legislation enacted by EU Member States) to process such data and adheres to the GDPR’s fundamental principles for processing personal data, including, but not limited to, proportionality and data minimization (e.g., limiting collection and disclosure to the minimum necessary and proportionate during the emergency period);
  • With additional employees working remotely (and some for the first time), has the company reviewed and provided its telecommuting policies, as well as confirmed that company equipment should be used only for company activities and that proprietary/confidential materials should be handled in a manner that preserves non-disclosure (including the use of encryption and VPN access);
  • With a heightened risk of cybersecurity challenges (e.g., breaches, hacks, phishing incidents, ransomware, etc.), has the company reviewed with employees the need to be aware of such risks and offered renewed training;
  • Has the company installed and/or updated all software and security patches and reviewed its incident response plan;
  • If the company retains logistical and geographical location information, have privacy considerations been taken into account when/if such information is requested by governmental entities; and
  • Has the company ensured that its CCPA compliance program is on track if the company is subject to CCPA.

In summary, it is critical that companies operating within the current remote work environment actively assess the privacy and cybersecurity risks to their enterprise; monitor existing and emerging regulatory and enforcement guidance as the situation evolves around the COVID-19 outbreak; weigh these factors against their policies, procedures, and practices currently in place; and make the necessary adjustments to maintain compliance with applicable laws. For more information about recommended steps, please contact your Foley relationship partner or one of the firm’s core privacy and cybersecurity partners. For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the CDC and the World Health Organization.

Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. See Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time.
