Updated as of May 11, 2020:
As industry continues to adapt to the evolving realities of shelter-in-place orders, companies face challenges in supporting an unprecedented remote workforce while balancing compliance with a variety of regulatory agencies. The following alert highlights key areas to consider in the privacy and cybersecurity field, including regulatory and enforcement guidance from or related to:
Foley’s team of privacy and cybersecurity attorneys will continue to actively monitor for new and revised regulatory and enforcement guidance in these areas and others, and will update this alert accordingly.
On March 19, 2020, the European Data Protection Board (EDPB) adopted a statement on the processing of personal data in the context of the COVID-19 outbreak. The EDPB made it clear that while the EU’s General Data Protection Regulation (GDPR) should not hinder measures taken in the fight against the current coronavirus pandemic, businesses are not exempt from complying with the GDPR and ensuring the protection of individuals’ personal data “even in these exceptional times.” Specifically, the EDPB explained that any measure taken in this context should comply with general principles of law, adding that “emergency is a legal condition which may legitimize restrictions to freedom provided these restrictions are proportionate and limited to the emergency period.” However, while the EDPB answered some questions about the processing of data in the employment context, it offered no concrete recommendations and limited its answers primarily to restating the general data protection rules (such as the proportionality and data minimization principles) and pointing to relevant national laws.
Countries that have issued emergency laws allowing companies to rely on the public health basis to process sensitive personal data include:
To provide much needed clarity, the data protection authorities (DPAs) of nearly all EU Member States have issued specific guidance on how to collect and process personal data related to COVID-19. For further insight into this and the core principles emerging from the guidance, please see our discussion posted here.
The California Attorney General (AG), Xavier Becerra, has commented that the state is not currently considering delaying enforcement of the California Consumer Privacy Act (CCPA). This comment comes after an open letter sent by a coalition of industry groups to the AG, urging Becerra to temporarily delay enforcement of the CCPA until January 2, 2021, to give industry more time to understand and operationalize the regulations once finalized as well as to respond to the unprecedented challenges and economic considerations faced by industry while it recovers from the pandemic. It remains to be seen whether the AG’s response will change if other regulators begin relaxing enforcement in light of the pandemic.
The AG’s office also emphasized data security in light of the pandemic, highlighting certain risks to which companies are potentially exposed while attempting to safeguard their workforces. In particular, companies should consider whether their data security procedures are sufficient to cover any change in the sensitivity of the data held by the business in response to COVID-19. For example, companies should review whether they are receiving any new types of information from employees during this pandemic, such as health information. Under the CCPA, health information an employer receives from an employee is personal information regulated by the CCPA: it does not qualify for the exclusion for health information subject to the Health Insurance Portability and Accountability Act (HIPAA), and it is not excluded from an employee’s private right of action for failure to maintain reasonable security practices in the event of a security incident. For companies that are collecting such health information, further security measures may be necessary.
The federal government has issued various guidance on how organizations in the health care space may operate to efficiently and effectively combat the COVID-19 pandemic, including updates to how health information may be used and disclosed in response to the pandemic to relieve immediate privacy concerns and ease enforcement in certain areas — at least on a temporary basis. These updates are helpful to understand the government’s current position on regulation governing the health care space, especially privacy laws like the Health Insurance Portability and Accountability Act (HIPAA), which governs the use and disclosure of protected health information (PHI) by health care providers, health plans, health care clearinghouses, and business associates, and 42 C.F.R. Part 2 (Part 2), which governs the confidentiality of substance use disorder records.
For ease of reference, below we have consolidated some of the most important, recent regulatory updates into high-level categories that reflect relevant issues affecting the health care industry and linked to further information online:
1. Waivers announced by the Secretary of the U.S. Department of Health & Human Services (HHS), Alex Azar, including a limited waiver of HIPAA sanctions and penalties during a nationwide public health emergency as well as a waiver or modification of requirements under Section 1135 of the Social Security Act
2. Guidance from the HHS’ Office for Civil Rights (OCR) on HIPAA requirements and related enforcement discretion regarding:
a. General requirements: The OCR has a main web page with all COVID-19-related notifications, guidance, and bulletins issued by the agency.
b. Community-based testing sites: On April 9, 2020, the OCR issued a notification that, retroactively effective to March 13, 2020, it will exercise its enforcement discretion and will not impose penalties for violations of HIPAA against covered entities or business associates in connection with the good faith participation in the operation of community-based testing sites (CBTS), which include mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.
c. Telehealth remote communications: On March 17, 2020, the OCR issued a notification that, effective immediately, it will exercise its enforcement discretion for telehealth remote communications and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. The OCR issued further guidance and FAQs regarding telehealth remote communications.
d. How first responders and others can receive PHI about individuals who are exposed to COVID-19: The OCR issued guidance regarding the disclosure to law enforcement, paramedics, other first responders, and public health authorities of the name or other identifying information of an individual who has been infected with or exposed to the virus without that individual’s authorization.
e. How HIPAA applies in an emergency: In February, the OCR issued a bulletin to ensure that HIPAA-covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule during an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency. The OCR has since highlighted guidance regarding the release of PHI for planning or response activities in emergency situations, such as during the COVID-19 national emergency. The agency also provides a decision tool to aid in determining how the Privacy Rule applies to a particular disclosure in question. For more background regarding exceptions to the authorization requirement that may be relevant to HIPAA-covered entities treating patients with COVID-19, please see our discussion posted here.
f. How business associates can share PHI for public health and health care operations purposes: On April 2, 2020, the OCR issued a notification of enforcement discretion to allow uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. For a more detailed summary of HIPAA’s exceptions for the use and disclosure of PHI by business associates for public health and health oversight activities, please see our discussion posted here.
g. Media and film crew access to PHI: On May 5, 2020, the OCR issued additional guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where PHI will be accessible without the patients’ prior authorization. Among other points, the guidance clarifies that even during the current COVID-19 public health emergency, covered health care providers are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI — simply masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient.
For additional information, the OCR hosted a webinar for health IT stakeholders on April 24, 2020, that addressed HIPAA privacy and security issues related to COVID-19 as well as recent OCR actions related to the pandemic. A recording of this webinar is now available on YouTube and the presentation slides may be viewed here.
3. Revisions to Part 2 under the CARES Act: The Coronavirus Aid, Relief, and Economic Security Act (CARES Act), enacted into law on March 27, 2020, overhauls the federal substance use disorder privacy law, 42 C.F.R. Part 2, dramatically easing the ability of health care providers to disclose protected substance use disorder records with patient consent and generally aligning Part 2 more closely with HIPAA.
4. Request by CMS for COVID-19 test result reporting: On March 29, 2020, the HHS’ Centers for Medicare & Medicaid Services (CMS) issued a letter to U.S. hospitals on behalf of Vice President Pence requesting that they report data in connection with their efforts to combat COVID-19 that is critical for epidemiological surveillance and public health decision-making.
5. Guidance from the Federal Communications Commission (FCC) on the Telephone Consumer Protection Act (TCPA) and its application to health and safety communications: On March 20, 2020, the FCC issued a Declaratory Ruling confirming that COVID-19 constitutes an “emergency” under the “emergency purpose” exception to the TCPA, making it lawful for hospitals, health care providers, state and local health officials, and those acting on their behalf to make certain automated calls and SMS text messages related to the COVID-19 pandemic without prior written consent.
The Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC) have been working to gather information regarding the measures that financial institutions, financial servicers, and vendors are taking to protect consumers’ non-public personal information (NPPI) during a period of unprecedented remote work. The new remote workforce includes workers who had never before been approved to work remotely because their roles involve access to NPPI and other sensitive information. Given the short notice of shelter-in-place orders in various locations across the country, a large number of businesses scrambled to provide workers with company-issued laptops and/or security software so that they could work remotely. There appears to be some concern among regulators as to whether appropriate protections have been instituted.
We do not expect the CFPB and FTC to relax security standards such as those found in the Safeguards Rule, the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA). We do, however, expect to see guidance in the near future that assists businesses in meeting those security standards while utilizing a remote workforce. For those functions that simply cannot be performed remotely, the CFPB and FTC may also consider extending regulatory deadlines to give a reduced workforce time to meet the demand.
No safe harbors related to the COVID-19 pandemic have been announced to date. However, Foley’s privacy and cybersecurity team is monitoring the situation closely and will update this alert should one be announced.
The unprecedented circumstances of the COVID-19 pandemic bring forth a variety of unique privacy and cybersecurity risks to which prudent companies should remain alert. In addition to heightened uncertainty surrounding whether and how to collect and disclose employee health information under applicable privacy laws during the current outbreak, COVID-19-related email scams, phishing attempts, malware, and other malicious cyber activities are also on the rise as cybercriminals look to exploit security vulnerabilities within a company’s systems and among its personnel due to the surge in teleworking.
On April 8, 2020, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert containing detailed information on how cybercriminal and advanced persistent threat groups are exploiting the current COVID-19 global pandemic. The alert provides an overview of COVID-19-related malicious cyber activity and a non-exhaustive list of indicators of compromise for detection, based on analysis from CISA, NCSC, and industry, and offers practical mitigation advice and guidance that individuals and organizations can follow to reduce their risk of compromise.
In addition to following the CISA and NCSC advice set out in their joint alert, the following practical risk assessments should also be considered by all companies, including those deemed to be “essential businesses” under shelter-in-place orders:
In summary, it is critical that companies operating within the current remote work environment actively assess the privacy and cybersecurity risks to their enterprise; monitor existing and emerging regulatory and enforcement guidance as the situation evolves around the COVID-19 outbreak; weigh these factors against their policies, procedures, and practices currently in place; and make the necessary adjustments to maintain compliance with applicable laws. For more information about recommended steps, please contact your Foley relationship partner or one of the firm’s core privacy and cybersecurity partners. For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the CDC and the World Health Organization.
Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form.