[Updated May 8, 2020] Summary of Federal Privacy Guidance, Waivers, and Enforcement Discretion for Health Information Professionals

By Lauren Riplinger, JD

[NEW] Advanced Persistent Threat (APT) Groups Target Healthcare and Essential Services

The United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert regarding APT groups targeting healthcare and essential services. CISA and NCSC continue to see indications that APT groups are exploiting the COVID-19 pandemic as part of their cyber operations.

APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.

APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.

The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.

CISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors are using this type of attack to target healthcare entities in a number of countries—including the United Kingdom and the United States—as well as international healthcare organizations.

Password spraying is a commonly used style of brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on. This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords.

Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. The actors will then “spray” the identified accounts with lists of commonly used passwords.

Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.

In previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization’s Global Address List (GAL). The actors then used the GAL to password spray further accounts.
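The pattern described above (one password tried against many accounts, with few attempts per account so lockouts never trigger) shows up in authentication logs when failures are counted per source across accounts instead of per account. The following is an added example, not part of the CISA/NCSC alert or the original article; the log format, thresholds, and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, account, result.
# Source addresses come from the documentation-only ranges.
SAMPLE_LOG = """\
2020-05-05T09:00:05 198.51.100.7 asmith FAIL
2020-05-05T09:00:10 198.51.100.7 bjones FAIL
2020-05-05T09:00:15 198.51.100.7 cwhite FAIL
2020-05-05T09:00:20 198.51.100.7 jdoe FAIL
2020-05-05T09:00:25 198.51.100.7 kpatel FAIL
2020-05-05T09:00:30 198.51.100.7 lnguyen FAIL
2020-05-05T09:40:05 198.51.100.7 asmith FAIL
2020-05-05T09:40:10 198.51.100.7 bjones FAIL
2020-05-05T09:40:15 198.51.100.7 cwhite FAIL
2020-05-05T09:40:20 198.51.100.7 jdoe SUCCESS
2020-05-05T09:40:25 198.51.100.7 kpatel FAIL
2020-05-05T09:40:30 198.51.100.7 lnguyen FAIL
2020-05-05T09:05:00 203.0.113.20 mlee FAIL
2020-05-05T09:05:10 203.0.113.20 mlee FAIL
2020-05-05T09:05:20 203.0.113.20 mlee FAIL
2020-05-05T09:05:30 203.0.113.20 mlee FAIL
2020-05-05T09:05:40 203.0.113.20 mlee FAIL
2020-05-05T09:05:50 203.0.113.20 mlee FAIL
2020-05-05T09:07:00 203.0.113.20 mlee SUCCESS
2020-05-05T09:10:00 192.0.2.44 rgarcia FAIL
2020-05-05T09:25:00 192.0.2.44 tchen FAIL
2020-05-05T09:50:00 192.0.2.44 wbrown FAIL
"""


def parse_events(text):
    """Return (timestamp, source, account, result) tuples in time order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, source, account, result = parts
        events.append((datetime.fromisoformat(ts), source, account.lower(), result))
    return sorted(events)


def detect_spray(events, window=timedelta(hours=1), min_accounts=5, max_avg_failures=3.0):
    """Flag sources whose failures are broad (many accounts) but shallow
    (few attempts per account) inside one sliding window."""
    by_source = defaultdict(list)
    for event in events:
        by_source[event[1]].append(event)

    findings = []
    for source, evs in sorted(by_source.items()):
        fails = [(ts, acct) for ts, _, acct, res in evs if res == "FAIL"]
        best = None  # (window start, failures per account) of the widest window
        for i, (start, _) in enumerate(fails):
            per_account = defaultdict(int)
            for ts, acct in fails[i:]:
                if ts - start > window:
                    break
                per_account[acct] += 1
            total = sum(per_account.values())
            broad = len(per_account) >= min_accounts
            shallow = total / len(per_account) <= max_avg_failures
            if broad and shallow and (best is None or len(per_account) > len(best[1])):
                best = (start, dict(per_account))
        if best is None:
            continue
        start, per_account = best
        # Any successful login from a flagged source is a candidate compromise.
        successes = sorted({a for ts, _, a, r in evs if r == "SUCCESS" and ts >= start})
        findings.append({
            "source": source,
            "first_seen": start,
            "accounts": len(per_account),
            "failures": sum(per_account.values()),
            "successes": successes,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_events(SAMPLE_LOG)):
        print(finding)
```

A per-account lockout counter sees at most two failures for any account in this sample, which is why the per-source view is needed; the single user with six failures on one account and the shared address with three unrelated failures are not flagged.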

NCSC has previously provided examples of frequently found passwords, which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.

CISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.

Mitigations. CISA and NCSC have previously published information for organizations on password spraying and improving password policy. Putting this into practice will significantly reduce the chance of compromise from this kind of attack.
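One way to apply the password-policy advice to the patterns named above (passwords based on the month, the season, or the organization's name) is a check at password-change time. This is an added example, not code from CISA, NCSC, or the original article; the function names, the substitution table, and the organization name "Acme Health" are assumptions made for illustration.

```python
import re

MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}

# Common character substitutions, undone before comparison (assumed table).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Digits and decoration commonly added before or after a base word.
_EDGE = re.compile(r"^[\d!.#*?_\-]+|[\d!.#*?_\-]+$")


def stem(password):
    """Strip leading/trailing digits and decoration, lowercase the rest,
    then undo substitutions inside the remaining word."""
    core = _EDGE.sub("", password).lower()
    return core.translate(LEET)


def weak_reason(password, org_names):
    """Return why a proposed password should be rejected, or None.

    Covers only the three patterns named in the text; a real policy would
    also consult a list of breached and commonly used passwords."""
    base = stem(password)
    orgs = {re.sub(r"[^a-z]", "", name.lower()) for name in org_names}
    if base in MONTHS:
        return "month"
    if base in SEASONS:
        return "season"
    if base in orgs:
        return "organization"
    return None


def audit(passwords, org_names):
    """Return (password, reason) pairs for every proposed password rejected."""
    rejected = []
    for candidate in passwords:
        reason = weak_reason(candidate, org_names)
        if reason is not None:
            rejected.append((candidate, reason))
    return rejected


if __name__ == "__main__":
    # Constructed sample inputs.
    proposed = ["Summer2020!", "M@y2020", "Acm3Health#1", "correct-horse-battery"]
    for candidate, reason in audit(proposed, ["Acme Health"]):
        print(f"reject {candidate!r}: based on {reason}")
```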

CISA’s Cyber Essentials for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT professionals to put that culture into action. Additionally, the UK government’s Cyber Aware campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.

A number of other mitigations will be of use in defending against the campaigns detailed in this report:

CISA encourages US users and organizations to contribute any additional information that may relate to this threat by emailing CISAServiceDesk@cisa.dhs.gov.

[NEW] Guidance on Covered Healthcare Providers and Restrictions on Media Access to Protected Health Information About Individuals in Facilities

During the current COVID-19 public health emergency, covered healthcare providers are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI. Masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient, as a valid HIPAA authorization is still required before giving the media such access. Reasonable safeguards should be used to protect the privacy of patients whenever the media is granted access to facilities including: installing computer monitor privacy screens to prevent the film crew from viewing PHI on computers, and setting up opaque barriers to block the film crew’s access to the PHI of patients who did not sign an authorization. OCR’s entire guidance may be found here.

Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites (CBTS) [1]

During the COVID-19 national emergency, certain covered health care providers, including large pharmacy chains, and their business associates may choose to participate in the operation of COVID-19 specimen collection and testing sites (Community-Based Testing Sites, or CBTS). A CBTS includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.

Effective March 13, 2020, the HHS Office for Civil Rights (OCR) will exercise enforcement discretion and will not impose penalties for noncompliance with HIPAA against all covered providers and their business associates in connection with good faith participation in the operation of a CBTS during the COVID-19 nationwide PHE. The operation of a CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing.

Covered providers participating in good faith operation of a CBTS are encouraged to implement reasonable safeguards to protect the privacy and security of individuals’ PHI. Reasonable safeguards include the following:

  • Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment.
  • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
  • Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. (A six-foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.)
  • Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
  • Using secure technology at a CBTS to record and transmit electronic PHI.
  • Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.

Covered providers and business associates are encouraged to implement these reasonable safeguards at a CBTS; however, OCR will not impose penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in connection with the good faith operation of a CBTS.

This notification does not apply to health plans or healthcare clearinghouses when they are performing health plan and clearinghouse functions. If an entity performs both plan and provider functions, the notification applies to the entity only in its role as a covered health care provider and only to the extent that it participates in a CBTS. The notification also does not apply to covered providers or their business associates when such entities are performing non-CBTS related activities, including the handling of PHI outside of the operation of a CBTS. Potential HIPAA penalties still apply to all other HIPAA-covered operations of the covered provider or business associate, unless otherwise stated by OCR.

For example:

  • A pharmacy that participates in the operation of a CBTS in the parking lot of its retail facility could be subject to a civil money penalty for HIPAA violations that occur inside its retail facility at that location that are unrelated to the CBTS.
  • A covered clinical laboratory that has workforce members working on site at a CBTS could be subject to a civil money penalty for HIPAA violations that occur at the laboratory itself.
  • A covered provider that experiences a breach of PHI in its existing electronic health record system, which includes PHI gathered from the operation of a CBTS, could be subject to a civil money penalty for violations of the HIPAA Breach Notification Rule if it fails to notify all individuals affected by the breach (including individuals whose PHI was created or received from the operation of a CBTS).

The notification will remain in effect until the Secretary of HHS declares that the public health emergency (PHE) no longer exists or upon the expiration date of the declared PHE, including any extensions, whichever occurs first.

FBI Guidance on Defending Against VTC Hijacking and Zoom-bombing [2]

The Federal Bureau of Investigation (FBI) has released an article on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when the attacks target the Zoom VTC platform). Many organizations and individuals are increasingly dependent on VTC platforms, such as Zoom and Microsoft Teams, to stay connected during the Coronavirus Disease 2019 (COVID-19) pandemic. The FBI has released this guidance in response to an increase in reports of VTC hijacking.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the FBI article as well as the following steps to improve VTC cybersecurity:

  • Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
  • Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
  • Ensure VTC software is up to date. See Understanding Patches and Software Updates.

CISA also recommends the following VTC cybersecurity resources:

Individual Posing as OCR Investigator

It has come to OCR’s attention that an individual posing as an OCR Investigator has contacted HIPAA covered entities in an attempt to obtain protected health information (PHI). The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.

HIPAA covered entities and business associates should alert their workforce members and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address. If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI).  The FBI issued a public service announcement about COVID-19 fraud schemes.

HHS OCR Enforcement Discretion for Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities [3]

Effective April 2, 2020, OCR will exercise its enforcement discretion and will not impose potential penalties against covered healthcare providers or their business associates under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) provided:

  • The business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b) or health oversight activities consistent with 45 CFR 164.512(d); and
  • The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).

This enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. Nor does this notification address the federal or state laws (including breach of contract claims) that might apply to the uses and disclosures of this information.

Examples of good faith uses or disclosures covered by this notification can be found here.

HHS OCR Guidance Regarding PHI of Individuals Exposed to COVID-19 [4]

The HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of an individual who has been infected with, or exposed to, COVID-19 to law enforcement, paramedics, other first responders, and public health authorities[5] without the individual’s HIPAA authorization, in certain circumstances, including the following[6]:

  • When disclosure is needed to provide treatment. For example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital’s emergency department. 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(2).
  • When such notification is required by law. For example, HIPAA permits a covered entity, such as a hospital, to disclose PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials. 45 CFR 164.512(a).
  • To notify a public health authority in order to prevent or control spread of disease. For example, HIPAA permits a covered entity to disclose PHI to a public health authority (such as the Centers for Disease Control and Prevention (CDC), or state, tribal, local, and territorial public health departments) that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, public health investigations, and public health interventions. 45 CFR 164.512(b)(1)(i); see also 45 CFR 164.501 (providing the definition of “public health authority”).
  • When first responders may be at risk of infection. A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).
  • When disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. A covered entity may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat. For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties. 45 CFR 164.512(j)(1).
  • When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual, if the facility or official represents that the PHI is needed for:
    • providing health care to the individual;
    • the health and safety of the individual, other inmates, officers, employees and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates;
    • law enforcement on the premises of the correctional institution; or
    • the administration and maintenance of the safety, security, and good order of the correctional institution. For example, HIPAA permits a covered entity, such as a physician, located at a prison medical facility to share an inmate’s positive COVID-19 test results with correctional guards at the facility for the health and safety of all people at the facility. 45 CFR 164.512(k)(5).

General Considerations: Except when required by law, or for treatment disclosures, a covered entity must make reasonable efforts to limit the information used or disclosed under any provision listed above to that which is the “minimum necessary” to accomplish the purpose for the disclosure. 45 CFR 164.502(b).

In some cases, more than one provision of the HIPAA Privacy Rule may apply to permit a particular use or disclosure of PHI by a covered entity. Additional examples related to this guidance can be found here.

HHS OCR Enforcement Discretion for Telehealth Remote Communications [7]

OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  This notification is effective immediately.

A covered healthcare provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.

Under the notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Under the notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered healthcare providers.

Covered healthcare providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products.  The list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • me
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings / Webex Teams
  • Amazon Chime
  • GoToMeeting
  • Spruce Health Care Messenger

Note: OCR has not reviewed the BAAs offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity. Further, OCR does not endorse any of the applications that allow for video chats listed above.

Under the notice OCR will not impose penalties against covered healthcare providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.

An OCR FAQ on telehealth and HIPAA during the COVID-19 public health emergency can be found here.

HHS OCR Waiver of Sanctions and Penalties [8]

In response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar’s earlier declaration of a public health emergency on January 31, 2020, Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b)
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a)
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a)
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

The waiver became effective on March 15, 2020. When the Secretary issues such a waiver, it only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

SAMHSA COVID-19 Public Health Emergency Response and 42 CFR Part 2 Guidance [9]

In accordance with the Centers for Disease Control and Prevention guidelines on social distancing, as well as state or local government-issued bans or guidelines on gatherings of multiple people, many substance use disorder treatment provider offices are closed, or patients are not able to present for treatment services in person. Therefore, there has been an increased need for telehealth services, and in some areas without adequate telehealth technology, providers are offering telephonic consultations to patients. In such instances, providers may not be able to obtain written patient consent for disclosure of substance use disorder records.

The prohibitions on use and disclosure of patient identifying information under 42 CFR Part 2 would not apply in these situations to the extent that, as determined by the provider(s), a medical emergency exists. Under 42 U.S.C §290dd-2(b)(2)(A) and 42 CFR §2.51, patient identifying information may be disclosed by a part 2 program or other lawful holder to medical personnel, without patient consent, to the extent necessary to meet a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained. Information disclosed to the medical personnel who are treating such a medical emergency may be re-disclosed by such personnel for treatment purposes as needed. SAMHSA notes that Part 2 requires programs to document certain information in their records after a disclosure is made pursuant to the medical emergency exception. SAMHSA emphasizes that, under the medical emergency exception, providers make their own determinations whether a bona fide medical emergency exists for purposes of providing needed treatment to patients.[10]

Lauren Riplinger, JD, (Lauren.Riplinger@ahima.org) is Vice President, Policy & Government Affairs, at AHIMA.

Notes
  1. HHS. Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency. www.hhs.gov/sites/default/files/notification-enforcement-discretion-community-based-testing-sites.pdf.
  2. Department of Homeland Security. CISA. FBI Releases Guidance on Defending Against VTC Hijacking and Zoom-bombing. us-cert.gov/ncas/current-activity/2020/04/02/fbi-releases-guidance-defending-against-vtc-hijacking-and-zoom.
  3. Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19. www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf.
  4. Office of Civil Rights. COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities. www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf.
  5. Under HIPAA, “public health authority” means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. 45 CFR 164.501 (definition of “public health authority”).
  6. The HIPAA Privacy Rule limitations only apply if the entity or individual that is disclosing protected health information meets the definition of a HIPAA covered entity or business associate. This guidance provides examples of disclosures from certain types of entities, some of which are covered by HIPAA, and others that may not be. While the entities in the examples are covered under HIPAA, the examples are not intended to imply that all public health authorities, 911 call centers, or prison doctors, for example, are covered by HIPAA and are required to comply with the HIPAA Rules.
  7. Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.
  8. COVID-19 & HIPAA Bulletin limited waiver of HIPAA sanctions and penalties during a nationwide public health emergency. www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf.
  9. COVID-19 public health emergency response and 42 CFR Part 2 guidance. www.samhsa.gov/sites/default/files/covid-19-42-cfr-part-2-guidance-03192020.pdf.
  10. Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act enacted on March 27, 2020 will require an initial, affirmative, written consent from patients. Once the initial written consent of the patient has been obtained, a patient’s substance use health information may be used, disclosed or redisclosed by a covered entity, business associate or a Part 2 program for purposes of treatment, payment or healthcare operations as permitted under HIPAA. HHS shall make the necessary revisions to the 42 CFR Part 2 regulation no later than 1 year after the date of enactment of the CARES Act.
1 Comment

  1. Individuals (YouTubers) are filming the testing sites claiming 1st Amendment rights. Is this going against the patients’ privacy rights or HIPAA? Personally I think these individuals are invading a person’s privacy and something needs to be done. They are only harassing people for clicks, views and revenue. Please have something done if possible. Thank you