OCR Issues Guidance on HIPAA, COVID-19 Vaccination and the Workplace

By: Margaret Young Levi

On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.

The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds that HIPAA only applies to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and it does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.

HIPAA does not prohibit businesses, individuals, or HIPAA covered entities from asking whether their customers or clients have received a COVID-19 vaccine. HIPAA does not prohibit any person, whether an individual or a business or a HIPAA covered entity, from asking individuals whether they have received a COVID-19 vaccine. First, OCR makes it clear that HIPAA only applies to HIPAA covered entities, and it does not apply to other individuals or entities. Second, even though HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit the ability of covered entities to ask patients or visitors whether they have been vaccinated.

The guidance clarifies that HIPAA does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.
Continue reading

Healthcare Privacy Practices Notice Must Include Nondiscrimination Notice

By Margaret Young Levi and Kathie McDonald-McClureprivacy policy

Among the many mandates of the Affordable Care Act (ACA) (a/k/a “Obama Care”) still in force today is Section 1557. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is the agency vested with responsibility for implementing and enforcing Section 1557. On May 16, 2016, OCR issued a Final Rule that requires entities covered by the ACA to notify beneficiaries, enrollees, applicants, or members of the public of Section 1557’s nondiscrimination prohibitions. This notice must be included in the entity’s “significant” publications and communications.

You might ask, “Why am I reading about this on a legal blog about privacy and security?”  This is because OCR determined that the Notice of Privacy Practices, which healthcare providers and health plans issue to patients and plan members, is a “significant” publication or communication. As a result, health care providers and health plans that are subject to both Section 1557 and the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must add the Section 1557 nondiscrimination notices and taglines to their Notice of Privacy Practices. Health plans should add such notices and taglines to their Summary of Benefits and Coverage as well.

Continue reading

Massive malicious email campaign spoofs Google Docs to hijack Gmail accounts

A massive email phishing campaign started Wednesday afternoon.  The email attacks target Google accounts but have spread to other email accounts as people have been tricked into clicking on the link in the email and have unwittingly supplied their Google account access credentials and access to their contacts.

The reports of the malicious emails are coming from people across a range of industries. The emails contain what looks like a link to a Google Docs and appears to come from someone you know. These emails, however, are malicious and are designed to trick the recipient in a way that allows the cybercriminal to hijack email accounts or infect the user’s computer.

If you receive an email with a link to Google Docs, BEWARE!  These emails are designed to look like they come from a trusted or known source.  Do not click on any links in emails that you were not expecting.

A screen shot of one of the Google Docs phishing emails is shown below. If you receive one of these emails, delete it ASAP.  If you use Gmail or Google Inbox, consider activating the 2-factor authentication feature to secure your account.

Several major news organizations and cable networks are reporting on this story.  For the most up-to-date news on this developing story, use your favorite internet search engine to search for “google phishing email scam”.

A sample Google Docs phishing email.  The form and style of the email may vary from this sample.Sample Google Docs Phishing Email

To read Google’s Gmail Help on phishing emails, use your preferred internet search engine and search for: “Google Help and how to avoid and report phishing emails”.

If you are attacked by malware or a phishing email that compromises your organization’s privacy and security, Wyatt’s experienced Data Security Incident Response Team is ready to help.

Can blockchain technology solve healthcare IT security and interoperability challenges?

On March 20-21, 2017, multiple healthcare technology companies came together in Washington, D.C. to host The Healthcare Blockchain Summit.  Blockchain, the technology that underpins bitcoin technology, keeps data secure in a “distributed, encrypted ledger” while allowing control over who can access that ledger.  This is the hottest technology being discussed today as a way to secure confidential or sensitive data.

The on-line technology publication, Wired, describes blockchain’s security method in a February 1, 2017 article as follows: “Rather than having one central administrator that acts as a gatekeeper to data—a list of digital transactions—there’s one shared ledger, but it’s spread across a Continue reading