OCR Issues Guidance on HIPAA, COVID-19 Vaccination and the Workplace

By: Margaret Young Levi

On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.

The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds readers that HIPAA applies only to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.

HIPAA does not prohibit any person, whether an individual, a business, or a HIPAA covered entity, from asking individuals, such as customers or clients, whether they have received a COVID-19 vaccine. First, OCR makes clear that HIPAA applies only to HIPAA covered entities and not to other individuals or entities. Second, although HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit their ability to ask patients or visitors whether they have been vaccinated.

The guidance clarifies that HIPAA does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.

Senators Propose U.S. Cybersecurity Incident Notification Law

This post was originally published on July 21, 2021. See important “Update” below.

UPDATE: On March 15, 2022, President Biden signed H.R. 2471, the Consolidated Appropriations Act of 2022, which includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 ("CIRCIA"). CIRCIA, which appears as Division Y of H.R. 2471, retains several elements of the initial Senate bill that was the subject of this article, with some variations; notably, the enacted law requires covered entities to report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours, rather than the single 24-hour window proposed in the Senate bill. The reporting obligations do not take effect until CISA completes rulemaking: CISA has 24 months from enactment to publish a notice of proposed rulemaking and 18 months after that to issue a final rule.

——————————————————

In light of the escalation in ransomware and other cyber threats, a bipartisan group of U.S. Senators has released a cybersecurity notification bill titled "Cyber Incident Notification Act of 2021." Under the proposed bill, a "covered entity" would be required to report a "cybersecurity intrusion" or "potential cybersecurity intrusion" to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of confirmation of the intrusion. Covered entities also would be required to submit updated cybersecurity threat information to CISA within 72 hours after the discovery of new information. The requirement for updates would continue until the incident is mitigated or any follow-up investigation is completed.

Although the term “cybersecurity intrusion” would be defined in future rulemaking with public comment, the bill provides, at a minimum, that the term include ransomware if it falls into one of six broad categories. The categories include ransomware involving a nation-state, an advanced persistent threat cyber actor, or a transnational organized crime group. The categories also include ransomware that results in or has the potential to result in harm to national security interests, the U.S. economy, or to public confidence, civil liberties, or public health and safety. In essence, it would encompass most types of ransomware.

The term "covered entity" also is to be defined by future rulemaking but, per the bill, "shall include, at a minimum, Federal contractors, owners or operators of critical infrastructure, as determined appropriate by the Director based on assessment of risks posed by compromise of critical infrastructure operation, and nongovernmental entities that provide cybersecurity incident response services." CISA's list of critical infrastructure sectors includes Information Technology, Communications, Healthcare and Public Health, Emergency Services, Financial Services, Energy, Food and Agriculture, Commercial Facilities, and Critical Manufacturing, among others. CISA publishes the full list of its current "critical infrastructure" sectors, with a detailed description of each, on its website.

To incentivize compliance, the law would allow the CISA Director to assess a civil penalty up to 0.5 percent of the entity’s gross revenue from the prior year for each day it violates the requirements under the law or under rules promulgated under the law. The Director would be allowed to “take into account mitigating or aggravating factors, including the nature, circumstances, extent, and gravity of the violations and, with respect to the covered entity, the covered entity’s ability to pay, degree of culpability, and history of prior violations.”


A Supreme Development in Employer Computer Protection

By: Courtney Samford, with contributing author Blake Sims, Wyatt Summer Associate


Employers commonly supply computers and other work devices to employees and state that the electronics may be used only for business-related purposes, and employers have always had the ability to discipline employees who violate computer use policies through improper use. In some federal circuits, employers may also have been able to rely on the threat of criminal and civil liability under 18 U.S.C. § 1030, the Computer Fraud and Abuse Act (CFAA), to further deter improper use. On June 3, 2021, however, a 6-3 majority of the Supreme Court, composed of three conservative and three liberal justices, reversed the Eleventh Circuit Court of Appeals in Van Buren v. United States, holding that an individual "exceeds authorized access" under Section 1030 of the CFAA only "when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him." Van Buren v. United States, No. 19-783 (Sup. Ct. June 3, 2021). In other words, an employee who accesses information the employer has permitted him to access, but does so for a prohibited purpose, does not "exceed authorized access" under the CFAA; only accessing areas of the system that are actually closed to him does.


INFORMATION BLOCKING RULE EFFECTIVE APRIL 5, 2021: ARE PROVIDERS READY?

By Kathie McDonald-McClure and Margaret Young Levi

The Information Blocking Final Rule, a provision of the 21st Century Cures Act geared towards ensuring access, exchange and use of electronic health information (EHI), was published on May 1, 2020, and became effective on June 20, 2020. However, the U.S. Department of Health and Human Services' (HHS) Office of the National Coordinator for Health IT (ONC) extended the compliance effective dates for the Final Rule several times over the last year, and most providers were hopeful that it would be extended once again, but there are no more delays. Information Blocking compliance is now effective, as of April 5, 2021. Health care providers should take immediate steps to ensure compliance.


HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021 (Public Law 116-321). This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA).

Specifically, the Amendment requires HHS to "consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place" when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule. The Amendment defines "recognized security practices" to include the standards, guidelines, best practices, methodologies, procedures and processes developed under the NIST Cybersecurity Framework, the approaches developed under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and are developed, recognized or promulgated through regulations under other statutory authorities. Organizations therefore should be able to document, not merely assert, that such practices were in place throughout the 12 months preceding a breach.
