Healthcare Law Alert: OCR Issues Additional COVID-19 Announcements
April 10, 2020 – We previously issued Healthcare Law Alerts concerning OCR COVID-19 announcements, which may be found at the Brach Eichler COVID-19 Resource Center on the Brach Eichler website. Here’s what’s new:
Early Case Resolution With Alabama After it Removes Discriminatory Ventilator Triaging Guidelines
On April 8, 2020, the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), announced that it resolved a compliance review of the State of Alabama after the State removed ventilator rationing guidelines that allegedly discriminated on the basis of disability and age. OCR is a federal agency within HHS that, among other functions, oversees HIPAA compliance and compliance with various federal anti-discrimination laws.
This is the first OCR enforcement action following the issuance of its March 28, 2020 Bulletin on Civil Rights Laws and HIPAA Flexibilities That Apply During the COVID-19 Emergency. In that bulletin, OCR “focused on ensuring that covered entities do not unlawfully discriminate against people with disabilities when making decisions about their treatment during the COVID-19 health care emergency.” We previously issued a Healthcare Law Alert on this topic.
OCR’s compliance review, initiated after its receipt of a complaint filed by the Alabama Disabilities Advocacy Program and The ARC of the United States, included review of a 2010 Alabama document setting forth criteria for ventilator triage following a mass-casualty respiratory emergency. The document allegedly allowed the denial of ventilator services to individuals based on the presence of intellectual disabilities, including “profound mental retardation,” and “moderate to severe dementia.” The document also referenced age as a possible category for exclusion. Although Alabama had released new guidelines in February 2020, it failed to remove the old guidelines from its website and clarify that they were no longer in effect. Based on Alabama’s responsive actions in agreeing to remove the prior criteria from its website and publicly clarify that the prior guidelines are no longer in effect, the OCR closed its compliance review.
OCR Director Roger Severino stated, “Alabama and other states are free to and encouraged to adopt clear triage policies, but they must do so within the guardrails of the law. President Trump has mobilized the entire federal government to ensure that no person is left behind for lack of medical resources, but also that no one is excluded because of unlawful stereotypes or discrimination.”
Cybercriminal Exploitation of COVID-19
On April 9, 2020, OCR sent an announcement through its listserv in order to share Alert (AA20-0991), COVID-19 Exploited by Malicious Cyber Actors, a joint alert issued by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Center (NCSC).
The Alert summarizes attacks being made by cyber threat actors, who often masquerade as trusted entities, in order to effectuate schemes using coronavirus-themed phishing messages or malicious applications.
Threats observed include:
- Phishing, using the subject of coronavirus or COVID-19 as a lure;
- Malware distribution, using coronavirus- or COVID-19-themed lures;
- Registration of new domain names containing wording related to coronavirus or COVID-19; and
- Attacks against newly—and often rapidly—deployed remote access and teleworking infrastructure.
Malicious cyber actors rely on basic social engineering methods to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to:
- Click on a link or download an app that may lead to a phishing website or the downloading of malware, including ransomware. For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install “CovidLock” ransomware on their device.
- Open a file (such as an email attachment) that contains malware. For example, email subject lines contain COVID-19-related phrases such as “Coronavirus Update” or “2019-nCov: Coronavirus outbreak in your city (Emergency).”
The Alert contains detailed information about the types of cyber threats to be on alert for, and steps to take to mitigate the risks to individuals and organizations.
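As an added illustration of how a security team could operationalize the lure and domain indicators summarized above (this is example code written for this alert, not part of the CISA/NCSC Alert or of OCR's announcement), the following Python triage script scores constructed email records by coronavirus-themed subject lines and by links to recently registered coronavirus-themed domains. The registration dates, domain names, and message samples are all made up for the example; a real deployment would consult WHOIS/RDAP data instead of the inline table.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Lure wording named in the Alert summary: coronavirus, COVID-19, 2019-nCov.
LURE_RE = re.compile(r"corona|covid[-_ ]?19|2019[-_ ]?ncov", re.IGNORECASE)

# Constructed stand-in for a WHOIS/RDAP lookup: domain -> registration date.
# Every entry here is invented for this example.
REGISTRATION_DATES = {
    "example-hospital.org": date(2009, 5, 1),
    "covid19-tracker-update.example": date(2020, 3, 30),
    "corona-relief-fund.example": date(2020, 4, 2),
}

# Assumed "today" for the example so results are reproducible.
TODAY = date(2020, 4, 10)

def domain_of(url):
    """Extract the lowercased hostname from a URL ('' if none)."""
    return (urlparse(url).hostname or "").lower()

def newly_registered(domain, today=TODAY, max_age_days=30):
    """True if the domain was registered within max_age_days of today."""
    created = REGISTRATION_DATES.get(domain)
    return created is not None and (today - created).days <= max_age_days

def score_message(msg, today=TODAY):
    """Return (score, reasons) for a dict with 'subject' and 'urls' keys."""
    score, reasons = 0, []
    if LURE_RE.search(msg["subject"]):
        score += 1
        reasons.append("covid-themed subject")
    for url in msg["urls"]:
        d = domain_of(url)
        if LURE_RE.search(d):
            score += 1
            reasons.append(f"covid-themed domain {d}")
        if newly_registered(d, today):
            score += 2
            reasons.append(f"newly registered domain {d}")
    return score, reasons

# Constructed sample messages; the first two reuse subject lines quoted above.
SAMPLES = [
    {"subject": "Coronavirus Update", "urls": ["https://covid19-tracker-update.example/app.apk"]},
    {"subject": "2019-nCov: Coronavirus outbreak in your city (Emergency)", "urls": ["http://corona-relief-fund.example/login"]},
    {"subject": "Visitor policy changes", "urls": ["https://example-hospital.org/visitors"]},
]

def triage(messages=SAMPLES, today=TODAY, threshold=3):
    """Return [(subject, score, reasons)] for messages at or above threshold."""
    flagged = []
    for m in messages:
        s, r = score_message(m, today)
        if s >= threshold:
            flagged.append((m["subject"], s, r))
    return flagged
```

Running `triage()` flags the two lure-themed messages (score 4 each) and leaves the legitimate hospital notice at score 0; the threshold keeps a benign "coronavirus" subject from a long-established domain below the alerting line.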
Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency
On April 9, 2020, the OCR published a Notification of Enforcement Discretion announcing that it will “exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules against covered entities or business associates in connection with the good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency. This exercise of enforcement discretion is effective immediately, but has a retroactive effect to March 13, 2020.”
The Notification was issued in order to support covered healthcare providers and their business associates, including some large pharmacy chains, that may participate in the operation of a COVID-19 Community-Based Testing Site (CBTS). These sites include mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public. The operation of a CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing.
OCR encourages healthcare providers participating in the “good faith operation” of a CBTS to implement reasonable safeguards to protect the privacy and security of protected health information (PHI), including:
- Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment.
- Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
- Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. (A six-foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.)
- Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
- Using secure technology at a CBTS to record and transmit electronic PHI.
- Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.
Although covered healthcare providers and business associates are encouraged to implement these reasonable safeguards at a CBTS, OCR will not impose penalties for HIPAA violations that occur in connection with the “good faith operation” of a CBTS.
OCR warned, however, that the Notification does not apply to covered healthcare providers and their business associates when such entities are performing non-CBTS related activities, including the handling of PHI outside of the operation of the CBTS. By way of example, a pharmacy that participates in the operation of a CBTS in the parking lot of its retail pharmacy facility could be subject to HIPAA liability for violations that occur inside the retail pharmacy that are unrelated to the CBTS.