In response to President Trump’s call to action on opioids, acting Department of Health and Human Services (HHS) Secretary Eric D. Hargan declared the opioid crisis a national public health emergency on October 26, 2017. The next day, HHS-Office for Civil Rights (OCR) released new guidance on when and how health care providers can share a patient’s health information with the patient’s family and close friends during certain crisis situations, such as opioid overdoses, without violating the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.
HIPAA prohibits health care providers from sharing protected health information about patients who have capacity to make their own health care decisions and object to information sharing, unless there is a serious and imminent threat of harm or safety. However, health care professionals may disclose some health information without a patient’s permission under certain circumstances, including:
- Sharing health information with family, close friends, or any other person identified by the patient, and involved in caring for the patient if the provider determines that doing so is in the incapacitated or unconscious patient’s best interests and the information is directly related to the family or friend’s involvement in the patient’s health care or payment for care. The provider may use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest.
- Informing persons in a position to prevent or lessen a serious or imminent threat to the patient’s health or safety.
The European Commission published its first annual report on the functioning of the EU-U.S. Privacy Shield, which protects the personal data transferred from the EU to companies in the U.S. for commercial purposes. The report was released on October 18, 2017.
The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the U.S. from the EU in a way that is consistent with EU law. The framework is based on a certification system by which U.S. companies commit to adhere to a set of Privacy Shield Principles. To join the Privacy Shield Framework, a company must self-certify to the Department of Commerce that it complies with the Principles. A company’s failure to comply with the Principles is enforceable under Section 5 of the FTC Act, which prohibits unfair or deceptive acts. The key requirements for participating companies include:
- Informing individuals about data processing
- Providing free and accessible dispute resolution
- Cooperating with the Department of Commerce
- Maintaining data integrity and purpose limitations
- Ensuring accountability for data transferred to third parties
- Transparency related to enforcement actions
- Ensuring commitments are kept as long as data is held
In the aftermath of the California wildfires, the Department of Health and Human Services (HHS) has waived sanctions and penalties against covered entities that fail to comply with provisions of the HIPAA Privacy Rule.
The waiver is similar to HHS’ response to Hurricanes Harvey and Irma, which we discussed in a previous blog post. This waiver only applies (1) in the emergency area and for the emergency period identified in the public health emergency declaration, (2) to hospitals that have instituted a disaster protocol, and (3) for up to 72 hours from the time the hospital implements its disaster protocol. Continue reading
Acknowledging that schools have “long been targets for cyber thieves,” the Federal Student Aid Office (FSA) of the U.S. Department of Education (ED) posted an alert on October 16, warning school districts and other educational institutions of criminal extortion schemes threatening to release sensitive student data. Recent, similar cyberattacks in Montana and Iowa are being investigated by the FBI.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a reminder to its listserv subscribers following the Las Vegas Strip shooting on October 1, 2017, that HIPAA covered entities are permitted to share patient protected health information (PHI) under the HIPAA Privacy Rule to carry out specific purposes and under certain circumstances.
For most disclosures, however, a covered entity must make reasonable efforts to limit the information disclosed to that which is minimally necessary to accomplish the purpose. Per OCR’s reminder, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose.
The following is a summary of OCR’s reminder and the uses and disclosures available under 45 C.F.R. §164.510.
Over the course of the last year, a number of U.S. technology companies and associations, including Intel, Samsung and the Information Technology Industry Council (ITIC) initiated a process dubbed “the National IOT Strategy Dialogue” the purpose of which was to develop strategic recommendations for U.S. government policymakers on the Internet of Things.
The group recently issued a white paper capturing the recommendations they advocate that the U.S. government undertake or implement. These players suggest that for the U.S. to win the global race to test, develop and deploy beneficial IOT technologies, that the U.S. government needs a strategic roadmap.