With the ever-increasing use of mobile devices in the workplace that create, receive, maintain, and transmit electronic protected health information (ePHI), the Department of Health and Human Services (HHS), Office for Civil Rights (OCR)’s latest Cybersecurity Newsletter issued an important reminder of the importance of mitigating the risks surrounding the use of mobile devices.
Mobile devices pose unique security risks because of their portability, small physical size, and capacity to store vast amounts of data. Both the Federal Trade Commission (FTC) and OCR frequently remind all organizations, but especially those entities that process ePHI, of the importance of protecting data on mobile devices.
In response to President Trump’s call to action on opioids, acting Department of Health and Human Services (HHS) Secretary Eric D. Hargan declared the opioid crisis a national public health emergency on October 26, 2017. The next day, HHS-Office for Civil Rights (OCR) released new guidance on when and how health care providers can share a patient’s health information with the patient’s family and close friends during certain crisis situations, such as opioid overdoses, without violating the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.
HIPAA prohibits health care providers from sharing protected health information about patients who have capacity to make their own health care decisions and object to information sharing, unless there is a serious and imminent threat of harm or safety. However, health care professionals may disclose some health information without a patient’s permission under certain circumstances, including:
- Sharing health information with family, close friends, or any other person identified by the patient, and involved in caring for the patient if the provider determines that doing so is in the incapacitated or unconscious patient’s best interests and the information is directly related to the family or friend’s involvement in the patient’s health care or payment for care. The provider may use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest.
- Informing persons in a position to prevent or lessen a serious or imminent threat to the patient’s health or safety.
In the aftermath of the California wildfires, the Department of Health and Human Services (HHS) has waived sanctions and penalties against covered entities that fail to comply with provisions of the HIPAA Privacy Rule.
The waiver is similar to HHS’ response to Hurricanes Harvey and Irma, which we discussed in a previous blog post. This waiver only applies (1) in the emergency area and for the emergency period identified in the public health emergency declaration, (2) to hospitals that have instituted a disaster protocol, and (3) for up to 72 hours from the time the hospital implements its disaster protocol. Continue reading
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a reminder to its listserv subscribers following the Las Vegas Strip shooting on October 1, 2017, that HIPAA covered entities are permitted to share patient protected health information (PHI) under the HIPAA Privacy Rule to carry out specific purposes and under certain circumstances.
For most disclosures, however, a covered entity must make reasonable efforts to limit the information disclosed to that which is minimally necessary to accomplish the purpose. Per OCR’s reminder, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose.
The following is a summary of OCR’s reminder and the uses and disclosures available under 45 C.F.R. §164.510.
A proposed ballot measure that would require businesses to provide annual disclosures to consumers on the collection or sale of personal information has been filed with the California Attorney General. If 365,880 signatures are obtained, it may appear on the November 2018 ballot.
The initiative is based on California’s “Shine the Light Law” which sets forth the procedures companies must follow in disclosing, upon request of a consumer, what information has been shared with third parties. The law also contains specific language to be included in online privacy policies.
HHS-OCR issued a limited waiver of HIPAA Sanctions and Penalties Notice for both Hurricane Harvey and Hurricane Irma. In late August and early September, Secretary Price declared Public Health Emergencies in Texas, Louisiana, Puerto Rico, the U.S. Virgin Islands, and Florida and President Trump shortly followed suit with emergency declarations for both hurricanes, as well. Since both President Trump and Secretary Price declared an emergency for Hurricane Harvey and Hurricane Irma, the Secretary of HHS may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.