Cybersecurity
Subscribe to Cybersecurity's Posts

Digital Health 101: OCR Issues Resources to Educate Patients on Telehealth, PHI

BACKGROUND

On October 18, 2023, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) issued two resource documents to help explain the privacy and security risks to patients’ protected health information (PHI) when using telehealth services, along with ways to reduce these risks. In a press release announcing the guidance, OCR Director Melanie Fontes Rainer stated that “[t]elehealth is a wonderful tool that can increase patients’ access to [healthcare] and improve [healthcare] outcomes. [Healthcare] providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices, so patients are confident that their health information remains private.”

These new resources exemplify the trend of increased scrutiny in the digital health environment, aimed at ensuring that patient data is protected, secured and confidential (including with respect to pixel technology disclosures, artificial intelligence usage guidelines, state-level data privacy laws and medical board guidelines).

IN DEPTH

Resource #1: Outlining the Risks of Telehealth

With the release of this educational resource, developed on a recommendation from the Government Accountability Office (GAO) in a September 2022 report, OCR intends to help healthcare providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications for telehealth.

OCR notes that the Health Insurance Portability and Accountability Act Privacy, Security and Breach Notification Rules (HIPAA Rules) do not require covered healthcare providers to educate patients about privacy and security risks. However, the OCR’s educational resource is intended to assist providers who would like to 1) explain the privacy and security risks to patients’ PHI when using telehealth services and 2) share ways to reduce these risks. This information may also be helpful to a patient’s family or personal representative. HHS encourages and reminds providers to be mindful of inclusionary mechanisms when communicating with individuals with disabilities (e.g., providing auxiliary resources, using language assistance services or providing written translations of materials).

The educational resource provides suggestions for discussing the following:

  • What telehealth is, and which technologies will be used during the telehealth encounter
  • The importance of PHI privacy and security
  • Risks and mitigation strategies when PHI is shared, stored or transferred using remote communication technologies
  • Which communication technology vendors are used in delivering the services and how to view their privacy and security policies
  • The right to file a privacy complaint with OCR under HIPAA

Resource #2: PHI Security Tips for Patients

OCR’s patient tips resource provides recommendations that patients can implement to protect their privacy, security and confidentiality when interacting via telehealth technologies, including the following:

  • Conducting the telehealth appointment in a private location (e.g., a private room or a parked car), wearing headphones and avoiding using a speakerphone
  • Turning off nearby electronic devices that may overhear or record information
  • Avoiding using a [...]

    Continue Reading



read more

Top Takeaways | Cybersecurity & Insurance Coverage in the Age of Telehealth: Understanding and Mitigating Your Risk

With more frequent and more severe ransomware attacks against health care platforms and vendors and the increasing use of telemedicine, it is critical to understand how to proactively defend your organization using robust legal, regulatory and cyber-coverage strategies. In this webinar, McDermott partners Dale Van Demark and Edward Zacharias joined Brett Buchanan of Marsh & McLennan Agency and Larry Hansard of Gallagher USA to explore the intersection of telemedicine and cybersecurity. Our panelists offered attendees a road map for navigating this rapidly changing space, including practical strategies for shoring up their defenses and addressing potential risks to their businesses.

  1. Providers engaging in telemedicine should consider three critical areas of insurance coverage: medical professional liability, technology errors and omissions, and cyber/privacy liability. “Several carriers have packaged these three important coverages into a one-policy format, referred to as a virtual health program,” Hansard said.
  2. A medical professional liability program should include incident reporting, punitive damages, and sexual abuse and molestation. The latter may seem surprising in a telemedicine context, but is important given reports of inappropriate patient behavior during telemedicine encounters, Hansard said.
  3. New telehealth technologies, such as AI chatbots for patient intake, create new and more complex bodily injury exposures, Buchanan said. “Working with an insurance underwriter that understands these nuances is absolutely key,” he said. In addition to bodily injury, coverage should include technology errors and omissions, cyber liability and general liability.

Click here for the full list of highlights.
Click here to view the full webinar.




read more

California Voters Approve the California Privacy Rights Act

On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) ballot initiative with slightly under 60% of votes to approve the measure (as of publication). The ballot initiative, which was submitted by the architects of the California Consumer Privacy Act of 2018 (CCPA), had earlier garnered 900,000 signatures—far more than the roughly 625,000 necessary for certification on the 2020 ballot.

The CPRA amends the CCPA, adds new consumer rights, clarifies definitions and creates comprehensive privacy and data security obligations for processing and protecting personal information. These material changes will require businesses to—again—reevaluate their privacy and data security programs to comply with the law.

Effective date and timeline for enforcement

The CPRA amendments become operative on January 1, 2023, and will apply to personal information collected by businesses on or after January 1, 2022 (except with respect to a consumer’s right to access their personal information). Enforcement of the CPRA amendments will not begin until July 1, 2023.

The CCPA’s existing exemptions for business contacts, employees, job applicants, owners, directors, officers, medical staff members and independent contractors will remain in effect until December 31, 2022.

The newly created California Privacy Protection Agency (“Agency”) will be required to adopt final regulations by July 1, 2022. For more information about the Agency and its role in enforcing the amended CCPA, see our previous article.

The passage of the CPRA does not affect the enforceability of the CCPA as currently implemented.

New rights under the CPRA

In addition to the CCPA’s rights to know, to delete, and to opt out of the sale of personal information, the CPRA creates the following new rights for California consumers:

  • The right to correct personal information
  • The right to limit the use of sensitive personal information
  • The right to opt out of the “sharing” of personal information

These rights are explained in greater detail in our previous article.

New compliance obligations for businesses subject to the CPRA?

The CPRA creates new obligations that are similar to the data processing principles found in the European Union’s General Data Protection Regulation (GDPR). Such responsibilities include:

  • Transparency: Businesses must specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice;
  • Purpose limitation: Businesses may only collect consumer’s personal information for specific, explicit and legitimate disclosed purposes and may not further collect, use or disclose consumers’ personal information for reasons incompatible with those purposes;
  • Data minimization: Businesses may collect consumers’ personal information only to the extent that it is relevant and necessary to the purposes for which it is being collected, used and shared;
  • Consumer rights: Businesses must provide consumers with easily accessible means to obtain their personal information, delete it or correct it, and to opt out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive information; and
  • Security: Businesses are required to take reasonable precautions to [...]

    Continue Reading



read more

New Proposed CCPA Regulations Add Clarity to Process for Opting Out of Sale of Personal Information

On October 12, 2020, the California Department of Justice announced the release of a new, third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The proposed modifications amend a final set of regulations that were approved by the California Office of Administrative Law just two months earlier.

The Third Set of Proposed Modifications to the CCPA Regulations released on October 12 do not make substantial changes to the previously final set of CCPA regulations. The majority of the proposed modifications serve to clarify existing requirements rather than add new requirements or materially alter existing ones. As a result, the new proposed modifications should help businesses better understand what is expected to maintain compliance with certain aspects of the CCPA.

Process for Opting Out of Sale of Personal Information

The Department of Justice proposed to amend Sections 999.306(b)(3) and 999.315(h) to provide more detail about how a business should provide the right to opt out of the sale of personal information. Specifically, the Department of Justice:

  • Provides illustrative examples of how a business that collects personal information offline can provide its opt-out notice offline—through paper forms, posting signage directing consumers to an online notice or orally over the phone.
  • Makes clear that the methods for submitting opt-out requests should be easy for consumers to find and execute. For example, consumers should not have to search or scroll to find where to submit a request to opt out after clicking on the “Do Not Sell My Personal Information” link. A business should not use confusing language, try to impair a consumer’s choice to opt out or require a consumer to read through or listen to reasons why they should not opt out before confirming their request. In addition, the process for requesting to opt out shall collect only the amount of personal information necessary to execute the request.
Verifying Authorized Agent

The Department of Justice added language to Section 999.326(a) clarifying what a business may request to verify that an agent is authorized to act on a consumer’s behalf. Specifically, a business may require an authorized agent to provide proof of signed permission from the consumer for the agent to submit the request. In addition, the business may require the consumer to either verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request. Previously, a business had to go through the consumer to verify the authorized agent. Now, a business can verify the authorized agent directly.

Notices to Consumers Under 16 Years of Age

Finally, the Department of Justice clarified in Section 999.332(a) that all businesses that sell personal information about children must describe in their privacy policies the processes used to obtain consent from the child or parent (as applicable). Previously, the regulations were worded such that only a business that sells the personal information of both consumers under 13 and consumers between 13 [...]

Continue Reading




read more

OFAC Advisory Warns of Civil Penalties for Ransomware Payments

On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory alert that serves as a warning to entities who have been or will be the victim of a ransomware attack. As such, the crucial decision of whether to pay a ransom now comes with the additional risk of legal scrutiny by a powerful federal agency and the possibility of steep fines.

Access the article.




read more

Brazil’s LGPD Takes Effect—With Early Enforcement

Brazil represents over half of all IT spend in Latin America, has the largest regional market for software outsourcing, employs a sizable IT workforce, manufactures consumer goods (including commercial airplanes and cars) and has an active consumer market of social media operated by global data aggregators. At a time when data privacy is becoming increasingly important to consumers, it seems only fitting that Brazil would adopt comprehensive privacy legislation to protect data privacy rights.

The General Data Protection Law, the first law of its kind in Brazil, is now in effect, and we are already seeing enforcement. Streamlining the legal framework on data protection, the law sets forth a number of requirements addressing legal bases for processing, individual rights, governance and accountability and data transfers.

Access the article.




read more

Uber Criminal Complaint Raises the Stakes for Breach Response

On August 20, 2020, a criminal complaint was filed charging Joseph Sullivan, Uber’s former chief security officer, with obstruction of justice and misprision of a felony in connection with an alleged attempted cover-up of a 2016 data breach. These are serious charges for which Mr. Sullivan has the presumption of innocence.

At the time of the 2016 data breach, Uber was being investigated by the US Federal Trade Commission (FTC) in connection with a prior data breach that occurred in 2014. According to the complaint, the hackers behind the 2016 breach stole a database containing the personal information of about 57 million Uber users and drivers. The hackers contacted Uber to inform the company of the attack and demanded payment in return for their silence. According to the complaint, Uber’s response was to attempt to recast the breach as a legitimate event under Uber’s “bug bounty” program and pay a bounty. An affidavit submitted with the complaint portrays a detailed story of deliberate steps undertaken by Mr. Sullivan to allegedly conceal the 2016 breach from the FTC, law enforcement and the public.

Contemporaneous with the filing of the complaint, the Department of Justice (DOJ) submitted a press release quoting US Attorney for the Northern District of California David L. Anderson:

“We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”

The press release also quoted Federal Bureau of Investigation (FBI) Deputy Special Agent in Charge Craig Fair:

“Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”

Collectively, the case and statements from the DOJ are probably a unicorn based on, if the facts as alleged are true, a case involving a deliberate cover-up of a data breach in the course of an active FTC investigation. However, many of the statements from the DOJ and the specific allegations in the complaint appear to have potentially far-reaching implications (for companies, their executives and cybersecurity professionals) that breach response counsel must seriously consider in future incidents.

A common question when responding to a ransomware or other cyberattack is whether and when to inform law enforcement. The criminal complaint has the potential to make this an even more difficult decision for future cyberattack victims. Further, while the alleged conduct at issue may seem particularly egregious, the DOJ’s statements could cause a blurring of the lines between what the government may contend is illegal concealment of a security incident and activities generally thought to be legitimate security incident risk and exposure mitigation. We explore these and other key takeaways from the criminal complaint in more detail below.

[...]

Continue Reading



read more

Schrems II Special Report: What Does the CJEU’s Decision Mean for Transfers From the EEA to the US?

For our Schrems II Practical Guidance special report, members of McDermott’s internationally recognized Global Privacy & Cybersecurity group have outlined practical guidance and next steps to ensure your business is prepared for what’s next following the final ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems.

As your organization navigates the post-Schrems II landscape following the CJEU’s recent decision, consider McDermott your first point of call. We have deep experience advising global clients on compliance with the complex array of privacy and cybersecurity obligations affecting data that crosses borders or relates to foreign employees and individuals.

Practical Guidance for Businesses (US Edition)

Practical Guidance for Businesses (Global – EEA/UK Edition)




read more

NYDFS—First Enforcement Action under Cybersecurity Regulation

On July 21, 2020, the New York Department of Financial Services (NYDFS) announced that it had filed its first enforcement action under 23 NYCRR 500 (the “Cybersecurity Regulation”) against a large title insurance provider. Covered entities should closely monitor this enforcement action.

Access the article.




read more

Future Forward: Data Arrangements During and After COVID-19

The need for speedy and more complete access to data is instrumental for healthcare providers, researchers, pharmaceutical, biotech and device companies and public health authorities as they work to quickly identify infection rates, disease trends, outcomes, including antibodies, and opportunities for treatments and vaccines for COVID-19.

A variety of data sharing and collaborations have emerged in the wake of this crisis, such as:

  • Requests and mandates by public health authorities, either directly or via providers’ business associates requesting real time information on infections and bed and equipment availability
  • Data sharing collaborations among providers for planning, anticipating and tracking COVID-19 caseloads
  • Data sharing among providers, professional societies and pharmaceutical, biotech and medical device companies in search of testing options, treatment and vaccine solutions, and evaluation of co-morbidities

CLICK HERE TO VIEW THE FULL INFOGRAPHIC.




read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law