Guidance to First Responders in COVID-19


The Office for Civil Rights (OCR), which is the HIPAA enforcement arm of the U.S. Department of Health and Human Services (HHS), issued guidance today on how entities subject to HIPAA (covered entities) may disclose protected health information (PHI) about an individual who has been exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with the HIPAA Privacy Rule.

In its guidance, OCR explains the circumstances under which a covered entity may disclose PHI, such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples including:

· When needed to provide treatment;

· When required by law;

· When first responders may be at risk for an infection; and

· When disclosure is necessary to prevent or lessen a serious and imminent threat.

Today, OCR clarified the regulatory permissions that a covered entity may use to disclose PHI to first responders and others so that they can take the necessary precautions or use personal protective equipment. OCR is also careful to remind all covered entities to take reasonable steps to limit the PHI used or disclosed to the “minimum necessary” to accomplish the purpose of the disclosure, which is frankly a good recommendation for all PHI-related disclosures, pandemic or not. Even though these are extraordinary times, we must be sure to protect one another’s privacy while also striving to protect the health of our first responders during this crisis. OCR is careful to strike that balance in today’s guidance.

Clients and friends can find the guidance here.

Stay safe and healthy!


If you need further information, contact us here.

Is Ohio Getting Its Cybersecurity Act Together?


When state senators Bob Hackett and Kevin Bacon introduced Senate Bill 220, I for one felt a sense of relief that, at last, Ohio would finally take much-needed action on the issue of cybersecurity. The bill is far from perfect, but it is finally a START of what will hopefully result in meaningful comprehensive cybersecurity legislation.

What does the bill accomplish? It incentivizes Ohio companies to adopt a risk-based framework by providing a “safe harbor”, which is an “affirmative defense”, to tort claims arising out of data breaches caused by third-party malefactors. The bill indicates that all covered entities (any Ohio business that “…accesses, maintains, communicates, or handles personal information”, or, essentially, all Ohio companies) may seek a safe harbor under the law provided the company has a “written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information that complies with the NIST cybersecurity framework or other industry cybersecurity frameworks (such as Center for Internet Security Critical Security Controls, ISO 27000).”

For health care entities complying with the Health Insurance Portability and Accountability Act (HIPAA), banks and other financial institutions complying with the Gramm-Leach-Bliley Act (GLBA) and government contractors complying with the Federal Information Security Modernization Act (FISMA), the bill allows for a safe harbor for those entities who have developed their own frameworks to comply with industry regulations.

The bill requires that covered entities seeking safe harbor have written cybersecurity programs that are designed to do the following:

(1) Protect the security and confidentiality of personal information;

(2) Protect against any anticipated threats or hazards to the security or integrity of personal information;

(3) Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

The bill takes into consideration that not all entities have the same security challenges.  The bill acknowledges that the cybersecurity program of covered entities may take into account the following:

(1) The size and complexity of the covered entity;

(2) The nature and scope of the activities of the covered entity;

(3) The sensitivity of the personal information to be protected;

(4) The cost and availability of tools to improve information security and reduce vulnerabilities;

(5) The resources available to the covered entity.

Now for the rub.

For a covered entity to successfully assert the affirmative defense afforded by the bill, it must demonstrate “substantial compliance” with its chosen risk-based framework or HIPAA, GLBA or whatever regulatory rubric applies to the covered entity.  To a lawyer, the term “substantial compliance” automatically means “litigable issue.” What does “substantial” mean?  It is wholly subjective and it will take years in Ohio courts, if ever, to create a case law definition.  From a cybersecurity standpoint, we do not have years to shore up Ohio’s networks.

I guess what I’m really driving at is that Ohio needs a law with more teeth in it. How about a law that simply mandates that you have a written cybersecurity program and follow a risk-based framework if you maintain sensitive personal information as part of your business? Operators in health care, banking and any publicly traded company already understand such a mandate. Entities that do not obey the law would be held accountable on the basis of negligence per se in the event they sustain a breach without a risk-based framework in place. Litigation will result either way. A clear mandate would bring more clarity to questions of liability, and presumably more businesses would adopt a risk-based framework in the face of a mandate.

In the end, isn’t it more about security than liability?