Security, Privacy and Information Governance

HHS Declares Public Health Emergency in California – HIPAA Waivers Apply


In the aftermath of the California wildfires, the Department of Health and Human Services (HHS) has waived sanctions and penalties against covered entities that fail to comply with provisions of the HIPAA Privacy Rule.

The waiver is similar to HHS’ response to Hurricanes Harvey and Irma, which we discussed in a previous blog post. This waiver only applies (1) in the emergency area and for the emergency period identified in the public health emergency declaration, (2) to hospitals that have instituted a disaster protocol, and (3) for up to 72 hours from the time the hospital implements its disaster protocol.

HHS has waived sanctions and penalties for the following provisions of the HIPAA Privacy Rule:

  • Requirements to obtain a patient’s consent to speak with family, friends or any other individual identified by the patient and involved in the patient’s care. 45 C.F.R. §164.510(b).
  • Requirement to honor a request to opt out of the facility directory. 45 C.F.R. §164.510(a)(2).
  • Requirement to distribute a notice of privacy practices. 45 C.F.R. §164.520(a)(1).
  • Patient’s right to request privacy restrictions. 45 C.F.R. §164.522(a)(1).
  • Patient’s right to request confidential communications. 45 C.F.R. §164.522(b).

When either HHS’s or President Trump’s declaration terminates, a hospital must resume compliance with the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since the implementation of its disaster protocol.

Even without a waiver, the HIPAA Privacy Rule allows patient information to be shared for various reasons, including those outlined in our recent blog post regarding disclosures to family, friends, and others involved in a patient’s care and for notification purposes.

If you have any questions about these uses and disclosures or HIPAA compliance more generally, please feel free to contact any member of Drinker Biddle’s Health Care Team or Information, Privacy, Security and Governance Team.

Department of Education Posts CyberAdvisory on Extortion and Student Data Threats


Acknowledging that schools have “long been targets for cyber thieves,” the Federal Student Aid Office (FSA) of the U.S. Department of Education (ED) posted an alert on October 16, warning school districts and other educational institutions of criminal extortion schemes threatening to release sensitive student data. Recent, similar cyberattacks in Montana and Iowa are being investigated by the FBI.

OCR Reminder on How to Manage HIPAA Privacy Requirements during Emergency Relief Efforts


The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a reminder to its listserv subscribers following the Las Vegas Strip shooting on October 1, 2017, that HIPAA covered entities are permitted to share patient protected health information (PHI) under the HIPAA Privacy Rule to carry out specific purposes and under certain circumstances.

For most disclosures, however, a covered entity must make reasonable efforts to limit the information disclosed to that which is minimally necessary to accomplish the purpose. Per OCR’s reminder, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose.

The following is a summary of OCR’s reminder and the uses and disclosures available under 45 C.F.R. §164.510.

Tech Companies Issue White Paper Recommending a National IOT Strategy


Over the course of the last year, a number of U.S. technology companies and associations, including Intel, Samsung and the Information Technology Industry Council (ITIC), initiated a process dubbed “the National IOT Strategy Dialogue,” the purpose of which was to develop strategic recommendations for U.S. government policymakers on the Internet of Things.

The group recently issued a white paper capturing the recommendations it advocates that the U.S. government undertake or implement. These players suggest that, for the U.S. to win the global race to test, develop and deploy beneficial IOT technologies, the U.S. government needs a strategic roadmap.

FTC and Department of Education to Co-Host Workshop and Webcast on Privacy Issues in Education Technology


The Federal Trade Commission (FTC) and the U.S. Department of Education (ED) will co-host a live workshop on December 1, 2017 highlighting two intersecting regulatory regimes: the FTC’s rules implementing the Children’s Online Privacy Protection Act (COPPA), which applies to K-12 schools and to children under the age of 13, and the simultaneous application of the Family Educational Rights and Privacy Act (FERPA), which also applies to schools and is administered by ED.

Legislative Spotlight: Self-Driving Cars Part 1


The House of Representatives passed H.R. 3388, the “Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act” or the “SELF DRIVE Act,” last month. The bill would remove regulatory barriers to the development of self-driving or autonomous cars by giving the National Highway Traffic Safety Administration (NHTSA) authority to establish federal safety, design, and performance standards for automated cars, excluding commercial vehicles such as trucks and buses. States would still be responsible for vehicle registration, driver licensing, insurance, and safety and emissions inspections. The bill would also allow states to impose stricter performance requirements than those set by NHTSA.

We have outlined the privacy and cybersecurity provisions of this bill, as well as the NHTSA’s voluntary security standards for self-driving cars.

© 2017 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.