April 10, 2020

This Insight highlights two new updates issued by the U.S. Department of Homeland Security (“DHS”) and the U.S. Department of Health and Human Service (“HHS”) in regard to cybersecurity and privacy matters that address matters pertaining to the ongoing COVID-19 / Coronavirus outbreak.  

1.    DHS Alert: COVID-19 Exploited by Malicious Cyber Actors

This Insight details a number of ways (e.g., phishing, social engineering, malware attacks and attacks exploiting non-secure remote access) cyber criminals are preying on individuals and various health care and other businesses under the guise of COVID-19.   Suggest you share this information with your IT and cybersecurity teams and others responsible for information security matters.  

https://www.us-cert.gov/ncas/alerts/aa20-099a

2.    HHS Office of Civil Rights (“OCR”) Notification of Enforcement Discretion re: COVID-19 Testing Sites

The HHS Notice provides certain relief from OCR enforcement in regard to compliance with HIPAA for health care providers and business associates participating in the operation of COVID-19 Community Based Testing Sites (“CBTS”).  Note the relief is generally available only to healthcare providers and business associates (and not health plans and clearinghouses) that implement certain reasonable safeguards at their CBTS, as set forth in Section III of the Notice (see pp. 4-5).  Moreover, health care providers and business associates may still be subject to OCR enforcement in regard to non-CBTS operations, as set forth in Section IV of the Notice (see pp. 5-6), potentially including operation conducted simultaneously with to a CBTS (e.g., the non-CBTS operations of a pharmacy that operates a CBTS in its parking lot).  

https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-community-based-testing-sites.pdf

In addition to the above, OCR has established a dedicated website where hospitals and other HIPAA covered entities and their business associates can track ongoing updates and guidance regarding privacy and security issues during the COVID-19 crisis.  

Please feel free to contact me regarding any information in this insight or other privacy or security issues. 

Likewise, please continue to follow my firm’s website for updates regarding the CARES Act and other legal matters pertaining to COVID-19.
   
PLEASE BE ADVISED: This Insight is intended only to provide an overview of the matters addressed herein and does not constitute legal advice.  If you have questions regarding a specific arrangement with a physician or other health care provider, please seek appropriate legal counsel.