Updated as of April 9, 2020:
As industry continues to adapt to the evolving realities of shelter-in-place orders, companies face challenges in supporting an unprecedented remote workforce while balancing compliance with a variety of regulatory agencies. The following alert highlights key areas to consider in the privacy and cybersecurity field, including regulatory and enforcement guidance from or related to:
Foley’s team of privacy and cybersecurity attorneys will continue to actively monitor for new and revised regulatory and enforcement guidance in these areas and others, and will update this alert accordingly.
General Data Protection Regulation
On March 19, 2020, the European Data Protection Board (EDPB) adopted a statement on the processing of personal data in the context of the COVID-19 outbreak. The EDPB made it clear that while the EU’s General Data Protection Regulation (GDPR) should not hinder measures taken in the fight against the current coronavirus pandemic, businesses are not exempt from complying with the GDPR and ensuring the protection of individuals’ personal data “even in these exceptional times.” Specifically, the EDPB explained that any measure taken in this context should comply with general principles of law, adding that “emergency is a legal condition which may legitimize restrictions to freedom provided these restrictions are proportionate and limited to the emergency period.” However, though the EDPB provided answers to some questions about the processing of data in the employment context, it failed to offer any concrete recommendations and limited its answers primarily to restating the general data protection rules (such as proportionality and data minimization principles) and relevant national laws.
Countries that have issued emergency laws allowing companies to rely on the public health basis to process sensitive personal data include:
- France: Les Agences régionales de santé (ARS) have issued an information notice.
- Germany: The Infection Protection Act (IfSG) and the Hygiene Regulations of the German Federal States regulate the processing of healthcare information in these circumstances.
- Italy: The Italian Civil Protection Department has adopted a Civil Protection Ordinance.
To provide much needed clarity, the data protection authorities (DPAs) of nearly all EU Member States have issued specific guidance on how to collect and process personal data related to COVID-19. For further insight into this and the core principles emerging from the guidance, please see our discussion posted here.
California Consumer Privacy Act
The California Attorney General (AG), Xavier Becerra, has commented that the state is not currently considering delaying enforcement of the California Consumer Privacy Act (CCPA). This comment comes after an open letter sent by a coalition of industry groups to the AG, urging Becerra to temporarily delay enforcement of the CCPA until January 2, 2021, to give industry more time to understand and operationalize the regulations once finalized as well as to respond to the unprecedented challenges and economic considerations faced by industry while it recovers from the pandemic. It remains to be seen whether the AG’s response will change if other regulators begin relaxing enforcement in light of the pandemic.
The AG’s office also emphasized data security in light of the pandemic, highlighting certain risks to which companies are potentially exposed while attempting to safeguard their workforces. In particular, companies should consider whether their data security procedures are sufficient to cover any change in the sensitivity of the data held by the business in response to COVID-19. For example, companies should review whether they are receiving any new types of information from employees during this pandemic, such as health information. Under the CCPA, employee health information received by an employer is personal information regulated by the CCPA; it is not eligible for the exclusion for health information subject to the Health Insurance Portability and Accountability Act (HIPAA), nor is it excluded from an employee’s private right of action for failure to maintain reasonable security practices in the event of a security incident. For companies that are collecting such health information, further security measures may be necessary.
The federal government has issued various updates on how health information may be used and disclosed in response to the COVID-19 pandemic to relieve immediate privacy concerns and ease enforcement in certain areas — at least on a temporary basis. These updates are helpful to understand the government’s current position on health care privacy laws, especially the Health Insurance Portability and Accountability Act (HIPAA), which governs the use and disclosure of protected health information (PHI) by health care providers, health plans, health care clearinghouses, and business associates, and 42 C.F.R. Part 2 (Part 2), which governs the confidentiality of substance use disorder records.
For ease of reference, below we have consolidated some of the most important, recent privacy updates into high-level categories that reflect relevant issues affecting the health care industry and linked to further information online:
1. Waivers announced by the Secretary of the U.S. Department of Health & Human Services (HHS), Alex Azar, including a limited waiver of HIPAA sanctions and penalties during a nationwide public health emergency as well as a waiver or modification of requirements under Section 1135 of the Social Security Act
2. Guidance from the HHS’ Office for Civil Rights (OCR) on HIPAA requirements and related enforcement discretion regarding:
a. General requirements: The OCR has a main web page with all COVID-19-related notifications, guidance, and bulletins issued by the agency.
b. Telehealth remote communications: On March 17, 2020, the OCR announced that, effective immediately, it will exercise its enforcement discretion for telehealth remote communications and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. The OCR has since issued further guidance and FAQs regarding telehealth remote communications.
c. How first responders and others can receive PHI about individuals who are exposed to COVID-19: The OCR issued guidance regarding the disclosure to law enforcement, paramedics, other first responders, and public health authorities of the name or other identifying information of an individual who has been infected with or exposed to the virus without that individual’s authorization.
d. How HIPAA applies in an emergency: In February, the OCR issued a bulletin to ensure that HIPAA-covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule during an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency. The OCR has since highlighted guidance regarding the release of PHI for planning or response activities in emergency situations, such as during the COVID-19 national emergency. The agency also provides a decision tool to aid in determining how the Privacy Rule applies to a particular disclosure in question. For more background regarding exceptions to the authorization requirement that may be relevant to HIPAA-covered entities treating patients with COVID-19, please see our discussion posted here.
e. How business associates can share PHI for public health and health care operations purposes: On April 2, 2020, the OCR announced a notification of enforcement discretion allowing uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. For a more detailed summary of HIPAA’s exceptions for the use and disclosure of PHI by business associates for public health and health oversight activities, please see our discussion posted here.
3. Revisions to Part 2 under the CARES Act: The Coronavirus Aid, Relief, and Economic Security Act (CARES Act), enacted into law on March 27, 2020, overhauls the federal substance use disorder privacy law, 42 C.F.R. Part 2, dramatically easing the ability of health care providers to disclose protected substance use disorder records with patient consent and generally aligning Part 2 more closely with HIPAA.
4. Request by CMS for COVID-19 test result reporting: On March 29, 2020, the HHS’ Centers for Medicare & Medicaid Services (CMS) issued a letter to U.S. hospitals on behalf of Vice President Pence requesting that they report data in connection with their efforts to combat COVID-19 that is critical for epidemiological surveillance and public health decision-making.
Consumer Financial Services
The Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC) have been working to gather information regarding the measures that financial institutions, financial servicers, and vendors are taking to protect consumers’ non-public personal information (NPPI) at a time of unprecedented rates of remote work. The new remote workforce includes workers who had never before been approved to work remotely because of their ability to access NPPI and other sensitive information. Given the short notice of shelter-in-place orders in various locations across the country, a large number of businesses scrambled to provide workers with company-issued laptops and/or security software to allow them to work remotely. There appears to be some concern among regulators as to whether appropriate protections have been instituted.
However, we do not expect that the CFPB and FTC will agree to relax security standards such as those found in the Safeguards Rule, the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA). We do expect to see, in the near future, guidance that assists businesses in ensuring that these security standards are met while utilizing a remote workforce. For those functions that simply cannot be performed remotely, the CFPB and FTC may also consider extending regulatory deadlines to allow the reduced workforce time to meet the demand.
- CFPB: The CFPB has announced that it is “committed to providing consumers with up-to-date information and resources to protect and manage their finances during this difficult time as the [coronavirus (COVID-19) pandemic] situation evolves.” As part of that commitment, the CFPB has teamed up with the FTC to make consumers aware of scammers that are taking advantage of the COVID-19 pandemic to con people into giving up their money or NPPI. Please visit the CFPB’s COVID-19 Resource Page for up-to-date announcements and guidance from the agency.
- FTC: The FTC’s Information Security and Financial Institutions Workshop to Examine the Safeguards Rule is currently still scheduled to be held in Washington, D.C. on May 13, 2020, beginning at 9:00 a.m. ET. Given the president’s announcement that the government’s social distancing protocol will stay in place through at least May 1, the workshop may have to be postponed.
Safe Harbor Enactments
No safe harbors related to the COVID-19 pandemic have been announced to date. However, Foley’s privacy and cybersecurity team is monitoring the situation closely and will update this alert should one be announced.
General Privacy Considerations and Risk Awareness
The unprecedented circumstances of the COVID-19 pandemic also bring forth a variety of unique privacy and cybersecurity risks that prudent companies should consider. The following practical risk assessments should be considered by all companies (including those deemed to be “essential businesses” under shelter-in-place orders):
- When gathering medical information regarding your employees, is the company doing what it can to keep individual medical information private to the extent possible (e.g., if notified of potential COVID-19 exposure, is the company preserving the employee’s privacy while also narrowing notice procedures to the appropriate individuals under the relaxed HIPAA standards issued in response to the COVID-19 pandemic);
- If the company is subject to GDPR, the company may collect and disclose certain personal data, including sensitive personal data, relating to the COVID-19 status of its employees, provided the company can rely upon an appropriate lawful basis under GDPR or applicable national law (including any emergency legislation enacted by EU Member States) to process such data and adheres to the GDPR’s fundamental principles for processing personal data, including, but not limited to, proportionality and data minimization (e.g., limiting collection and disclosure to the minimum necessary and proportionate during the emergency period);
- With additional employees working remotely (and some for the first time), has the company reviewed and distributed its telecommuting policies, and confirmed that company equipment is to be used only for company activities and that proprietary/confidential materials are to be handled in a manner that preserves non-disclosure (including the use of encryption and VPN access);
- With a heightened risk of cybersecurity incidents (e.g., breaches, intrusions, phishing, ransomware, etc.), has the company reviewed with employees the need to be aware of such risks and offered renewed training;
- Has the company installed and/or updated all software and security patches and reviewed its incident response plan;
- If the company retains logistical and geographical location information, have privacy considerations been taken into account when/if governmental entities request disclosure of such information; and
- If the company is subject to the CCPA, has the company ensured that its CCPA compliance program is on track.
In summary, it is critical that companies operating within the current remote work environment actively assess the privacy and cybersecurity risks to their enterprise; monitor existing and emerging regulatory and enforcement guidance as the situation evolves around the COVID-19 outbreak; weigh these factors against their policies, procedures, and practices currently in place; and make the necessary adjustments to maintain compliance with applicable laws. For more information about recommended steps, please contact your Foley relationship partner or one of the firm’s core privacy and cybersecurity partners. For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the CDC and the World Health Organization.
Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Foley’s Coronavirus Resource Center provides relevant developments, insights and resources to support your business during this challenging time.