House Energy and Commerce Committee members Reps. Billy Long (R-Mo.) and Doris Matsui (D-Calif.) introduced the HHS Cybersecurity Modernization Act earlier this month in a bipartisan effort to address cybersecurity threats to the Department of Health and Human Services (HHS). Representatives Long and Matsui have both described the bill, H.R. 4191, as a stepping-stone towards improving cybersecurity at HHS and the health care industry at large. However, the bill does not authorize any additional appropriations to do so.
With the ever-increasing use of mobile devices in the workplace to create, receive, maintain, and transmit electronic protected health information (ePHI), the latest Cybersecurity Newsletter from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a timely reminder of the importance of mitigating the risks surrounding the use of mobile devices.
Mobile devices pose unique security risks because of their portability, small physical size, and capacity to store vast amounts of data. Both the Federal Trade Commission (FTC) and OCR frequently remind all organizations, but especially those entities that process ePHI, of the importance of protecting data on mobile devices.
In response to President Trump’s call to action on opioids, acting Department of Health and Human Services (HHS) Secretary Eric D. Hargan declared the opioid crisis a national public health emergency on October 26, 2017. The next day, the HHS Office for Civil Rights (OCR) released new guidance on when and how health care providers can share a patient’s health information with the patient’s family and close friends during certain crisis situations, such as opioid overdoses, without violating the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.
HIPAA prohibits health care providers from sharing protected health information about patients who have the capacity to make their own health care decisions and who object to information sharing, unless there is a serious and imminent threat to health or safety. However, health care professionals may disclose some health information without a patient’s permission under certain circumstances, including:
- Sharing health information with family, close friends, or any other person identified by the patient and involved in caring for the patient, if the provider determines that doing so is in the incapacitated or unconscious patient’s best interests and the information is directly related to the family member’s or friend’s involvement in the patient’s health care or payment for care. The provider may use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests.
- Informing persons in a position to prevent or lessen a serious or imminent threat to the patient’s health or safety.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a reminder to its listserv subscribers following the Las Vegas Strip shooting on October 1, 2017, that HIPAA covered entities are permitted to share patient protected health information (PHI) under the HIPAA Privacy Rule to carry out specific purposes and under certain circumstances.
For most disclosures, however, a covered entity must make reasonable efforts to limit the information disclosed to that which is minimally necessary to accomplish the purpose. Per OCR’s reminder, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose.
The following is a summary of OCR’s reminder and the uses and disclosures available under 45 C.F.R. §164.510.
HHS-OCR issued a Limited Waiver of HIPAA Sanctions and Penalties notice for both Hurricane Harvey and Hurricane Irma. In late August and early September, Secretary Price declared Public Health Emergencies in Texas, Louisiana, Puerto Rico, the U.S. Virgin Islands, and Florida, and President Trump shortly followed suit with emergency declarations for both hurricanes. Because both President Trump and Secretary Price declared an emergency for Hurricane Harvey and Hurricane Irma, the Secretary of HHS may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.
After the recent WannaCry ransomware and Petya/NotPetya malware attacks exposed the data security vulnerabilities of health care organizations and pharmaceutical companies globally, the Department of Health and Human Services Office for Civil Rights has rolled out resources to help prevent future attacks. OCR’s resources, such as its Quick-Response Checklist, infographic, and informational newsletter, are meant to support health care organizations every step of the way, from planning and contingency preparation to response and mitigation procedures.