United States: Cybersecurity And Health Information Privacy During The COVID-19 Pandemic

In following CDC guidelines to effectively navigate the spread of COVID-19, many employers are closing their doors for a period of time and requiring or encouraging employees to work remotely. But cyberattackers, who (strangely) don't care much for CDC guidelines, are working around the clock to hack into vulnerable computer systems during the current pandemic.

For example, attackers reportedly launched a malicious online map appearing as a credible source showing the viral outbreak of COVID-19 across the globe. The map has the ability to steal payment card information, credentials and sensitive internet browser data. The malware takes screenshots and gathers information about the victim's operating system, architecture, username and hostname. 

Even the Department of Health and Human Services suffered a recent system compromise aimed at slowing down or completely paralyzing the Department's critical functions. Other government officials are also on high alert that attackers are capitalizing on general uncertainty during the pandemic.

Companies should take this time to assess their security posture closely. The assessment should include, at minimum, the following:

• Maximizing the use of multifactor authentication;
• Ensuring that sensitive information is encrypted at rest and in transit where possible (e.g., requiring the use of VPN tunnels for remote workers);
• Using strong passwords for remote access and changing those passwords regularly;
• Paying heightened attention to phishing attempts and implementing a process by which an employee can verify with IT whether a specific email is legitimate before opening it;
• Ensuring that companies are securely backing up all important data in case of a ransomware attack (i.e., the data is backed up in a separate, off-site system that is less likely to be impacted by a ransomware attack);
• Reviewing and updating an incident response plan; and
• Ensuring that an organization has insurance coverage for business interruption, theft/ransom and first- and third-party costs suffered as a result of an attack.
   

For more useful tips, check out Shook's Privacy & Data Security Alerts for an array of topics that will assist organizations in keeping critical data safe. 

What Can Employers Ask and Share Relating to Employee Health Information?

COVID-19 has also presented privacy concerns for employers, including those covered by HIPAA. Common questions that in-house legal departments may have about employee privacy during the COVID-19 pandemic include:

Can we make our own diagnosis regarding whether an employee is experiencing COVID-19 in our workplace?

CDC advises that employers should refrain from diagnosing employees with COVID-19 on their own. Employers should use CDC's guidance to determine the risk of COVID-19. They should not make determinations of risk based on race or country of origin and should maintain the confidentiality of employees with confirmed cases of COVID-19.

Although the Americans with Disabilities Act generally prohibits employers from asking health-related questions, the EEOC makes clear in  published guidance for employers on COVID-19 that the ADA allows employers to measure employee body temperatures because of the acknowledged spread of the coronavirus. Employers should note that not everyone with COVID-19 will have a fever.

What health information can we gather from an employee who has been diagnosed with COVID-19?

Aside from measuring body temperatures, the ADA allows employers to inquire about cold-like symptoms such as coughing, chills, shortness of breath or sore throat.

What health information can we share with other employees or third parties about an employee who is diagnosed with COVID-19?

Pursuant to the ADA and CDC, confidentiality relating to medical information is a must in the workplace, and employers should not disclose the name of any employee who has or is suspected of having COVID-19. CDC's guidance provides the following: "If an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act (ADA)." 

What health information should we refrain from gathering from all employees whether or not they've been diagnosed with COVID-19?

The ADA prohibits any disability-related inquiries. If employees are not showing any symptoms of the coronavirus like those listed above, employers may not inquire as to whether the employee has contracted COVID-19 or any other medical condition.

What can we instruct employees to do if they've been in close contact with someone affected by COVID-19?

Employers should keep employees updated about any confirmed cases of COVID-19. CDC also recommends encouraging employees to conduct risk assessments to determine their own level of exposure.

HIPAA's Application to COVID-19

The same obligations imposed on covered entities and business associates before COVID-19 apply now. Aside from adhering to HIPAA's Minimum Necessary Rule and continuing to safeguard protected health information, covered entities should reaffirm their compliance strategy with HIPAA's Privacy, Security and Breach Notification Rules.

The Office for Civil Rights (OCR) has released a bulletin that provides guidance on which disclosures of protected health information in a public-health crisis require individual authorizations and which do not.

During a public-health crisis, circumstances may arise where health information must be disclosed without an individual's authorization. OCR's bulletin reminds covered entities that the HIPAA Privacy Rule permits such disclosures without an individual authorization in at least the following instances:

• To a public-health authority, like CDC, that is responsible for public-health matters as part of its official mandate;
• At the direction of a public-health authority to a foreign government agency; 
• To persons at risk of contracting or spreading the disease or condition, as long as state and local laws authorize notification to such persons; and 
• To prevent a serious and imminent threat—taking other federal, state and local law into consideration, covered entities may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
   

Disclosures to family, friends and others involved in the individual's case and disclosures to the media or others not involved in the patient's care would require individual authorizations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.