Rip off the Band-Aid: Time to Scrap the FTC’s Health Breach Notification Rule

The Federal Trade Commission’s Health Breach Notification Rule (HBNR) is a perfect example of a narrowly tailored regulation that only contributes to the cumbersome patchwork of privacy rules in this country without providing any real benefit. In this blog post, I explore the problems with the HBNR and why we should focus instead on creating meaningful, comprehensive privacy legislation.

Telehealth by Telephone in Connecticut: A Provider’s Guide

Until recently, telehealth was not commonplace here in CT. Not only has the public health emergency forced widespread adoption of telehealth, but it also triggered a flurry of piecemeal rules and executive orders in rapid-fire succession causing substantial confusion. The most confusing of those rules relate to the delivery of telehealth services via telephone.

OCR Issues Guidance Regarding Media Access to Patient Care Areas

It’s now a familiar scene. News coverage regularly includes video footage capturing exhausted healthcare workers, lifeless bodies in hospital beds and COVID-19 treatment areas. OCR reminds healthcare providers that allowing media access to patient care areas without patient authorization violates HIPAA, regardless of the COVID-19 public health emergency. In the past, hospitals have paid millions of dollars in settlements for permitting access without proper authorization and increased enforcement on this issue may be on the horizon.

My Public Service Announcement on Video Conferencing

While preparing for a Connecticut Bar Association webinar this week on privacy and security basics for video conferencing, I found myself making a list of video conferencing pet peeves. Here’s a summary: no one wants to look up your nose or at the side of your head; find the mute button and learn how to use it; everyone can read your pop-up messages when you are sharing your screen; and despite what you think, you are not good at multi-tasking.

OCR Announces HIPAA Enforcement Discretion for Make-Shift COVID-19 Testing Sites

In line with its other Notices of Enforcement Discretion, OCR announced today that it will not enforce HIPAA rules against healthcare providers and their business associates for HIPAA violations that occur during the good faith operation of a community-based COVID-19 specimen collection and testing site, such as a mobile, drive-through or walk-up site.

CARES Act Makes Long-Awaited Changes to 42 CFR Part 2’s Information Sharing Rules

The CARES Act made important changes to 42 CFR Part 2 rules by aligning use and disclosure rules more closely with HIPAA. This is an important development and will require some operational tweaks by Part 2 Providers such as obtaining initial consent and ensuring the use of a Notice of Privacy Practices.

CT Public Health Commissioner Suspends State Licensure Requirements for Out-of-State Providers

Yesterday, Connecticut’s Commissioner of Public Health issued an order suspending licensure requirements for certain healthcare providers licensed in other states for a period of 60 days. This order continues to expand access to telehealth opportunities as out of state providers can now provide telehealth services to Connecticut residents.

OCR Issues FAQs on Relaxed HIPAA Enforcement for Telehealth

Late Friday, the Office for Civil Rights (OCR) issued FAQs on telehealth and HIPAA as a follow up to DHHS’ announcement that OCR would use “enforcement discretion” for HIPAA non-compliance related to the good faith roll out of telehealth services during the COVID-19 emergency. The FAQs provide useful information about the types of applications that can be used for telehealth as well as examples of bad faith conduct.

Businesses Seeking Delay of CCPA Enforcement

Earlier this week, more than 30 businesses sent a letter to California’s Attorney General requesting a temporary deferral in enforcement of the California Consumer Privacy Act (CCPA) until January 1, 2021 due to the COVID-19 pandemic and the lack of final regulations. CCPA enforcement is set to begin on July 1, 2020. But regulations directing the implementation of the CCPA remain incomplete and continue to change substantively. The regulations are not likely to be finalized for several weeks, which, under normal conditions, would leave businesses scrambling to comply before the enforcement deadline. But there is nothing normal about current conditions.