HIPAA Compliance and Cybersecurity Challenges
This webinar provides insight into some of the most challenging issues regarding the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') compliance and cybersecurity. In particular, the webinar discusses a number of topics including key HIPAA concepts and challenges during the COVID-19 ('Coronavirus') pandemic.
Key takeaways
Key HIPAA Concepts
HIPAA is the most comprehensive privacy and data security law governing the use and disclosure of protected health information ('PHI'). The HIPAA Rules apply to covered entities and business associates and require them to protect PHI by imposing requirements on the use and disclosure of PHI, providing individuals with rights with respect to their PHI, and requiring administrative, technical, and physical safeguards for PHI. Covered entities include health plans, which encompass employer group health plans such as medical, dental, and prescription drug (RX) plans; importantly, this does not include life insurance, disability, workers' compensation, or leave of absence information. Health care providers that transmit health information in electronic form in connection with a HIPAA standard transaction must also comply with HIPAA, as must health care clearinghouses, which are entities that translate electronic data into HIPAA standard transactions. Business associates and their subcontractors must comply with HIPAA, but not every person or entity that a covered entity does business with is a business associate.
HIPAA breach notification requirements
Improper access, use or disclosure of PHI is presumed to be a breach unless an exception applies or the covered entity (or business associate, if permitted under the business associate agreement) determines, based on a risk assessment involving various factors, that there is a low probability that the PHI has been compromised. Our speakers note that breach 'exclusions' are very limited in these cases. If there is a breach, the covered entity must provide the required written notice: to affected individuals within 60 days of the date of discovery of the breach; to the Department of Health and Human Services within 60 days of the date of discovery if 500 or more individuals are affected, or in the reporting period after the end of the year if fewer than 500 individuals are affected; and to prominent media outlets in the state or jurisdiction within 60 days of the date of discovery if more than 500 residents of that state or jurisdiction are affected. The HIPAA Privacy and Security Officer will also notify affected individuals of a breach and provide them with details regarding the breach.
HIPAA and COVID-19
Our speakers discuss the various considerations regarding permitted and non-permitted disclosures. Companies are encouraged to follow the Centers for Disease Control and Prevention or state/local health guidelines on what employers should do during COVID-19. Employers can, among other things, measure employee temperatures and retain a log (which must be kept confidential), disclose the name of an employee with COVID-19 to a public health agency, and ask employees whether they have or may have COVID-19. Occupational Safety and Health Administration ('OSHA') guidance on COVID-19 and employee privacy has also been issued in light of the pandemic. Our speakers note that compliance with OSHA standards may be difficult due to the pandemic and its extent. During an inspection, OSHA officers will assess an employer's efforts to comply with OSHA standards, and employers will be expected to take corrective actions as soon as normal activities resume.
GDPR and COVID-19
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is not suspended while fighting COVID-19. Our speakers highlight that, even in these exceptional times, data controllers and processors must ensure the protection of data subjects' personal data. Core principles such as data minimisation, transparency, and adequate security remain important in the fight against the pandemic, and employers must ensure they comply with them. Employers are encouraged to collect health data only if permitted by law, to process health data only if legally required, and to inform staff about COVID-19 cases and take protective measures. In addition, many data protection authorities ('DPAs') in Europe have issued guidance for employers. In Germany, employers are encouraged not to collect temperatures at the entrance, whilst the French DPA has issued guidance during the pandemic stating that employers should not communicate more information than necessary and that disclosing the data of an employee who has the virus to their colleagues is not allowed.
How OneTrust DataGuidance Helps
OneTrust DataGuidance™ is the industry's most in-depth and up-to-date source of privacy and security research, powered by a contributor network of over 500 lawyers, 40 in-house legal researchers, and 14 full-time in-house translators. OneTrust DataGuidance™ offers solutions for your research, planning, benchmarking, and training.
OneTrust DataGuidance provides daily updates and analysis of relevant global regulatory developments, including in relation to COVID-19. By leveraging customized email alerts and newsletters, and creating dedicated spaces for projects, jurisdictions and topics, you can stay on top of developments as they happen.
OneTrust DataGuidance solutions are integrated directly into OneTrust products, enabling organisations to leverage OneTrust to drive compliance with hundreds of global privacy and security laws and frameworks. This approach provides the only solution that gives privacy departments the tools they need to efficiently monitor and manage the complex and changing world of privacy management.