HIPAA Survival Guide April 2020 Newsletter

April 2020 Webinar Title:
 
COVID-19 and HIPAA-What you need to know!
 
Description:
This webinar will discuss HHS' guidelines at the intersection of COVID-19 and HIPAA, as well as other impacts that the virus is having on HIPAA writ large.
 
Date and Time:
Thu, April 16, 2020 2:00 PM - 3:30 PM EDT
 

COVID-19 ("C-19") and Ransomware

Introduction

We are not aware of any massive ransomware attacks on the U.S. healthcare industry attempting to capitalize on the COVID-19 (“C-19”) panic. This article from Forbes suggests that the bad guys have gone on C-19 holiday—but if that’s the case, it’s probably out of their own self-interest. Further, it is likely only the big, publicly prominent criminal gangs are on holiday from attacking the U.S. healthcare system when it is most vulnerable. However, our readers would be naïve to believe that this holiday will extend, or that the thousands of smaller, yet equally effective, criminal ransomware gangs are joining the moratorium. You would be well served to review our Ransomware Resilience webinar to get up to speed on what you are likely to face.

Attacks are Here to Stay

Attacks are coming sooner rather than later. The bad guys have families to feed. This is not a hobby for them. Ransomware is what they do for a living. The healthcare industry, writ large, is far too vulnerable for the moratorium (if there is one) to last more than a few weeks. All of us now live on Internet time, where days are weeks, weeks are months, and months are years. Our 24/7/365, non-stop, always-on work environment is the “new, new, normal.” That said, there is nothing inherently new about the “new normal”; it has been “normal” for us for well over a decade. Our office exists “on the wires.” All we need is an Internet connection to plug in. We may not have been “born digital,” but we emigrated many moons ago. We have written newsletters, conducted webinars, and continued to develop our Subscription Plan and Expresso from the beaches of the world.

C-19 Guidance from HHS
 
HHS has provided the following guidance related to C-19:
 
  • OCR’s Notice of Enforcement Discretion allowing providers to serve patients where they are through commonly used apps like FaceTime, Skype, and Zoom to provide telehealth remote communications:

https://www.hhs.gov/about/news/2020/03/20/ocr-issues-guidance-on-telehealth-remote-communications-following-its-notification-of-enforcement-discretion.html

  • Guidance that empowers first responders and others who receive protected health information about individuals who have tested positive or been exposed to COVID-19 to help keep both first responders and the public safe.

https://www.hhs.gov/about/news/2020/03/24/ocr-issues-guidance-to-help-ensure-first-responders-and-others-receive-protected-health-information-about-individuals-exposed-to-covid-19.html

  • Guidance on how health care providers can share information with the CDC, family members of patients, and others, to help address the COVID-19 emergency.

https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus - PDF

 
This guidance from HHS is often “clear as mud,” although we commend the agency for trying to get in front of this evolving disaster. During the next few months, if you need HIPAA clarification related to C-19, you can use the Digital Business Law Group’s 1-800-Ask-DBLG service for $25.00 per 45-minute session, instead of the customary $250.00 fee.
 
Summary
 
Be vigilant. The bad guys will be back with a vengeance. You don’t want your health records locked, or your electricity disrupted when you have patients on ventilators. We did not predict C-19, but we did predict that 2020 would be the year when patients die because of ransomware. Trust us. You don’t want this to be your organization. Hope for the best and prepare for the worst.