Puerto Rico coronavirus chaos catches Washington’s attention

National Guard members check passengers for the coronavirus as they arrive at Puerto Rico’s Luis Muñoz Marín airport on March 17, 2020. AP

San Juan, Puerto Rico

The chaos, cabinet changes and questionable contracts that have plagued Puerto Rico’s response to the coronavirus have caught Washington’s attention.

On Monday, the chairman of the Senate Finance Committee, Chuck Grassley, sent Gov. Wanda Vázquez a five-page letter and a laundry list of questions.

Among the answers that Grassley’s powerful committee is seeking is why Health Secretary Concepción Quiñones de Longo and the island’s chief epidemiologist, Carmen Deseda, resigned last month. In addition, the committee wants information about $40 million worth of contracts to buy coronavirus test kits. 

But the committee’s concerns go beyond just the current crisis. In the letter, Grassley is asking Vázquez to turn over investigations into “possible malfeasance by the government” that cover the last four years. Among the reports the committee is seeking are investigations into contracts awarded after Hurricane Maria in 2017, the previous governor’s acquisition of a $245,000 sports utility vehicle, the alleged politicization of Puerto Rico’s Institute of Statistics, and a lawsuit surrounding lack of public death data following recent hurricanes.


“Unfortunately, there have been recent troubling revelations regarding instability of leadership in Puerto Rico’s health system, as well as a clear lack of accountability regarding government procurement and contracting,” Grassley said, citing articles in the Miami Herald and other outlets. “These revelations are the latest in a steady stream of evidence demonstrating similar faults in the government of Puerto Rico’s rebuilding efforts following the largest municipal debt default in U.S. history and a string of devastating natural disasters.”

The letter comes as Puerto Rico, a U.S. territory of 3.2 million people, is stumbling in its response to the coronavirus. Despite winning praise for shutting down non-essential businesses and imposing a curfew on March 16, it has struggled to ramp up testing and roll out a viable contact-tracing program.

As of Monday, the island had reported 1,252 cases of the coronavirus and 63 deaths. But the data is problematic. Last week, Health Secretary Lorenzo González acknowledged that some patients were being double or triple-counted in the statistics. His office has said it intends to produce accurate figures soon. 

Even so, the island has tested fewer than 12,000 people, a per-capita testing rate lower than that of any U.S. state. For the last several nights, the capital has erupted with the sound of banging pots and pans as locals demand more testing.

González took the reins of the health department last month after Quiñones de Longo resigned, having held the job for less than two weeks. When she stepped down, she said she was troubled by the way some contracts were awarded, in particular a $38 million deal with a small construction firm called Apex to buy rapid test kits.

Puerto Rico’s legislature is conducting its own investigation into how the company won the deal to provide the tests, even as the purchase has been canceled due to delivery delays and because the tests did not have FDA approval. 

González has uncovered other problems as well, including millions of dollars worth of medicine that expired as it languished in government warehouses. 


Jim Wyss covers Latin America for the Miami Herald and was part of the team that won the 2017 Pulitzer Prize for its work on the “Panama Papers.” He and his Herald colleagues were also named Pulitzer finalists in 2019 for the series “Dirty Gold, Clean Cash.” He joined the Herald in 2005.

This section highlights OSHA standards and directives (instructions for compliance officers) and other related information that may apply to worker exposure to novel coronavirus, COVID-19.

There is no specific OSHA standard covering COVID-19. However, some OSHA requirements may apply to preventing occupational exposure to COVID-19. Among the most relevant are:

Privacy, HIPAA, Security and GDPR – COVID-19 Considerations
Thursday, March 12, 2020

Introduction

Privacy, HIPAA, Security and GDPR

The introduction and spread of COVID-19 to communities across the globe has created numerous privacy and security compliance questions and challenges. Below, we address several frequently asked privacy and security questions, including those related to: (1) health care providers, health plans and health care clearinghouses in the United States (“Covered Entities”) and their services providers (“Business Associates”) that are subject to HIPAA; (2) businesses that are not subject to HIPAA, but who collect information that could be useful in reducing the spread of COVID-19; (3) cybersecurity considerations; and (4) businesses that process data concerning individuals in the European Economic Area (EEA) and are subject to the General Data Protection Regulation (GDPR).

HIPAA FAQs (For Covered Entities and Business Associates)

ARE THERE ANY INFORMATION SECURITY RISKS THAT WE SHOULD BE ADDRESSING IN OUR RESPONSE TO COVID-19?

Access Controls

As the number of states and localities affected by exposure to COVID-19 grows, there is increasing interest in patients and plan members who test positive for COVID-19, or who are deemed “persons under investigation.” As a result, there is an increased risk that health care provider and health plan personnel who have access to electronic health records (EHRs) and plan administration resources could inappropriately access patient records to find out who may have contracted COVID-19 within their communities. Under the HIPAA Security Rule, Covered Entities must implement reasonable and appropriate administrative and technical access controls to protect the confidentiality of protected health information (PHI).

Health care providers and health plans should consider taking steps to ensure proper access to patient records by:

Reminding their workforce members of the difference between appropriate and inappropriate access;

Putting in place extra protections for COVID-19 patient records (e.g., “VIP” or “break the glass” status, which automatically notifies appropriate personnel when access to the patient record occurs);

Regularly reviewing audit logs for inappropriate access by personnel; and

Taking appropriate action if a violation occurs.
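The access-control steps above, as an added example that is not part of the original article: a review script that applies them to constructed EHR audit-log events (the log fields, care-team table and flagged-patient set are assumptions made for this example), raising a notification on every access to a "break the glass" record, flagging access without a documented treatment relationship, and catching one user browsing several flagged records in a short window.

```python
"""Audit-log review for inappropriate access to COVID-19 patient records.

Assumed (constructed) EHR audit-log format: one dict per event with the
fields user, role, patient, action and timestamp. The care-team table and
the set of "break the glass" patients are likewise constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log events (not real data).
AUDIT_LOG = [
    {"user": "dr.rivera",   "role": "physician", "patient": "P-1001", "action": "view", "timestamp": "2020-03-12T08:05:00"},
    {"user": "nurse.kim",   "role": "nurse",     "patient": "P-1001", "action": "view", "timestamp": "2020-03-12T08:07:00"},
    {"user": "clerk.ortiz", "role": "billing",   "patient": "P-1001", "action": "view", "timestamp": "2020-03-12T12:40:00"},
    {"user": "clerk.ortiz", "role": "billing",   "patient": "P-1002", "action": "view", "timestamp": "2020-03-12T12:41:00"},
    {"user": "clerk.ortiz", "role": "billing",   "patient": "P-1003", "action": "view", "timestamp": "2020-03-12T12:42:00"},
    {"user": "clerk.ortiz", "role": "billing",   "patient": "P-1004", "action": "view", "timestamp": "2020-03-12T12:43:00"},
    {"user": "dr.rivera",   "role": "physician", "patient": "P-2001", "action": "view", "timestamp": "2020-03-12T14:00:00"},
]

# Constructed care-team assignments: patient -> users with a treatment relationship.
CARE_TEAM = {
    "P-1001": {"dr.rivera", "nurse.kim"},
    "P-1002": {"dr.chen"},
    "P-1003": {"dr.chen"},
    "P-1004": {"dr.chen"},
    "P-2001": {"dr.rivera"},
}

# Patients whose records carry "break the glass" status (constructed).
BREAK_THE_GLASS = {"P-1001", "P-1002", "P-1003"}

SNOOP_WINDOW = timedelta(minutes=10)
SNOOP_THRESHOLD = 3  # distinct flagged patients within the window


def review_access(log, care_team, flagged, window=SNOOP_WINDOW, threshold=SNOOP_THRESHOLD):
    """Return a list of (severity, user, detail) findings for the reviewer."""
    findings = []
    flagged_views = defaultdict(list)  # user -> [(time, patient)]
    for ev in log:
        ts = datetime.fromisoformat(ev["timestamp"])
        patient, user = ev["patient"], ev["user"]
        related = user in care_team.get(patient, set())
        if patient in flagged:
            # Rule 1: break-the-glass records notify on every access, even by the care team.
            findings.append(("notify", user, f"accessed flagged record {patient}"))
            flagged_views[user].append((ts, patient))
        if not related:
            # Rule 2: no documented treatment relationship -> review; alert if the record is flagged.
            sev = "alert" if patient in flagged else "review"
            findings.append((sev, user, f"no treatment relationship with {patient} ({ev['role']})"))
    # Rule 3: several distinct flagged records by one user in a short window (snooping pattern).
    for user, views in flagged_views.items():
        views.sort()
        for i, (start, _) in enumerate(views):
            patients = {p for t, p in views[i:] if t - start <= window}
            if len(patients) >= threshold:
                findings.append(("alert", user, f"{len(patients)} flagged records within {window}"))
                break
    return findings


def summarize(findings):
    """Count findings per (severity, user) for a daily review report."""
    counts = defaultdict(int)
    for sev, user, _ in findings:
        counts[(sev, user)] += 1
    return dict(counts)


if __name__ == "__main__":
    for sev, user, detail in review_access(AUDIT_LOG, CARE_TEAM, BREAK_THE_GLASS):
        print(f"[{sev:6}] {user}: {detail}")
```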

Remote Performance of Essential System Functions and Redundancy

If COVID-19 impacts the workforce members of a health care provider or health plan, the provider or plan’s information technology and security personnel could be among those infected with COVID-19 or subject to self-quarantine. In these circumstances, the health care provider or plan might need to rely on personnel working remotely or outside contractor support to perform essential information security responsibilities, such as incident response or necessary security updates to information systems.

Health care providers and health plans should review their emergency mode operation plans to ensure that:

Information technology and security personnel can remotely perform essential system functions in a secure manner; and

The health care provider or plan has sufficient redundancy to ensure that personnel or contractor support staff are available to perform essential security functions in the event that personnel are unavailable due to COVID-19 infection or quarantine.

Heightened Susceptibility to Phishing Attacks and Scams

According to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), malicious actors are using COVID-19 as a pretext to send emails with attachments or links to fraudulent websites to trick victims into downloading malware, revealing sensitive information or donating to fraudulent charities or causes.

Health care providers, health plans and their business associates should consider sending a security reminder or bulletin to personnel to remain vigilant against potential cyber-attacks and scams by:

Not clicking on links or opening attachments contained in unsolicited emails;

Using only trusted sources, such as government websites, to obtain up-to-date, fact-based information about COVID-19; and

Not responding to solicitations by email to reveal personal or financial information.

WHAT TYPES OF DISCLOSURES ARE WE PERMITTED UNDER HIPAA TO MAKE TO LOCAL, STATE, FEDERAL AND INTERNATIONAL PUBLIC HEALTH AGENCIES?

The Office for Civil Rights of the US Department of Health and Human Services, which enforces HIPAA, has released helpful guidance on COVID-19-related uses and disclosures, and our responses are reflective of this guidance.

Under HIPAA, Covered Entity health care providers may disclose PHI about individuals who are suspected of having contracted COVID-19 to public health authorities that are authorized by law to receive such information for preventing or controlling the spread of disease. “Public health authorities” include agencies or authorities of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency.

Under HIPAA, health care providers may also, at the direction of a public health authority, disclose PHI to a foreign government agency. Some states have mandatory legal requirements to report infectious disease cases, such as COVID-19, to state or local public health authorities.

Health care providers may report COVID-19 cases to federal, state and local public health authorities that are tasked with tracking COVID-19 cases and performing COVID-19 testing. Such disclosures should be limited to the “minimum necessary” information needed by the public health authority to conduct activities to control the spread of COVID-19. In addition, Covered Entity health care providers must keep records of disclosures made to public health authorities in order to be able to accommodate requests from individuals for an accounting of disclosures.

MAY WE DISCLOSE INFORMATION ABOUT A PATIENT OR PLAN MEMBER’S COVID-19 DIAGNOSIS TO OTHER PERSONS WHO MAY HAVE BEEN IN CONTACT WITH THE PATIENT OR PLAN MEMBER?

Covered Entity health care providers and health plans may, without first obtaining a patient’s consent, disclose information about a patient’s or plan member’s COVID-19 status to persons at risk of contracting COVID-19 if state law authorizes the health care provider or public health agency to notify such persons in conducting a public health intervention or investigation. Regardless of the applicable state law, the Covered Entity health care provider or health plan should communicate with the affected patient or plan member first, if possible, and explain the public health benefits of notifying individuals who the affected patient or plan member may have exposed to the virus.

In all cases, even when the patient or plan member affirmatively approves such disclosures, Covered Entity health care providers and health plans should limit these disclosures to the minimum necessary to allow the individual to be aware of their exposure and seek medical attention if appropriate.

MAY WE SHARE A PATIENT OR PLAN MEMBER’S COVID-19 DIAGNOSIS WITH THE PATIENT OR PLAN MEMBER’S EMPLOYER IN ORDER TO ALLOW THE EMPLOYER TO TAKE PRECAUTIONS AGAINST FURTHER INFECTION?

HIPAA generally does not permit Covered Entities to disclose PHI to a patient’s employer without the patient’s written authorization. The potential presence of COVID-19 at a patient or plan member’s workplace does not in itself provide an exception for the health care provider or health plan to notify the patient’s employer. Covered Entities may communicate concerns about potential workplace spread to public health authorities, identifying the employer. Public health authorities may then work with the patient’s employer to react appropriately to limit the spread of the virus. As noted above, health care providers may in some states notify individual employees of potential exposure to a patient with COVID-19.

To the extent that an employer conducts workplace surveillance of COVID-19 exposure (e.g., testing all or a portion of employees for disease status) as a result of federal, state or local workplace safety requirements, health care providers or labs working with the employer to conduct testing would be permitted under HIPAA to reveal test results directly to the employer who has requested the testing.

HOW DO WE RESPOND TO REQUESTS FROM THE NEWS MEDIA ABOUT THE COVID-19 CASES WE ARE TREATING?

HIPAA does not permit Covered Entities to disclose PHI—including basic demographic information such as names, addresses or dates of birth—to the media without the individual’s authorization. As a result, Covered Entities must be careful when discussing the status of specific COVID-19 cases with the media.

Hospitals and other health care facilities may disclose aggregate information to the media about the number of patients they are treating with confirmed or suspected COVID-19, but should be careful about revealing information about how the patient was exposed to COVID-19 or general information about where the patient lives, as this may allow the media to identify the patient through publicly available sources. Information must exclude all the following identifiers to avoid classification as PHI under HIPAA:

Names;

All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code in certain circumstances;

All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age;

Telephone numbers;

Fax numbers;

Electronic mail addresses;

Social security numbers;

Medical record numbers;

Health plan beneficiary numbers;

Account numbers;

Certificate/license numbers;

Vehicle identifiers and serial numbers, including license plate numbers;

Device identifiers and serial numbers;

Web Universal Resource Locators (URLs);

Internet Protocol (IP) address numbers;

Biometric identifiers, including finger and voice prints;

Full face photographic images and any comparable images;

Any other unique identifying number, characteristic or code; and

Any other information that the Covered Entity knows could be used alone or in combination with other information to identify an individual who is a subject of the information.

Given the difficulty of discussing an individual patient’s status without revealing information about the dates of their care or where they live, Covered Entities may elect to limit disclosures to the media to aggregate counts of patients or plan members that are currently receiving care for COVID-19.
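As an added example (not part of the original article) of applying the identifier list above before any release: a de-identification routine that drops the direct identifiers outright, generalizes zip codes to their first three digits, reduces dates to the year, caps ages at "90+", and redacts phone numbers, e-mail addresses, URLs, IP addresses and dates that leak through free-text notes. The record layout, the sample patient and the set of restricted zip prefixes are constructed; HHS guidance, not this placeholder set, governs which three-digit prefixes must be reported as 000.

```python
"""Safe Harbor-style de-identification of a patient record (added example)."""
import re

# Fields removed outright (direct identifiers from the list above).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "plan_id", "account", "license", "vehicle", "device_serial", "url", "ip",
    "biometric", "photo",
}

# Constructed placeholder: three-digit zip prefixes that must be reported as "000".
RESTRICTED_ZIP3 = {"036", "059"}

# Identifiers that leak through free-text notes (patterns constructed, deliberately conservative).
FREE_TEXT_PATTERNS = [
    ("[PHONE]", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("[URL]", re.compile(r"https?://\S+")),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[DATE]", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]

DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for restricted prefixes."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_age(age):
    """Ages over 89 collapse into a single "90+" category."""
    return "90+" if age > 89 else age


def year_only(field, value, age):
    """Keep only the year of a date; drop even the birth year when it would reveal an age over 89."""
    if field == "birth_date" and age > 89:
        return None
    return str(value)[:4]


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with labelled placeholders."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record):
    """Return a new dict containing only de-identified fields of the record."""
    age = record.get("age", 0)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif key in DATE_FIELDS:
            year = year_only(key, value, age)
            if year is not None:
                out[key.replace("_date", "_year")] = year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Doe", "mrn": "MRN-44821", "age": 92, "zip": "03601",
    "birth_date": "1927-11-03", "admission_date": "2020-03-10",
    "diagnosis": "COVID-19, confirmed",
    "note": "Exposed at work; contact at 617-555-0142 or jane@example.com; tested 2020-03-09",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```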

AS A BUSINESS ASSOCIATE OF MULTIPLE COVERED ENTITIES, WE HOLD HEALTH DATA THAT WE COULD ANALYZE TO PROVIDE INSIGHT ON COVID-19 EXPOSURE, SPREAD PATTERNS AND MORTALITY. DOES HIPAA ALLOW US TO LEVERAGE HEALTH DATA IN THIS MANNER?

Many companies in the healthcare industry are looking to do whatever they can to combat the spread of the virus and identify disease trends. In particular, companies that have access to large data stores may be considering different analytical products they could create to provide additional insight on exposure and spread patterns, and trends in disease morbidity and mortality.

Companies seeking to perform such data analytics on PHI or to de-identify PHI in their possession to perform analytics must consider the following before doing so:

To the extent the company needs to perform such analytics on PHI, the company must evaluate whether the activity would be considered “research” under HIPAA; and

Regardless of whether the data is PHI or de-identified, the company must ensure that it has permission from the Covered Entities that provided the data to use the data for such analytics.

Under HIPAA, “research” means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. To the extent that analytics will be performed on PHI, the company will need to evaluate in coordination with its Covered Entity customers whether the results of the analysis will be used to inform the public at large about conclusions related to COVID-19. If yes, the company may first need to seek a waiver of the HIPAA authorization requirement from an institutional review board before conducting the analysis.

Even if the data is de-identified and not subject to HIPAA authorization requirements, the company would need to ensure that it has obtained adequate permissions in its agreements with Covered Entities to create de-identified data from PHI, and use the de-identified data to conduct the analyses.

Companies should consult legal counsel and review their agreements with Covered Entities before using their access to PHI to conduct COVID-19-related analytics.

PERSONAL INFORMATION FAQS (FOR ALL BUSINESSES)

IF WE INTEND TO COLLECT PERSONAL INFORMATION LIKELY TO BE OF INTEREST TO OTHERS, INCLUDING GOVERNMENT AGENCIES OR THE MEDIA, IN OUR RESPONSE TO COVID-19, SUCH AS INFORMATION RELATED TO EMPLOYEE, GUEST OR CUSTOMER TRAVEL OR GEOLOCATION, WHAT DO WE NEED TO CONSIDER BEFORE COLLECTING, USING OR SHARING THIS INFORMATION?

Companies should review their existing privacy policies and notices to determine whether they sufficiently cover the personal information the company intends to collect, and how it intends to use and share that personal information. This may require review of multiple policies (e.g., employee privacy policy, external-facing website privacy policy).

Where the existing privacy policy does not sufficiently describe the personal information that the company intends to collect and how it intends to use and share such information, the company should consider updating its privacy policy prior to collecting the personal information or provide a supplemental privacy policy or notice at the time of collection to cover any new information that the company intends to collect, especially related to COVID-19.

WHAT IF OUR PRIVACY POLICY SUFFICIENTLY DESCRIBES THE TYPES OF PERSONAL INFORMATION WE ARE COLLECTING, BUT OUR INTENDED USE OR SHARING OF THE PERSONAL INFORMATION IN RESPONSE TO COVID-19, INCLUDING WITH GOVERNMENT AGENCIES, WILL BE NOVEL OR UNEXPECTED TO OUR GUESTS OR CONSUMERS?

Some companies’ privacy policies may already address the types of personal information that government agencies are interested in collecting to stop the spread of COVID-19. For example, airlines, car rental companies, hotels, travel insurance providers and other companies that offer loyalty programs track the timing and location of purchases. They and some participants in the interest-based advertising industry who receive geolocation data from cookies, pixels or apps may record where an individual has traveled. This information has often been collected from or provided by the guest or consumer to obtain discounts or perks on future services, without contemplation of its possible use for public health purposes.

Companies will need to review their existing privacy policies to ensure that the policies cover the disclosure of the personal information to a governmental agency for the requested purpose.

Privacy policies typically provide that personal information can be shared to protect the health or safety of individuals, or in response to valid legal process or a lawful obligation. Companies will also want to consider whether the personal information collected may be used for a novel or unexpected purpose that is not covered by the privacy policy, and amend their privacy policies accordingly, as noted above. This may also require updated internal instructions to employees, review of escalation procedures and perhaps revised disclosure standards for those assigned to make these types of decisions.

Companies should also consider whether a novel use of personal information or an underlying product or service changes the company’s role under applicable data protection law (e.g., “business”/“service provider” under the California Consumer Privacy Act).

IF WE LEARN THAT AN EMPLOYEE, GUEST OR CUSTOMER HAS TESTED POSITIVE FOR COVID-19, WHAT INFORMATION MAY WE DISCLOSE?

If a company learns that its employee, guest or customer has tested positive for COVID-19, the information the company may disclose depends on the intended recipient of the disclosure. If the company is making the disclosure at the request of a federal, state or local government agency, the company may provide information responsive to such agency’s requests.

If the company chooses to inform its employees, guests or customers about another employee, guest or customer who has tested positive, it should only share the minimal amount of personal information necessary to enable individuals to assess their own personal health and potential exposure. The minimal amount of personal information necessary is context-specific and may change depending on the circumstances. The personal information that a company can provide may be different, for instance, if the company employs 10 people as compared to 1,000 people, or if the individual who tests positive is a customer as opposed to an employee. Some information, such as the location where the affected individual may have come into contact with other individuals, will likely be important, shareable information in most cases.

A company should not share the individual’s name, and should seek to avoid sharing other personally identifiable information. Given the unprecedented nature of this situation, there undoubtedly will be novel disclosure questions that arise, in which case companies should be prepared to escalate questions to the proper individuals within the company, and consult experienced privacy counsel where necessary.

IF A GOVERNMENT AGENCY REQUESTS INFORMATION ABOUT OUR EMPLOYEES, GUESTS OR CUSTOMERS, WHAT DO WE NEED TO CONSIDER FROM A PRIVACY PERSPECTIVE IN COMPLYING WITH SUCH A REQUEST?

Responding to a request from a governmental agency for personal information about an employee, guest or customer will implicate a number of privacy considerations:

Geography

Because COVID-19 is spreading to countries around the globe, multinational companies need to be cognizant of their privacy obligations under federal, state and international data protection laws, which can vary widely. Information that can—or must—be freely shared in one jurisdiction may be subject to a stricter regulation in another. Absent a legal requirement (as discussed below), companies should be careful about providing personal information about the individuals with whom they interact to governmental entities in response to informal requests, particularly where the mere fact that an individual is a customer of, or otherwise associated with, a company could disclose personal information about the individual. Even where a legal obligation exists, companies need to be thoughtful in their responses to governmental requests to minimize potential harm to employees, guests or customers. Information that may be relevant to fighting the spread of COVID-19—such as precise geolocation data, travel data and information about contacts—may also be of interest to government entities for other purposes.

Valid Process/Legal Obligation

If applicable law requires companies to provide certain personal information to a governmental entity, many of the questions companies may have about disclosure will be resolved. Even in these instances, however, companies should be mindful while complying with lawful requests to ascertain the appropriate scope of the request; minimize any unnecessary harm to employees, guests or customers; and only provide information that is required. Where the government agency makes only an informal request for information, without providing legal process, companies should consider requesting an explanation of the legal basis for the request, or if necessary, legal process such as an order, subpoena or warrant prior to providing personal information. Factors that may weigh into this calculus include the nature of a company’s business, the jurisdiction of the government requesting the information and public relations considerations (discussed below).

Reputational Issues

If a company chooses initially not to comply with an informal request from the government to provide personal information of its employees, guests or customers, it could face objections or even a public relations backlash if the government then paints it as uncooperative in stopping the spread of COVID-19. However, companies that have built their brands and reputations around protecting privacy may need to insist on their rights to obtain legal process before complying, and weigh the short-term public relations response against the long-term impact on guest or customer trust.

IF WE DISCLOSE INFORMATION TO A GOVERNMENT AGENCY ABOUT OUR EMPLOYEES, GUESTS OR CUSTOMERS IN RELATION TO COVID-19, DO WE NEED TO INFORM THE INDIVIDUALS THAT WE SHARED THIS INFORMATION?

If a US company discloses personal information to a federal, state or local government agency, the company only has a legal obligation to inform the affected individuals that their information was shared with the governmental agency in a limited number of circumstances. One potential circumstance is if a company subject to the California Consumer Privacy Act (CCPA) receives a data subject request from a California resident. Provided that no exceptions under the CCPA apply, the company would be required to provide the California resident with information about the categories of personal information that the company shared, and the types of third parties with whom it shared the personal information in the last 12 months, including governmental agencies. Notably, HIPAA-Covered Entities and Business Associates are exempt from CCPA with respect to their handling of health information.

Even though a US company may only have a legal obligation to inform individuals that it shared their personal information under a limited number of circumstances, the company should consider whether it would voluntarily disclose to individuals that their personal information was shared.

Similar to other disclosure questions related to COVID-19, companies should weigh public relations considerations, the nature of the company’s business and the types of information that they share in making a determination as to whether to inform affected individuals.

CYBERSECURITY CONSIDERATIONS AND FAQS (FOR ALL BUSINESSES)

HOW CAN COMPANIES PREPARE THEIR EMPLOYEES, CONTRACTORS AND OTHERS TO IDENTIFY AND AVOID THE UNIQUE CYBERSECURITY THREATS RELATED TO ONLINE COMMUNICATIONS ABOUT COVID-19?

According to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), malicious actors are using COVID-19 as a pretext to send emails with attachments or links to fraudulent websites to trick victims into downloading malware, revealing sensitive information or donating to fraudulent charities or causes.

Companies should consider sending a security reminder or bulletin to personnel to remain vigilant against potential cyber-attacks and scams by:

Not clicking on links or opening attachments contained in unsolicited emails;

Using trusted sources, such as hospitals and government websites, to obtain up-to-date, fact-based information about COVID-19; and

Not providing personal or financial information when responding to online solicitations.

Employees, like others, may be susceptible to targeted phishing, fraud and other cybercriminal actions based on their interest in or concern about COVID-19. While the messaging used to entice individuals to click malicious links may be COVID-19 related, the methods used to execute these attacks will remain largely the same. Companies may effectively use this attention to COVID-19 for security awareness by alerting employees, contractors or others to these risks.

To drive the point home, companies may consider conducting a phishing simulation with a faux phishing email related to COVID-19. Companies could use the results of the phishing simulation to provide supplemental training to those employees who fell victim to the simulated phish.

To minimize the success rate of potential attacks of this sort, companies should consider providing consistent updates about COVID-19 and creating an internal resource center that employees and others can use to receive current and accurate information. These may include a trusted email address, known trusted subject line or known trusted websites (CDC, CISA or otherwise) that can be checked for up-to-date COVID-19 information.

WHAT ARE THE CYBERSECURITY ISSUES OR RISKS IN INCREASING REMOTE WORK?

As companies begin encouraging more of their employees to work remotely, their businesses may experience bandwidth issues, increased exfiltration of data to employees’ personal devices, and greater security exposure due to larger numbers of remote workers, including new or inexperienced ones.

Companies may need to test (including load testing) their remote connectivity capacity—whether VPN, virtual desktop infrastructure (VDI) interfaces, or other remote facilities—to ensure that they can support the expected increase of remote logins, especially if offices are partially or completely closed.

This will differ depending on the remote access solution a company uses. For example, some companies may only need to verify the bandwidth and processing power connected to the VPN concentrator.

Other companies with VDI solutions may need to check server capacity and concurrent license requirements to accommodate an increased remote workforce. Additionally, prompt, continuous and up-to-date security patching of remote access components and devices is critical.

Companies should pay special attention to workers with no or limited history of remote work. These workers may not adequately understand the security necessary to safely work remotely, and may benefit from additional training on these topics. They may also need to be issued multi-factor devices, or have the appropriate software or certificates installed on their work or personal devices.

Although the majority of employees will heed the public concern and work from home, companies may consider cautioning their employees about the risks of connecting to unsecured networks in public locations (e.g., public libraries, cafes or even airports, for those determined to travel). Security awareness messages emphasizing the current remote work security protocol should also be reiterated to the workforce generally.

Companies should be clear about the requirements and expectations of their remote access policy and acceptable use policy, including potential disciplinary actions to be taken if either policy is violated. Companies should clearly indicate whether company data is allowed on personal devices. Companies may consider attaching these policies to emails as a reminder, including when announcing office closures. Companies may also consider emphasizing the appropriate security hygiene employees should follow when working remotely, such as avoiding co-mingling company data with personal emails or avoiding “split tunneling,” which is when the device communicates with a secure network, like the company’s VPN, and an insecure network at the same time.

WHAT ADDITIONAL CYBERSECURITY CONCERNS OR RISKS SHOULD COMPANIES BE AWARE OF IN THESE CIRCUMSTANCES?

As the workforce shifts to more remote work, security information and event management (SIEM) solutions and other risk avoidance solutions may experience a higher number of false positives as workers who typically access the network from the office start to access it from home. Companies may need additional security operations personnel to handle alerts and separate the false positives from true positives. Additionally, attackers may use the disruption in normal work patterns to hide intrusion activities, so additional caution is needed.
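The false-positive problem described above, as an added example that is not code from the original FAQ: a naive “outside the office range” VPN login rule next to a per-user baseline that suppresses the expected office-to-home shift but still flags a session from a country the user has never logged in from. The log entries, IP ranges and ASNs are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed office egress range (RFC 5737 documentation space).
OFFICE_NET = ip_network("203.0.113.0/24")

# Constructed VPN authentication events: (user, source_ip, country, asn).
# BASELINE covers the weeks before the shift; TODAY is the first day
# on which most of the workforce logs in from home.
BASELINE = [
    ("alice", "203.0.113.10", "US", "AS64500"),
    ("bob",   "203.0.113.11", "US", "AS64500"),
    ("bob",   "198.51.100.7", "US", "AS64501"),   # bob occasionally works from home
]
TODAY = [
    ("alice", "198.51.100.40", "US", "AS64501"),  # alice's first home login
    ("bob",   "198.51.100.7",  "US", "AS64501"),
    ("alice", "192.0.2.99",    "RO", "AS64510"),  # country and ASN never seen for alice
]


def naive_rule(events):
    """Alert on every login outside the office range.

    Before the shift this fires rarely; once everyone is remote it fires
    on nearly every session and buries anything genuinely anomalous."""
    return [e for e in events if ip_address(e[1]) not in OFFICE_NET]


def build_profile(events):
    """Per-user set of (country, asn) pairs observed in the baseline window."""
    profile = defaultdict(set)
    for user, _ip, country, asn in events:
        profile[user].add((country, asn))
    return profile


def tuned_rule(events, profile, home_countries=("US",)):
    """Alert only when the source country is both new for this user and
    outside the countries the workforce lives in.

    A new residential ASN inside a home country is the expected effect of
    the office-to-home shift, so it is not enough on its own to alert."""
    alerts = []
    for user, ip, country, asn in events:
        seen_countries = {c for c, _ in profile.get(user, set())}
        if country not in seen_countries and country not in home_countries:
            alerts.append((user, ip, country, asn))
    return alerts
```

Running `naive_rule(TODAY)` returns all three of the day’s sessions, while `tuned_rule(TODAY, build_profile(BASELINE))` returns only the session from the never-seen country.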

Companies can take precautions to ensure they are prepared to respond to a data security crisis with a potential skeleton crew. Now is a crucial time to take a fresh look at the company’s incident response plan, disaster recovery plan and other security monitoring plans to ensure the company is adept at responding to a data security incident while managing business interruption affecting personnel.

Regardless of the strength of these existing policies, companies may consider updating them for pandemic preparedness. The company may also want to consider holding a tabletop exercise to practice for a potential data security incident to simulate its response capabilities when multiple members of the incident response team or others are out of the office and working remotely. At a minimum, a training refresher in the form of a meeting with security personnel inside the company emphasizing current policies and plans for response should be considered. Also consider whether existing cyber insurance coverage is adequate to cover the risks that may be possible during the pandemic.

Companies should also ensure that they comply with relevant security rules and frameworks (such as the HIPAA or GLBA security rules, PCI DSS standards, and internal policy requirements, as applicable) regarding the transmission and storage of sensitive information concerning COVID-19 (such as PHI, consumer data or other company classified data).

The cybersecurity rules that were applicable prior to COVID-19 are still in effect now. Cybersecurity laws, regulations and procedures have not been relaxed as a result of the pandemic, and there is no indication that enforcement, at least in the United States, will be lax or suspended at this time. The appropriate response to COVID-19 from a cybersecurity perspective is to continue to enforce basic good cyber hygiene.

GDPR FAQS (FOR BUSINESSES SUBJECT TO THE EU GENERAL DATA PROTECTION REGULATION)

ARE THERE GDPR CONSIDERATIONS WHEN DEALING WITH THE COVID-19 CRISIS?

Yes. Any information about an individual resident in the EEA who has or is suspected to be infected with COVID-19 will be considered to be a “special category of personal data” (or “sensitive personal data”) under the GDPR and is subject to additional controls.

The practical impact for a company is that its GDPR data privacy notices, whether they are published on its website or provided internally to employees, should be checked to see that they cover this sort of personal data, and the way in which the company needs to use that information.

This is particularly the case where the company needs to provide COVID-19 information to additional third parties or government agencies.

Secondly, if a company or one of its subsidiaries is subject to the GDPR, then it should be keeping “records of processing” of personal data (Art. 30).

These records of processing may need to be expanded to deal with any additional processing that is necessitated by dealing with COVID-19 information.

Thirdly, companies may start to receive data subject requests (DSRs) from employees, customers or contacts about COVID-19 concerns. For example, a passenger on a plane could ask the airline if any of the other passengers on that plane are infected, or are suspected to be infected, with COVID-19. Companies should check that they have a process in place to deal with these sorts of DSRs.

Remember that the GDPR covers individuals whether or not they are named, and so if a company could identify the suspected individual with information in its possession or other publicly available information, the GDPR can apply.

ARE THERE SPECIAL RULES IN THE GDPR ABOUT HOW TO HANDLE INFORMATION ABOUT COVID-19?

Yes. The COVID-19 status of individuals would qualify as part of the “special categories of personal data,” as noted above. The GDPR requires that this category of personal data may only be processed if:

The data subject has given consent;

The processing is necessary for the functions of an employer;

The processing is necessary to protect the vital interests of the data subject and where they are physically or legally incapable of giving consent;

The processing relates to personal data manifestly made public by the data subject;

The processing is necessary for reasons of substantial public interest;

The processing is necessary for the purposes of preventative or occupational medicine, the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services; or

The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

A number of European countries have now issued emergency laws that will allow companies to use this last basis of public health to process sensitive personal data.

France: Les Agences régionales de santé (ARS) have issued an information notice.

Germany: The Infection Protection Act (IfSG) and the Hygiene Regulations of the German Federal States regulate the processing of healthcare information in these circumstances.

Italy: The Italian Civil Protection Department has adopted a Civil Protection Ordinance.

It is important that you have a valid basis for processing sensitive personal data.

ARE THERE ANY SPECIAL RULES TO CONSIDER WHEN TRANSFERRING SENSITIVE PERSONAL DATA TO A CONTROLLER OUTSIDE OF THE EEA?

Yes.

If using the standard contractual clauses, companies should check whether there are further restrictions in the clauses that relate to sensitive personal data.

For example, the standard contractual clauses contain a provision that requires that any onward transfer of the sensitive personal data is not permitted without the consent of the individual.

Care should be taken when transferring sensitive personal data received from Europe to any third parties that the terms and conditions of any standard contractual clauses are complied with.

For this reason, using the Privacy Shield self-certification or Binding Corporate Rules, if applicable, is often a superior mechanism to legitimize the international transfer of personal data.

Harvard study estimates thousands died in Puerto Rico due to Hurricane Maria

Hurricane Maria caused widespread damage to Puerto Rico. Drone footage captured the scene in San Juan and Canóvanas on Sept. 21. (Hector Santos Guia/The Washington Post)

At least 4,645 people died as a result of Hurricane Maria and its devastation across Puerto Rico last year, according to a new Harvard study released Tuesday, an estimate that far exceeds the official government death toll, which stands at 64.

The study, published in the New England Journal of Medicine, found that health-care disruption for the elderly and the loss of basic utility services for the chronically ill had significant impacts across the U.S. territory, which was thrown into chaos after the September hurricane wiped out the electrical grid and had widespread impacts on infrastructure. Some communities were entirely cut off for weeks amid road closures and communications failures.

Researchers in the United States and Puerto Rico, led by scientists at the Harvard T.H. Chan School of Public Health and Beth Israel Deaconess Medical Center, calculated the number of deaths by surveying nearly 3,300 randomly chosen households across the island and comparing the estimated post-hurricane death rate to the mortality rate for the year before. Their surveys indicated that the mortality rate was 14.3 deaths per 1,000 residents from Sept. 20 through Dec. 31, 2017, a 62 percent increase in the mortality rate compared to 2016, or 4,645 “excess deaths.”

“Our results indicate that the official death count of 64 is a substantial underestimate of the true burden of mortality after Hurricane Maria,” the authors wrote.

The official death estimates have drawn sharp criticism from experts and local residents, and the new study criticized Puerto Rico’s methods for counting the dead — and its lack of transparency in sharing information — as detrimental to planning for future natural disasters. The authors called for patients, communities and doctors to develop contingency plans for natural disasters.

Maria caused $90 billion in damage, making it the third-costliest tropical cyclone in the United States since 1900, the researchers said.

Get it. Check it. Use it.

The Health Insurance Portability and Accountability Act, or HIPAA, gives individuals the right to see and get copies of their health information, or share it with a third party, like a family member or a mobile device application. Having easy access to their health information empowers individuals to be more in control of decisions regarding their health and well-being. Individuals can monitor chronic conditions better, understand and stay on track with treatment plans, find and fix errors, and contribute information to research if they choose.

To help explain this important right to individuals and health care providers, ONC and OCR have developed easy-to-understand educational tools in English and Spanish.

HIPAA Access Videos

A series of short educational videos to help individuals better understand their right to see and get their health information and to have that information sent to others of their choosing (including family members, caregivers, or a mobile device application).

Video 1 – Individual’s Rights under HIPAA to Access their Health Information: Video 1 provides a high-level overview of the HIPAA access rights and introduces the topics of fees, timing and sharing health information with a third party. Length 3:27

Video 2 – HIPAA Access Associated Fees and Timing: Video 2 tells the story of Hannah, who is moving across the country. At her last visit with her current doctor, Hannah asks to have a copy of her records to take with her. The video helps explain the associated fees, forms and the time it may take for Hannah to get a copy of her records. Length 5:14

Video 3 – HIPAA Access and Third Parties: Video 3 tells the story of Martin, who would like to share the health information in his medical record with a heart health application on his smartphone. The video provides information on the right to provide access to a third party, including a mobile application device. Length 3:16

To learn more about your rights, visit OCR’s Rights to Access Health Information under HIPAA Page

HIPAA Access Infographic

This infographic, titled Your Health Information, Your Rights, was created by the Office of the National Coordinator for Health Information Technology and the U.S. Department of Health and Human Services Office for Civil Rights. The infographic includes facts pertaining to an individual’s right to access their medical records, a demonstration of how to obtain medical records and tips for protecting health information.


Check the list of medications that the Mi Salud program will stop covering.

The executive director of the Administración de Seguros de Salud (ASES), Ángela Ávila, said that 61 drugs will be removed from the Preferred Drug List (Lista de Medicamentos Preferidos), which are the ones covered by the Government Health Plan (Plan de Salud del Gobierno, PSG), as of July 1.

According to Ávila, the purpose of the measure is to reduce costs during the next fiscal year. The official stated that they are now moving to mandatory generic medication, and that whereas there were previously four to six medication options, these will now be reduced to two in each of the 65 therapeutic categories that Mi Salud offers.

If you or a family member has the “Mi Salud” plan, here is the list of medications that it will no longer cover.