• More of our health information is becoming digital every day, as new technology companies enter the health care and wellness markets.
  • Many companies that hold a wealth of consumer health information are not covered by HIPAA.
  • Many consumers may not realize that their health information only is protected and they only have certain rights with respect to that information when it is held by certain entities, but not when it is held by others.
  • The private sector should work with regulators to develop a common sense, appropriate framework for use of health information by non-HIPAA covered entities.

As we await proposed HHS regulations on interoperability and patient access to data, and as more companies than ever before are collecting and using data to power advanced data analytics, artificial intelligence, and machine learning to improve health care quality and delivery, it is important to understand the scope and limitation of protections and the applicability of the HIPAA Privacy Rule.

Patients, providers and caregivers now have access to a wide array of devices and applications to manage and track patient health, improve treatment adherence, and better coordinate care. Large technology companies, athletic gear manufacturers, and others are entering a rapidly growing consumer health technology market. They are developing new technologies including tracking apps, wearables, and social networks that are increasingly integrated into patients’ daily lives. With an estimated 86.7 million U.S. consumers owning wearable devices by 2019, patients are generating billions of data points that provide insight into their health. Yet many of these companies are not subject to existing privacy protections under HIPAA, creating a significant gap in consumer protections.

At the same time, HHS is pushing for greater interoperability and patient access to data to address a challenge that remains widespread even after the investment of billions of federal dollars into the adoption of electronic health records. Agencies are encouraging and mandating easier availability of electronic health data, through current and anticipated CMS and ONC regulations and through a variety of government initiatives such as: 1) Blue Button and MyHealtheData; 2) incentivizing the adoption of open APIs; 3) developing new fee-for-service payment policies regarding remote monitoring and virtual care reimbursement; and 4) launching Sync for Science, a technical standard for facilitating patient-mediated data exchange for research. Consumers and companies alike seek guidance on the implications of collecting, storing, maintaining, and commercializing personal health data. Continue Reading Closing the Health Information Privacy Divide

On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed an investigation that OCR undertook in response to a breach report that MCPN filed on January 27, 2012. While OCR found that MCPN took necessary corrective action in response to the reported breach, OCR determined that MCPN had never conducted a security risk analysis to assess the potential threats to its ePHI environment and concluded that MCPN did not have appropriate risk management policies in place at the time of the breach. OCR further found that the security risk analyses that MCPN ultimately did undertake following the breach were insufficient to satisfy the requirements of HIPAA’s Security Rule. Violations of the Security Rule have been a consistent focus of the OCR within the past year. The OCR’s willingness to go after a federally qualified health center, a safety net health care provider, in this settlement further underscores the importance of conducting robust security risk analyses to identify, assess, and address potential threats and vulnerabilities to a covered entity or business associate’s ePHI environments.

If you are a technology company developing products for the health market, you have probably heard about and maybe even been “warned” about HIPAA (the Health Insurance Portability and Accountability Act). If you are asking, “How can I avoid complying with HIPAA?” you might be asking the wrong question. Health care is almost 20 percent of the U.S. economy and craving the kind of innovation that technology companies can bring. Leaders in the health care space, like those at AcademyHealth, are pushing for changes to the health system to achieve better care, smarter spending, and healthier people. And they can’t do it without your help.

Compliance with HIPAA opens up new business opportunities, and, in an age of data breaches and privacy concerns, it can set you apart as a company that cares about protecting the information you have about your customers and the patients/clients of those you work with.

Recently, AcademyHealth facilitated a Health Data Innovator Privacy and Security Workshop supported by the California Health Care Foundation. As a featured speaker at the workshop, I’ve pulled out some of the key insights around when and how HIPAA might apply to those working in digital health.

Does HIPAA Apply to My Work?

Maybe.  HIPAA does not apply to all health data.  It depends on who collects or maintains the data and the relationships with HIPAA covered entities or business associates.

Generally, HIPAA applies to health data collected or maintained by those in the traditional health care space, including health plans and most health care providers (such as doctors, hospitals, pharmacies, and labs) and those doing business on behalf of these entities (such as a billing company or a cloud storage provider (CSP)).  However, if the same data is held by the consumer or by a product or company that has a relationship only with the consumer, then it is not covered by HIPAA, although other federal laws may apply. Typically, technology companies will be business associates working with clients that are covered health care providers or health plans. Continue Reading Bringing Innovative Technology to Healthcare…What about HIPAA?

The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.

Continue Reading Blocking Access to Health Information May Violate HIPAA

The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches.  Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people.  As OCR recognizes, it is often only through investigations following a reported breach that OCR uncovers more widespread HIPAA compliance issues, and it is those additional issues that often lead to monetary settlements or fines. Particularly given this increased enforcement initiative, covered entities and business associates should continue to evaluate and, where appropriate, strengthen their HIPAA compliance efforts.

To read more about the announcement, please click here.

On July 19th, the Office of the National Coordinator for Health Information Technology (“ONC”) released a report expressing concerns about major gaps in policies and oversight surrounding the access to, security, and privacy of health information held by certain mobile health (“mHealth”) technology companies and health social media.  While the report frames the issue well, it largely punts to the private sector to develop solutions.  For recommendations on how to address the oversight gaps identified by ONC, see our recent article in Bloomberg BNA’s Health Care Policy Report.

 

In late June, Crowell & Moring partnered with Accenture to host a comprehensive one-day conference on legal issues affecting the digital health landscape. The program covered a wide range of topics, some of which you can read more about via the following links: Developing Digital Health Platforms; the Health Care Economy’s Internet of Things; and New Payment Models and Data. More information on the June 23rd “Fostering Innovative Digital Health Strategies Conference” can be found on Crowell.com.

One session touched upon privacy and cybersecurity issues regarding the usage of products and data in the digital health realm. This panel was moderated by Fauzia Zaman-Malik, Accenture’s Global Legal Lead for Health Industry Offerings and North America Legal Lead for Health and Public Services Operating Group; and featured Evan Wolff, partner at Crowell & Moring; Cora Han, FTC senior attorney, Division of Privacy and Identity Protection; and Hilary Weckstein, chief privacy officer at Inovalon, Inc.

This panel focused on methods and benefits of de-identification, HIPAA requirements, the FTC’s role in regulating big data and digital health technologies, and data breach preparation and response.  Keep reading for four key takeaways from this session; the full panel session can also be accessed by video at this link.

Continue Reading Digital Health, Big Data, Cybersecurity, and Privacy – Four Key Takeaways from C&M’s Digital Health Strategies Conference

Crowell & Moring and Accenture co-hosted a conference, “Fostering Innovative Digital Health Strategies,” in late-June. The program aimed to provide a broad analysis of the business and legal issues that must be addressed as health care organizations and technology companies consider innovative strategies to use digital health technologies.

The first session of the conference, “Trends in the Health Care Economy’s Internet of Things,” featured the following distinguished panelists: Zane Burke (president, Cerner); Jodi Daniel (partner, Crowell & Moring); Cheryl Falvey (partner, Crowell & Moring); Melissa Goldstein (assistant director, Bioethics and Privacy Office of Science and Technology Policy, Executive Office of the President); and Kaveh Safavi (senior managing director, Global Health Industry Lead, Accenture).

A series of five videos from the session can be watched below:

Here are key health care Internet of Things (IoT) trends discussed in Session 1:

Continue Reading 6 Trends in the Health Care Economy’s Internet of Things

On February 25, President Obama addressed a small audience at the White House, identifying the need for patient participation in health care and the importance of individualizing treatments for a particular patient. Obama said that precision medicine can lead to reduced costs, better care, and a more efficient health care system.  He stated “the health care system is actually more of a disease-care system in which the patient is passive, you wait until you get sick, a bunch of experts then help you solve it,” and that precision medicine is about “empowering individuals to monitor and take a more active role in their own health.” His remarks were quite genuine and showed his personal interest in precision medicine as he seemed to talk “off script” with his panelists.

A year ago the President launched the Precision Medicine Initiative (PMI) to accelerate medicine that delivers the right treatment at the right time to the right person, taking into account individuals’ health history, genes, environments, and lifestyles. This includes efforts by the NIH to build a 1 million-person voluntary national research cohort who will partner with researchers, share data, and engage in research to transform our understanding of health and disease through precision medicine.  It also includes efforts by the Department of Veterans Affairs (VA), which has enrolled over 450,000 Veterans in the Million Veteran Program (MVP), a participant-driven research cohort.Vice President Biden’s cancer moonshot initiative builds on this initiative.

Continue Reading President Obama Addresses Precision Medicine, Health IT, Data Access, and Security

The U.S. Department of Health and Human Services (“HHS”) announced a proposed rule to modernize the federal substance abuse confidentiality rules set forth in 42 C.F.R. Part 2.  The proposed updates seek to address longstanding complaints from providers and Health Information Exchanges (“HIE”) that the highly stringent confidentiality rules often stymie patient care by limiting information sharing.  In addition to updating definitions, the changes would lessen some of the burdens associated with obtaining patient consent and disclosing data for research purposes, though would also provide patients with new rights to an accounting of disclosures.   The rules will likely make it easier for providers with direct treatment relationships to better engage in integrated care efforts, though the rules do little to address how other “lawful holders” of substance abuse information, such as health plans or HIEs, can use or disclose it. 

Comments on the proposed changes will be accepted until April 11, 2016.