If you are a technology company developing products for the health market, you have probably heard about and maybe even been “warned” about HIPAA (the Health Insurance Portability and Accountability Act). If you are asking, “How can I avoid complying with HIPAA?” you might be asking the wrong question. Health care is almost 20 percent of the U.S. economy and craving the kind of innovation that technology companies can bring. Leaders in the health care space, like those at AcademyHealth, are pushing for changes to the health system to achieve better care, smarter spending, and healthier people. And they can’t do it without your help.

Compliance with HIPAA opens up new business opportunities, and, in an age of data breaches and privacy concerns, it can set you apart as a company that cares about protecting the information you have about your customers and the patients/clients of those you work with.

Recently, AcademyHealth facilitated a Health Data Innovator Privacy and Security Workshop supported by the California Health Care Foundation. As a featured speaker at the workshop, I’ve pulled out some of the key insights around when and how HIPAA might apply to those working in digital health.

Does HIPAA Apply to My Work?

Maybe.  HIPAA does not apply to all health data.  It depends on who collects or maintains the data and the relationships with HIPAA covered entities or business associates.

Generally, HIPAA applies to health data collected or maintained by those in the traditional health care space, including health plans and most health care providers (such as doctors, hospitals, pharmacies, and labs) and those doing business on behalf of these entities (such as a billing company or a cloud storage provider (CSP)).  However, if the same data is held by the consumer or by a product or company that has a relationship only with the consumer, then it is not covered by HIPAA, although other federal laws may apply. Typically, technology companies will be business associates working with clients that are covered health care providers or health plans.
Continue Reading Bringing Innovative Technology to Healthcare…What about HIPAA?

The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.


Continue Reading Blocking Access to Health Information May Violate HIPAA

The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches.  Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people.  As OCR recognizes,

On July 19th, the Office of the National Coordinator for Health Information Technology (“ONC”) released a report expressing concerns about major gaps in policies and oversight surrounding the access to, security, and privacy of health information held by certain mobile health (“mHealth”) technology companies and health social media.  While the report frames the

In late June, Crowell & Moring partnered with Accenture to host a comprehensive one-day conference on legal issues affecting the digital health landscape. The program covered a wide range of topics, some of which you can read more about via the following links: Developing Digital Health Platforms; the Health Care Economy’s Internet of Things; and New Payment Models and Data. More information on the June 23rd “Fostering Innovative Digital Health Strategies Conference” can be found on Crowell.com.

One session touched upon privacy and cybersecurity issues regarding the usage of products and data in the digital health realm. This panel was moderated by Fauzia Zaman-Malik, Accenture’s Global Legal Lead for Health Industry Offerings and North America Legal Lead for Health and Public Services Operating Group; and featured Evan Wolff, partner at Crowell & Moring; Cora Han, FTC senior attorney, Division of Privacy and Identity Protection; and Hilary Weckstein, chief privacy officer at Inovalon, Inc.

This panel focused on methods and benefits of de-identification, HIPAA requirements, the FTC’s role in regulating big data and digital health technologies, and data breach preparation and response.  Keep reading for four key takeaways from this session; the full panel session can also be accessed by video at this link.


Continue Reading Digital Health, Big Data, Cybersecurity, and Privacy – Four Key Takeaways from C&M’s Digital Health Strategies Conference

Crowell & Moring and Accenture co-hosted a conference, “Fostering Innovative Digital Health Strategies,” in late-June. The program aimed to provide a broad analysis of the business and legal issues that must be addressed as health care organizations and technology companies consider innovative strategies to use digital health technologies.

The first session of the conference, “Trends in the Health Care Economy’s Internet of Things,” featured the following distinguished panelists: Zane Burke (president, Cerner); Jodi Daniel (partner, Crowell & Moring); Cheryl Falvey (partner, Crowell & Moring); Melissa Goldstein (assistant director, Bioethics and Privacy Office of Science and Technology Policy, Executive Office of the President); and Kaveh Safavi (senior managing director, Global Health Industry Lead, Accenture).

A series of five videos from the session can be watched below:

Here are key health care Internet of Things (IoT) trends discussed in Session 1:


Continue Reading 6 Trends in the Health Care Economy’s Internet of Things

On February 25, President Obama addressed a small audience at the White House, identifying the need for patient participation in health care and the importance of individualizing treatments for a particular patient. Obama said that precision medicine can lead to reduced costs, better care, and a more efficient health care system.  He stated “the health care system is actually more of a disease-care system in which the patient is passive, you wait until you get sick, a bunch of experts then help you solve it,” and that precision medicine is about “empowering individuals to monitor and take a more active role in their own health.” His remarks were quite genuine and showed his personal interest in precision medicine as he seemed to talk “off script” with his panelists.

A year ago the President launched the Precision Medicine Initiative (PMI) to accelerate medicine that delivers the right treatment at the right time to the right person, taking into account individuals’ health history, genes, environments, and lifestyles. This includes efforts by the NIH to build a 1 million-person voluntary national research cohort who will partner with researchers, share data, and engage in research to transform our understanding of health and disease through precision medicine.  It also includes efforts by the Department of Veterans Affairs (VA), which has enrolled over 450,000 Veterans in the Million Veteran Program (MVP), a participant-driven research cohort.Vice President Biden’s cancer moonshot initiative builds on this initiative.


Continue Reading President Obama Addresses Precision Medicine, Health IT, Data Access, and Security

The U.S. Department of Health and Human Services (“HHS”) announced a proposed rule to modernize the federal substance abuse confidentiality rules set forth in 42 C.F.R. Part 2.  The proposed updates seek to address longstanding complaints from providers and Health Information Exchanges (“HIE”) that the highly stringent confidentiality rules often stymie patient care by limiting

A key event in Congress affecting health information technology occurred last week when two members of the Senate HELP Committee issued a discussion draft of their bipartisan legislation on health information technology (health IT).  This ambitious bill addresses many of the same areas as other recent bills, including information blocking, transparency, a star rating system

On January 7, 2016, the HHS Office for Civil Rights released guidance on individuals’ right to access health information under the HIPAA Privacy Rule. The guidance clarifies areas of confusion and non-compliance by covered entities and business associates, particularly in light of the proliferation of electronic health records and electronic health information. Areas of emphasis