• More of our health information is becoming digital every day, as new technology companies enter the health care and wellness markets.
  • Many companies that hold a wealth of consumer health information are not covered by HIPAA.
  • Many consumers may not realize that their health information is protected, and that they have rights with respect to it, only while it is held by certain entities, and not when it is held by others.
  • The private sector should work with regulators to develop a common sense, appropriate framework for use of health information by non-HIPAA covered entities.

As we await proposed HHS regulations on interoperability and patient access to data, and as more companies than ever before are collecting and using data to power advanced data analytics, artificial intelligence, and machine learning to improve health care quality and delivery, it is important to understand the scope and limitations of existing protections and the applicability of the HIPAA Privacy Rule.

Patients, providers and caregivers now have access to a wide array of devices and applications to manage and track patient health, improve treatment adherence, and better coordinate care. Large technology companies, athletic gear manufacturers, and others are entering a rapidly growing consumer health technology market. They are developing new technologies including tracking apps, wearables, and social networks that are increasingly integrated into patients’ daily lives. With an estimated 86.7 million U.S. consumers owning wearable devices by 2019, patients are generating billions of data points that provide insight into their health. Yet many of these companies are not subject to existing privacy protections under HIPAA, creating a significant gap in consumer protections.

At the same time, HHS is pushing for greater interoperability and patient access to data to address a challenge that remains widespread even after the investment of billions of federal dollars into the adoption of electronic health records. Agencies are encouraging and mandating easier availability of electronic health data, through current and anticipated CMS and ONC regulations and through a variety of government initiatives such as: 1) Blue Button and MyHealtheData; 2) incentivizing the adoption of open APIs; 3) developing new fee-for-service payment policies regarding remote monitoring and virtual care reimbursement; and 4) launching Sync for Science, a technical standard for facilitating patient-mediated data exchange for research. Consumers and companies alike seek guidance on the implications of collecting, storing, maintaining, and commercializing personal health data.

Continue Reading Closing the Health Information Privacy Divide

The HHS Office for Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that information blocking will generally violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to patients’ requests for access to their PHI. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking and thereby frustrate the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has ramped up its enforcement of HIPAA Privacy and Security Rule violations arising from noncompliant BAAs, so the new OCR FAQ signals that information blocking practices could become the source of future enforcement actions.

Continue Reading Blocking Access to Health Information May Violate HIPAA

The Department of Health & Human Services Office for Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches. Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people. As OCR recognizes, it is often only through the investigation that follows a reported breach that OCR uncovers more widespread HIPAA compliance issues, and it is those additional issues that often lead to monetary settlements or fines. Particularly in light of this increased enforcement initiative, covered entities and business associates should continue to evaluate and, where appropriate, strengthen their HIPAA compliance efforts.


On February 25, President Obama addressed a small audience at the White House, identifying the need for patient participation in health care and the importance of individualizing treatments for a particular patient. Obama said that precision medicine can lead to reduced costs, better care, and a more efficient health care system. He stated that “the health care system is actually more of a disease-care system in which the patient is passive, you wait until you get sick, a bunch of experts then help you solve it,” and that precision medicine is about “empowering individuals to monitor and take a more active role in their own health.” His remarks were quite genuine and showed his personal interest in precision medicine, as he seemed to talk “off script” with his panelists.

A year ago the President launched the Precision Medicine Initiative (PMI) to accelerate medicine that delivers the right treatment at the right time to the right person, taking into account individuals’ health history, genes, environments, and lifestyles. This includes efforts by the NIH to build a 1 million-person voluntary national research cohort who will partner with researchers, share data, and engage in research to transform our understanding of health and disease through precision medicine. It also includes efforts by the Department of Veterans Affairs (VA), which has enrolled over 450,000 Veterans in the Million Veteran Program (MVP), a participant-driven research cohort. Vice President Biden’s cancer moonshot initiative builds on this initiative.

Continue Reading President Obama Addresses Precision Medicine, Health IT, Data Access, and Security

A key event in Congress affecting health information technology occurred last week when two members of the Senate HELP Committee issued a discussion draft of their bipartisan legislation on health information technology (health IT). This ambitious bill addresses many of the same areas as other recent bills, including information blocking, transparency, a star rating system for electronic health records (EHRs), usability, and interoperability. It also contains provisions on governance of health information exchange, safety, and patient access to data. If it passes, the bill will affect both users and producers of health IT and EHRs, including providers and technology companies.

Featured Industry: Health Care
Spotlight on Best Practices, Litigation, Antitrust, and Tax for Health Care Companies

Crowell & Moring LLP is pleased to release its “2016 Litigation & Regulatory Forecasts: What Corporate Counsel Need to Know for the Coming Year.” The reports examine the trends and developments that will impact health care companies and other corporations in the coming year—from the last year of the Obama administration to how corporate litigation strategy is transforming from the inside out. This year will bring remarkable change for companies, as market disruptions and the speed of innovation transform industries like never before, and the litigation and regulatory environments in which they operate are keeping pace.

Continue Reading Crowell & Moring’s 2016 Litigation & Regulatory Forecasts: What Corporate Counsel Need to Know for the Coming Year

On January 7, 2016, the HHS Office for Civil Rights released guidance on individuals’ right to access their health information under the HIPAA Privacy Rule. The guidance clarifies areas of confusion and non-compliance by covered entities and business associates, particularly in light of the proliferation of electronic health records and electronic health information. Areas of emphasis include: providing protected health information (PHI) in the electronic form and format the individual requests, use of mail and email, eliminating barriers to access including inappropriate fees, and the distinctions between the requirements of the HIPAA Privacy Rule and those of the CMS Electronic Health Records Incentive program. Covered entities should review their HIPAA compliance practices in light of this guidance, particularly to ensure compliance with the 2013 HIPAA modifications. Our client alert provides a more detailed analysis of the key takeaways.


Our colleagues at Data Law Insights have written about the HHS Office for Civil Rights’ $750,000 settlement with the University of Washington Medicine (“UWM”) announced this week. This third settlement in as many weeks confirms that the security risk analysis continues to be a linchpin of OCR enforcement under the HIPAA Security Rule. Indeed, the focus on risk assessments is not unique to OCR: a security risk analysis is also a CMS requirement under the Medicare/Medicaid EHR Incentive Programs. Throughout 2015, regulators (including OIG, OCR, and others) showed an increasing trend toward audit and enforcement activities related to IT security. To reduce the risk of future scrutiny, health care entities should commit to performing and strengthening their security risk analyses in 2016.