In order to move health care organizations towards consistency in mitigating important cybersecurity threats to the health care sector, the Department of Health & Human Services (HHS) published multiple guidance documents on best practices for health care organizations to reduce cybersecurity risks (“HHS Cyber Guidance”). The HHS Cyber Guidance is the result of HHS’ public-private partnership with more than 150 cybersecurity and health care experts. While compliance is voluntary, this guidance serves as direction to health care entities on important practices that should be considered and implemented to reduce risk.

Why HHS has published this guidance

Continue Reading HHS Releases Voluntary Cybersecurity Practices Guidance


  • More of our health information is becoming digital every day, as new technology companies enter the health care and wellness markets.
  • Many companies that hold a wealth of consumer health information are not covered by HIPAA.
  • Many consumers may not realize that their health information is protected, and that they have rights with respect to it, only when it is held by certain entities (HIPAA covered entities and their business associates), and not when it is held by others.
  • The private sector should work with regulators to develop a common sense, appropriate framework for use of health information by non-HIPAA covered entities.

As we await proposed HHS regulations on interoperability and patient access to data, and as more companies than ever before are collecting and using data to power advanced data analytics, artificial intelligence, and machine learning to improve health care quality and delivery, it is important to understand the scope and limitation of protections and the applicability of the HIPAA Privacy Rule.

Patients, providers and caregivers now have access to a wide array of devices and applications to manage and track patient health, improve treatment adherence, and better coordinate care. Large technology companies, athletic gear manufacturers, and others are entering a rapidly growing consumer health technology market. They are developing new technologies including tracking apps, wearables, and social networks that are increasingly integrated into patients’ daily lives. With an estimated 86.7 million U.S. consumers owning wearable devices by 2019, patients are generating billions of data points that provide insight into their health. Yet many of these companies are not subject to existing privacy protections under HIPAA, creating a significant gap in consumer protections.

At the same time, HHS is pushing for greater interoperability and patient access to data to address a challenge that remains widespread even after the investment of billions of federal dollars into the adoption of electronic health records. Agencies are encouraging and mandating easier availability of electronic health data, through current and anticipated CMS and ONC regulations and through a variety of government initiatives such as: 1) Blue Button and MyHealtheData; 2) incentivizing the adoption of open APIs; 3) developing new fee-for-service payment policies regarding remote monitoring and virtual care reimbursement; and 4) launching Sync for Science, a technical standard for facilitating patient-mediated data exchange for research. Consumers and companies alike seek guidance on the implications of collecting, storing, maintaining, and commercializing personal health data.

Continue Reading Closing the Health Information Privacy Divide

The Department of Health & Human Services Office for Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches. Although OCR investigates all reported breaches affecting 500 or more people, this new initiative will increase investigations of breaches affecting fewer than 500 people. As OCR recognizes, it is often only through investigations following a reported breach that OCR uncovers more widespread HIPAA compliance issues, and it is those additional issues that often lead to monetary settlements or fines. Particularly given this increased enforcement initiative, covered entities and business associates should continue to evaluate and, where appropriate, strengthen their HIPAA compliance efforts.

To read more about the announcement, please click here.

The National Telecommunications and Information Administration (NTIA) is looking for input on federal policy related to the Internet of Things (IoT).  On April 5, NTIA published a request for comment on federal efforts to promote IoT efforts and foster innovation.  The Department of Commerce will use the comments to develop a “green paper” identifying key issues affecting deployment of IoT technologies, potential challenges and opportunities, and possible roles for the federal government.  A “green paper” is typically used as a first step before policy changes are advanced.

Given the breadth of industries affected by IoT, including health care, transportation, and energy, and the vast number of issues that industry and government are grappling with, it is important to ensure that NTIA hears from a variety of sectors and experts on the impacts of IoT and where government can be helpful or interfere with innovation.  The NTIA poses 28 questions for comment including questions about technology, policy, infrastructure, economic impact, and international engagement.  The deadline for filing comments is May 23, 2016.  Crowell & Moring is available to assist in preparing comments.

On February 25, President Obama addressed a small audience at the White House, identifying the need for patient participation in health care and the importance of individualizing treatments for a particular patient. Obama said that precision medicine can lead to reduced costs, better care, and a more efficient health care system.  He stated “the health care system is actually more of a disease-care system in which the patient is passive, you wait until you get sick, a bunch of experts then help you solve it,” and that precision medicine is about “empowering individuals to monitor and take a more active role in their own health.” His remarks were quite genuine and showed his personal interest in precision medicine as he seemed to talk “off script” with his panelists.

A year ago the President launched the Precision Medicine Initiative (PMI) to accelerate medicine that delivers the right treatment at the right time to the right person, taking into account individuals’ health history, genes, environments, and lifestyles. This includes efforts by the NIH to build a 1 million-person voluntary national research cohort who will partner with researchers, share data, and engage in research to transform our understanding of health and disease through precision medicine. It also includes efforts by the Department of Veterans Affairs (VA), which has enrolled over 450,000 Veterans in the Million Veteran Program (MVP), a participant-driven research cohort. Vice President Biden’s cancer moonshot initiative builds on this initiative.

Continue Reading President Obama Addresses Precision Medicine, Health IT, Data Access, and Security

The U.S. Department of Health and Human Services (“HHS”) announced a proposed rule to modernize the federal substance abuse confidentiality rules set forth in 42 C.F.R. Part 2. The proposed updates seek to address longstanding complaints from providers and Health Information Exchanges (“HIE”) that the highly stringent confidentiality rules often stymie patient care by limiting information sharing. In addition to updating definitions, the changes would lessen some of the burdens associated with obtaining patient consent and disclosing data for research purposes, though they would also provide patients with new rights to an accounting of disclosures. The rules will likely make it easier for providers with direct treatment relationships to engage in integrated care efforts, though they do little to address how other “lawful holders” of substance abuse information, such as health plans or HIEs, can use or disclose it.

Comments on the proposed changes will be accepted until April 11, 2016.


A key event in Congress affecting health information technology occurred last week when two members of the Senate HELP Committee issued a discussion draft of their bipartisan legislation on health information technology (health IT).  This ambitious bill addresses many of the same areas as other recent bills, including information blocking, transparency, a star rating system for electronic health records (EHRs), usability, and interoperability. It also contains provisions on governance of health information exchange, safety, and patient access to data. If it passes, the bill will impact both users and producers of health IT and EHRs, including providers and technology companies.  To learn more, click here.

On October 2, 2014, the FDA released comprehensive guidance on the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The guidance is intended to direct manufacturers of medical devices on how to appropriately safeguard devices from a potential security breach, particularly in light of the sensitive medical information such devices may store or transmit. The FDA’s recommendations span the device lifecycle: identifying and mitigating vulnerabilities during design and development, protecting against unauthorized access, and outfitting devices with mechanisms to detect, respond to, and recover from security incidents. The guidance places significant emphasis on maintaining device functionality despite the added security controls, which may present a unique challenge to manufacturers.

Please read the full alert analyzing the guidelines here.