In response to several high-profile cybersecurity incidents affecting hospitals and other health care providers, including the Change Healthcare breach, new federal legislation was recently introduced by Senators Ron Wyden (D-OR) and Mark Warner (R-VA). The health care industry has received intense criticism for perceived weaknesses in cybersecurity protections. As stated in a summary of HISAA prepared by the Senate Finance Committee:
According to the FBI, the health care sector is now the #1 target of ransomware. These hacks are entirely preventable and are the direct result of lax cybersecurity practices by health care providers and their business partners. Cybersecurity failures have delayed and disrupted patient care, and have harmed patient health and privacy, as well as national security. Despite these high stakes, health care has some of the weakest cybersecurity rules of any federally regulated industry.
The new legislation, the Health Infrastructure Security and Accountability Act (HISAA), would create significant new security requirements applicable to HIPAA Covered Entities and Business Associates designed to address cybersecurity risks, require ongoing risk assessments and audits related cybersecurity practices, establish new penalties for noncompliance with these requirements and remove HIPAA statutory caps on such penalties, and create funding incentives and Medicare payment reduction disincentives for entities subject to these requirements.
On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
The updated guidance replaced OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of HIPAA, including “individually identifiable health information” (“IIHI”). The guidance explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”).
Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts. Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.
Over the next year, the following laws will become effective:
- Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
- Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
- Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
- Nebraska Data Privacy Act (effective Jan. 1, 2025)
- New Hampshire Privacy Act (effective Jan. 1, 2025)
- New Jersey Data Privacy Act (effective Jan. 15, 2025)
- Tennessee Information Protection Act (effective July 1, 2025)
- Minnesota Consumer Data Privacy Act (effective July 31, 2025)
- Maryland Online Data Privacy Act (effective Oct. 1, 2025)
These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here. All nine laws listed above contain the following familiar requirements:
On May 17, 2024, Colorado Governor Jared Polis signed into law SB 24-205—concerning consumer protections in interactions with artificial intelligence systems—after the Senate passed the bill on May 3. The law adds a new part 17, “Artificial Intelligence,” to Article I, Title 6 of the Colorado Consumer Protection Act, to take effect on February 1, 2026. This makes Colorado “among the first in the country to attempt to regulate the burgeoning artificial intelligence industry on such a scale,” Polis said in a letter to the Colorado General Assembly.
The new law will ...
On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Notably, the updated guidance replaces OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such ...
New York Governor, Kathy Hochul, recently announced proposed cybersecurity rules for New York hospitals, which are due to be imminently published in the State Register on December 6, 2023, subject to approval by the Public Health and Health Planning Council. The Governor’s press release indicates the proposed regulations, if enacted, will require New York hospitals to meet at least the following requirements:
- Establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks;
- Develop a response plan for potential cybersecurity ...
On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.
On April 11, 2023, U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced its plan for termination of the existing notifications of enforcement discretion related to the expiration of the COVID-19 public health emergency (PHE) on May 11, 2023.
In this episode of the Diagnosing Health Care Podcast: The U.S. Food and Drug Administration (FDA) recently issued a final guidance document clarifying how the agency intends to regulate clinical decision support (CDS) software.
How has this document caused confusion for industry? How can companies respond?
On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement.
On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.
From the Diagnosing Health Care Podcast: How have complaints of information blocking been submitted to the Office of the National Coordinator (ONC), and by whom? What does government enforcement action really look like?
In this episode of our special series on interoperability, hear from ONC attorneys Cassie Weaver and Rachel Nelson.
On July 8, two weeks following the Supreme Court’s ruling in Dobbs v. Jackson that invalidated the constitutional right to abortion, President Biden signed Executive Order 14076 (E.O.). The E.O. directed federal agencies to take various actions to protect access to reproductive health care services,[1] including directing the Secretary of the U.S. Department of Health and Human Services (HHS) to “consider actions” to strengthen the protection of sensitive healthcare information, including data on reproductive healthcare services like abortion, by issuing new guidance under the Health Insurance and Accountability Act of 1996 (HIPAA).[2]
Featured on the Diagnosing Health Care Podcast: How is openEHR transforming the way health data is managed and stored across Europe? Will it soon disrupt the U.S. marketplace?
In this episode of our special series on interoperability, hear from Alastair Allen, CTO of Better.
In this episode of the Diagnosing Health Care Podcast: In the past decade, certified electronic health records (EHRs) have been instrumental in transforming medical records from paper to digital formats.
What obstacles are currently preventing providers from sharing patient data with each other or patients from sharing health information from their personal devices with their providers? In this episode of our special series on interoperability, hear from Tomaž Gornik, founder and CEO of Better.
The U.S. Supreme Court is expected to imminently issue its opinion in the case Dobbs v. Jackson Women’s Health Organization (“Dobbs”). If the Court rules in a manner to overturn Roe v. Wade, states will have discretion in determining how to regulate abortion services.[1] Such a ruling would overturn nearly 50 years of precedent, leaving patients, reproductive health providers, health plans, pharmacies, and may other stakeholders to navigate a host of uncharted legal issues. Specifically, stakeholders will likely need to untangle the web of cross-state legal issues that may emerge.
On April 11, 2022, the Drug Enforcement Administration (DEA) released a final rule which amends DEA regulations to now require all applications for DEA registrations, and renewal of those registrations, to be submitted online. The final rule is effective May 11, 2022.
On January 7, 2021, DEA published a notice of proposed rulemaking (NPRM) that proposed requiring that all applications for DEA registrations, and renewal of those registrations, be submitted online. DEA is promulgating this rule as proposed in the NPRM with one exception: DEA is clarifying that Automated Clearing House (ACH) fund transfers will be accepted as payment for registrations and renewals.
The past several years have proven difficult for healthcare entities due to increasing cybersecurity threats, breaches and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.
On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.
In this episode of the Diagnosing Health Care Podcast: The interoperability and information-blocking rules have imposed new regulations and requirements on health information exchanges (HIEs). How are HIEs responding to these new regulations in a space they have been in for decades? In this episode of our special series on interoperability, hear from Dan Paoletti, CEO of the Ohio Health Information Partnership.
New from the Diagnosing Health Care Podcast: One of the long-term goals of the interoperability and information-blocking rules is to give health care providers a much more comprehensive view of a patient’s entire continuum of care.
On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws, and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and ...
Our colleagues Alaap Shah and Stuart Gerson of Epstein Becker Green have written an Expert Analysis on Law360 that will be of interest to our readers: "Health Cos. Must Prepare for Growing Ransomware Threat."
The following is an excerpt (see below to download the full version in PDF format):
Ransomware attacks have become big business, and they are on the rise. And entities in the health care and life sciences space have become primary targets of opportunity for attackers.
As the recent Colonial Pipeline Co. ransomware event illustrates, a small group of black hat hackers, living in ...
Only a few days remain before the enforcement delay that the Centers for Medicare & Medicaid Services (CMS) exercised due to COVID-19 will end and the agency will require certain payors to publish a Patient Access application programming interface (“API”) and a Provider Directory API under the requirements of the CMS Interoperability and Patient Access Final Rule. Starting on July 1, 2021, all health plans that offer Medicare Advantage, Medicaid and Children’s Health Insurance Program (CHIP) and most Qualified Health Plans offered through the Federally-facilitated ...
The roll out of the Office of the National Coordinator’s (ONC) 21st Century Cures Act Interoperability and Information Blocking Rules is reminiscent of the way HIPAA has rolled out over the course of the past 25 years. As of May 1, 2021, Actors have been required to comply with the Information Blocking rules. However, it will take some time before all Actors know who they are and for complaints of Information Blocking to be determined to be actual instances of Information Blocking, by which time the penalties that have not yet been finalized may also need to be adjusted.
While ONC defined ...
Medical providers are often asked, or feel obligated, to disclose confidential information about patients. This blog post discusses when disclosures of confidential medical information involve law enforcement, but the general principles discussed herein are instructive in any scenario. To protect patient confidentiality and avoid costly civil liability arising from improper disclosures, it is imperative that providers ask questions to assess the urgency of any request and to understand for what purpose the information is sought by authorities. Knowing what questions to ask at the outset prepares providers to make informed decisions about disclosing confidential information in a manner that balances the obligation to maintain patient confidentiality and trust with legitimate law enforcement requests for information aimed at protecting the public.
The application of artificial intelligence technologies to health care delivery, coding and population management may profoundly alter the manner in which clinicians and others interact with patients, and seek reimbursement. While on one hand, AI may promote better treatment decisions and streamline onerous coding and claims submission, there are risks associated with unintended bias that may be lurking in the algorithms. AI is trained on data. To the extent that data encodes historical bias, that bias may cause unintended errors when applied to new patients. This can result in ...
After a Congressional override of a Presidential veto, the National Defense Authorization Act became law on January 1, 2021 (NDAA). Notably, the NDAA not only provides appropriations for military and defense purposes but, under Division E, it also includes the most significant U.S. legislation concerning artificial intelligence (AI) to date: The National Artificial Intelligence Initiative Act of 2020 (NAIIA).
The NAIIA sets forth a multi-pronged national strategy and funding approach to spur AI research, development and innovation within the U.S., train and prepare an ...
As consumerism in healthcare increases, companies and the individuals they serve are increasingly sharing data with third-party application developers that provide innovative ways to manage health and wellness, among numerous other products that leverage individuals’ identifiable health data. As the third-party application space continues to expand and data sharing becomes more prevalent, it is critical that such data sharing is done in a responsible manner and in accordance with applicable privacy and security standards. Yet, complying with applicable standards requires striking the right balance between rules promoting interoperability vis-à-vis prohibiting information blocking vs. ensuring patient privacy is protected. This is especially difficult when data is sent to third party applications that remain largely unregulated from a privacy and security perspective. Navigating this policy ‘tug of war’ will be critical for organizations to comply with the rules, but also maintain consumer confidence.
On March 9, 2020, the Office of the National Coordinator for Health Information Technology (“ONC”) and the Center for Medicare and Medicaid Services (“CMS”) published their long-awaited final rules that seeks to promote interoperability. Market participants waited longer than usual for this rule due to the Department of Health and Human Services (“HHS”) extending the comment period at the request of a variety of stakeholders.
The ONC’s rule (the “Final Rule”) supports interoperability by prohibiting “information blocking”. Affected organizations (see below) will want to be considering the impact on contracts and developing compliance policies that reflect the requirements of the Final Rule. One aspect of needed compliance relates to the Final Rule’s exceptions to information blocking including a newly-added “content and manner” exception.
Generally, information blocking is defined as an action by an actor interfering with, preventing, or materially discouraging access, exchange, or use of electronic health information[1] (“EHI”). Actors include health care providers, health IT developers, health information exchanges, or health information network. In the proposed rule, the ONC proposed seven exceptions to conduct that might otherwise be deemed information blocking. However, in the Final Rule, ONC created eight exceptions. Further, the ONC defined two categories of exceptions: (1) Exceptions that involve not fulfilling requests to access, exchange, or use EHI and (2) Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI. Each of the eight enumerated exceptions are categorized as follows:
In a recent blog post, colleagues in our Employment, Labor & Workforce Management practice addressed the legal framework pertaining to coronavirus (COVID-19) risks in the workplace. As the number of cases continues to the climb in the U.S., it is imperative that HIPAA covered entities and their business associates are aware of their privacy and security responsibilities in the midst of this public health emergency. EBG provides this guidance on how to effectively respond to the coronavirus public health crisis while navigating patient privacy issues.
As discussed in an earlier blog post, the New York state Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”), was signed into law on July 25, 2019. A potential unintended side effect of the SHIELD Act may require health care companies to provide notification to the NY Attorney General for events that occurred well before its enforcement date. While the SHIELD Act’s data security requirements, which are covered under §4, will not come into effect until March 21, 2020, all other requirements, including the breach notification requirement, became effective on October 23, 2019. The notification enforcement date is important for any Covered Entity, as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), that has suffered a Breach, as defined by HIPAA, involving fewer than 500 individuals (“Minor HHS Breach”), was a breach of computerized data, and involved a New York resident.
On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).
As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties. In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.
Based on their extensive experience advising health care industry clients, Epstein Becker Green attorneys and strategic advisors from EBG Advisors are predicting the “hot” health care sectors for investment, growth, and consolidation in 2020. These predictions for 2020 are largely based on the increasing confluence of the following three key “drivers” of health industry transformation that is substantially underway:
- The ongoing national imperative of reducing the cost of health care, via disease prevention and detection, and cost-effective, quality treatment, including more efficient care in ambulatory and retail settings;
- Extraordinary advances in technologies which enhance disease prevention, detection and cost-effective treatment (e.g., artificial intelligence (AI)-driven diagnosis and treatment, virtual care, electronic medical record (EMR) systems, medical devices, gene therapy, and precision medicine); and
- The aging baby-boomer population, with tens of millions of Americans entering into their 70s, 80s, and above.
On September 10, 2019, the Office of Inspector General of the Department of Health and Human Services (“OIG”) published Advisory Opinion 19-04. In this favorable opinion, OIG approved a technology company’s proposal to make its online healthcare directory search results visible to federal healthcare beneficiaries in locations where the company charges the healthcare professionals a per-click or per-booking fee to be included in the directory. It also approved the company’s proposal to make sponsored advertisements that appear on its online healthcare directory and ...
The market for direct-to-consumer (“DTC”) genetic testing has increased dramatically over recent years as more people are using at-home DNA tests. The global market for this industry is projected to hit $2.5 billion by 2024. Many consumers subscribe to DTC genetic testing because they can provide insights into genetic backgrounds and ancestry. However, as more consumers’ genetic data becomes available and is shared, legal experts are growing concerned that safeguards implemented by U.S. companies are not enough to protect consumers from privacy risks.
Some states vary ...
When we think about the top players in the medical device development space, we often see device company sponsors, clinicians, scientists, and FDA regulators as the ones driving the process. But what about the patient perspective? Does that get factored in?
On May 3, 2019, FDA established a docket to collect public input on a proposed list of patient preference-sensitive areas for medical device review, and posed certain related questions (comments are due July 2, 2019). By identifying these key areas (which it committed to as part of the reauthorization of the Medical Device User Fee ...
The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people. However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.
AI cybersecurity tools can enable organizations to improve data security by detecting and thwarting potential threats through automated systems that continuously monitor network behavior and identify network abnormalities. For example, AI may offer assistance in breach prevention by proactively ...
Consumer privacy protection continues to be top of mind for regulators given a climate where technology companies face scrutiny for lax data governance and poor data stewardship. Less than a year ago, California passed the California Consumer Privacy Act (CCPA) of 2018, to strengthen its privacy laws. In many regards, the CCPA served as a watershed moment in privacy due to its breadth and similarities to the E.U. sweeping General Data Protection Regulation (GDPR) law.
Yet, California continues to push the envelope further. Recently, California State Senator Jackson and Attorney ...
The Office of Inspector General (“OIG”) for the Department of Health and Human Services recently issued an Advisory Opinion that provides insight into how the agency evaluates arrangements that deal with the integration of technology, medicine, and patient monitoring under the federal Anti-Kickback Statute (“AKS”). In Advisory Opinion No. 19-02, OIG evaluated whether a pharmaceutical manufacturer could temporarily loan a limited-functionality smartphone to financially needy patients enrolled in federal health care programs. OIG concluded that the proposed ...
One well-recognized way to protect patient privacy is to de-identify health data. However, trends around increases in publicly-available personal data, data linking and aggregation, big data analytics, and computing power are challenging traditional de-identification models. While traditional de-identification techniques may mitigate privacy risk, the possibility remains that such data may be coupled with other information to reveal the identity of the individual.
Last month, a JAMA article demonstrated that an artificial intelligence algorithm could re-identify ...
On February 11th, blockchain advocates, digital health enthusiasts, and patients received positive news from the Center for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) regarding patient data sharing. These rules, taken together, seek to make data more liquid, which can promote patient access, continuity of care, research, collaboration across the industry and several other activities that previously faced challenges within a health care system built on data silos.
First, CMS ...
GenomeDx Biosciences Corp., which markets a genomic test (Decipher®) intended to assess the aggressiveness of prostate cancer, has agreed to pay $1.99 million to the U.S. Department of Justice to resolve allegations that it violated the False Claims Act (31 U.S.C. §§ 3729 et seq.)(“FCA”) by submitting claims to Medicare for tests conducted to evaluate treatment options for men after prostate surgery.
The government and a whistleblower alleged that between September 2015 and June 2017, GenomeDx knowingly submitted Medicare reimbursement claims for the Decipher® test ...
The telehealth industry has experienced constant developments in the regulatory landscape at both the federal and state level over the past several years, and we are confident these changes will continue into 2019 as the utilization of telehealth services continues to evolve and mature. A notable area of activity is how regulators, are approaching the telehealth industry, in particular remote prescribing applications of this platform.
On the federal level, we should expect to see promulgation of regulations by the U.S. Drug Enforcement Administration outlining the special ...
There is a new kid on the block . . . the Chief Data Officer (CDO). There is no surprise in our data-driven world that such a role would exist. Yet, many organizations struggle with defining the role and value of the CDO. Effective implementation of a CDO may be informed by other historical evolutions in the C-Suite.
Examining the rise of the Chief Compliance Officer (CCO) in the 2000’s mirrors some of the same frustrations that organizations faced when implementing the CCO role. While organizations were accustomed to having legal, HR, and internal audit departments working together to ...
Data is king! A robust privacy, security and data governance approach to data management can position an organization to avoid pitfalls and maximize value from its data strategy. In fact, some of the largest market cap firms have successfully harnessed the power of data for quite some time. To illustrate this point, the Economist boldly published an article entitled “The world’s most valuable resource is no longer oil, but data.” This makes complete sense when research shows that 90% of all data today was created in the last two years, which translates to approximately 2.5 ...
Recently, the U.S. Department of Health & Human Services (“HHS”) issued guidance for healthcare cybersecurity best practices. As required under the Cybersecurity Act (CSA) of 2015, this four-part guidance was generated by a Task Group charged with the following:
- Examining current cybersecurity threats affecting the healthcare and public health sector;
- Identifying specific weaknesses that make healthcare and public health organizations more vulnerable to cybersecurity threats; and
- Providing certain practices that cybersecurity experts rank as most effective ...
On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.” OCR is seeking comments for a series of 54 different specific questions (many with additional subparts ...
In the tech world, blockchain technology appears to be the panacea to all problems. As blockchain technology becomes increasingly popular, many industries are trying to determine the best way to use the new phenomenon. Healthcare is no different in this quest. Health care is an optimal candidate to benefit from development of innovative ways to solve its impending issues using transformational technology. Blockchain could be the technology that helps to alleviate some of health care’s problems, such as the incredibly fragmented delivery of care and the painstakingly slow ...
The Ryan Haight Act Online Pharmacy Consumer Protection Act of 2008 (21 U.S.C. § 802(54)) (the “Ryan Haight Act” or “Act”) expanded the federal Controlled Substances Act to define appropriate internet usage in the dispensing and prescribing of schedule drugs, and in doing so effectively banned the issuance of prescriptions via telemedicine services for any controlled substances unless the ordering physician has conducted at least one in-person evaluation of the patient. The Act includes multiple exceptions that permit prescribing of controlled substances ...
The Office of Inspector General (“OIG”) of the U.S. Department of Health and Human Services issued Advisory Opinion No. 18-03 in support of an arrangement where a federally qualified health center look-alike (the “Provider”) would donate free information technology-related equipment and services to a county health clinic (the “County Clinic”) to facilitate telemedicine encounters with the County Clinic’s patients (the “Proposed Arrangement”). The OIG concluded that although the Proposed Arrangement could potentially generate prohibited ...
The National Institute of Standards and Technology (“NIST) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the development and promulgation of policies, guidelines and regulations dealing with cybersecurity standards and best practices. NIST claims that its cybersecurity program promotes innovation and competitiveness by advancing measurement science, standards, and related ...
Our colleague The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare.”
at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers: “Following is an excerpt:
The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space ...
On January 5, 2018, consistent with the 21st Century Cures Act’s focus on creating interoperability and correspondingly a Trusted Exchange, the Office of the National Coordinator for Health Information Technology (“ONC”) released its “Draft Trusted Exchange Framework” (“Draft Framework”). The Draft Framework is intended to streamline the exchange of Electronic Health Information (“EHI”) so that both health care providers and patients have better access to health information, thus improving communication and quality health care. EHI includes ...
The 21st Century Cures Act (“Cures Act”) was enacted in December of 2016. Among other things, the Cures Act includes provisions to encourage the interoperability of electronic health records. Specifically, the Cures Act provides for civil penalties for those who engage in “information blocking.” The Cures Act defines “information blocking” broadly as a “practice that . . . is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information” if that practice is known by a developer, exchange, network, or ...
Throughout the campaign season and the first months of Donald Trump’s presidency, the current Administration has voiced a commitment to furthering telehealth advancement. For example, during the campaign, then-candidate Trump emphasized the importance of telehealth tools in reforming the U.S. Department of Veterans Affairs ("VA"). More recently, both U.S. Department of Health and Human Services Secretary Tom Price and Centers for Medicare and Medicaid Services Administrator Seema Verma stated in their confirmation hearings that they were interested in promoting the ...
As requested by Congress as part of an appropriations bill signed into law late last year, this month, the Department of Health and Human Services (HHS) released a report highlighting its e-health and telemedicine efforts. The report makes for interesting reading, and while there are no significant surprises in the report, it offers a clear snapshot of some of the agency’s thinking regarding virtual care.
The first thing I noted in the report is the agency’s view that “telehealth holds promise as a means of increasing access to care and improving health outcomes.” This is ...
On July 7, 2016, the Centers for Medicare and Medicaid Services ("CMS") imposed several administrative penalties on Theranos, a clinical laboratory company that proposed to revolutionize the clinical laboratory business by performing multiple blood tests using a few drops of blood drawn from a finger rather than from a traditional blood draw that relies on needles and tubes. However, after inspecting the laboratory, CMS concluded that the company failed to comply with federal law and regulations governing clinical laboratories and it posed an immediate jeopardy to patient ...
On May 17, 2016, FDA issued Draft Guidance for Industry on Use of Electronic Health Record Data in Clinical Investigations ("Draft Guidance"). This Draft Guidance builds on prior FDA guidance on Computerized Systems Used in Clinical Investigations and Electronic Source Data in Clinical Investigations, and provides information on FDA's expectations for the use of Electronic Health Record ("EHR") data to clinical investigators, research institutions and sponsors of clinical research on drugs, biologics, medical devices and combination products conducted under an ...
As 2015 winds down, I think it is safe to say that it has been a whirlwind year in telehealth. According to the National Conference of State Legislatures (NCSL), over 200 telehealth-related bills were introduced in 42 states. The Federation of State Medical Boards (FSMB) has launched an interstate physician licensure compact that creates a new pathway to expedite physician licensure in multiple states. Twelve states (with Wisconsin being the latest) have so far enacted the licensure compact. Many states such as Colorado, Iowa, and Louisiana released regulations or policies that in ...
One of the issues with which we often grapple in the telehealth space is the relative lack of availability of studies and data when compared to other areas of the health care sector. Telehealth is relatively young and therefore has not had the time to build a voluminous body of data and evidence. But things are changing. Many stakeholders are doing exemplary work in telehealth research, and stakeholders like the Department of Veterans Affairs have longstanding evidence regarding the efficacy of telehealth. However, it’s a more recent document that has caught my attention.
A ...
A recent survey conducted by the Robert Graham Center, the American Academy of Family Physicians, and Anthem caught my attention. The survey was conducted to gauge the attitudes of primary care physicians regarding telehealth. And the results make for interesting reading— providing great insight into how certain providers view and use telehealth. What struck me most is that while great progress has been made in the rate of telehealth adoption among providers, we still have a way to go. According to the survey report, state legal and regulatory issues, reimbursement, and provider ...
Telemental health seems to be emerging, even booming. Also referred to as telebehaviorial health, e-counseling, e-therapy, online therapy, cybercounseling, or online counseling, for purposes of this post, I will define telemental health as the provision of remote mental health care services (usually via an audio/video secure platform) by psychiatrists, psychologists, social workers, counselors, and marriage and family therapists. Most services involve assessment, therapy, and/or diagnosis. Over the last few years, I have seen a wider variety of care models—from ...
As telehealth legal and regulatory issues continue to evolve, stakeholders need to stay current on trending issues. With that in mind, we are offering a complimentary “crash course” webinar series in which we will discuss a number of significant legal and regulatory issues implicated by telehealth including reimbursement, state issues, and employers.
How Do I Get Paid?
During this first installment of EBG’s Telehealth Crash Course series, we will discuss the current reimbursement landscape, including distinctions between various payer models and the growing impact of ...
Joshua A. Stein, a Member of the Firm in the Labor and Employment practice at Epstein Becker Green, has a Hospitality Labor and Employment Law blog post that will be of interest to many of our readers: "DOJ Further Delays Release of Highly Anticipated Proposed Website Accessibility Regulations for Public Accommodations."
Following is an excerpt:
For those who have been eagerly anticipating the release of the U.S. Department of Justice's proposed website accessibility regulations for public accommodations under Title III of the ADA (the "Public Accommodation Website ...
Tuesday, March 24, 2015 at 12:00 p.m. – 1:00 p.m. EDT
The past year has demonstrated that no organization is immune to security incidents that could affect its employees, customers, and reputation. Understanding the complex legal framework governing data privacy and developing a plan to mitigate risk can be the difference between an incident and a disaster.
Join Epstein Becker Green's Privacy & Security Practice for a comprehensive overview of data breach priorities impacting organizations that deal in electronic data. Presenters will identify strategies to prepare for and ...
Epstein Becker Green's recent issue of its Take 5 newsletter focuses on the 25th Anniversary of the ADA and recent developments and future trends under Title III of the ADA.
- Website Accessibility
- Accessible Point-of-Sale Devices and Other Touchscreen Technology
- Movie Theater Captioning & Audio (Narrative) Description
- The Availability of Sign Language Interpreters at Health Care Facilities
- "Drive By" Design/Construction Lawsuits
Providers, take note: the Chronic Care Management (CCM) CPT Code 99490 is now payable by the Centers for Medicare & Medicaid Services (CMS). Effective January 1, 2015, the Medicare program began making payments under the Physician Fee Schedule (PFS) for certain non-face-to-face management and care coordination services provided to beneficiaries covered under the traditional Medicare fee-for-service program. CCM services include, but are not limited to, development and maintenance of a plan of care, communication with other treating health care professionals, and ...
As so many of you know, the barriers to the wider adoption of telemedicine are numerous. In listening to various stakeholders in the telemedicine space over the years, I consistently hear the same barriers being discussed:
-
Multistate licensure for physicians and other health professionals;
-
Data privacy and security;
-
Credentialing and privileging; and
-
Corporate practice of medicine
One issue, however, that gets short shrift in my view is the issue of online prescribing—an issue that presents as formidable a barrier to the wider adoption of ...
Our colleague Mollie K. O'Brien at Epstein Becker Green wrote an advisory on a new law that will increase the protection of personal information under HIPPA by mandating encryption on all computerized data collected by health insurance carriers: "Beyond HIPAA: New Jersey Law Requires Encryption of Personal Data by Health Insurance Carriers." Following is an excerpt:
In response to data breaches that have occurred across the United States, several of which involved the theft of laptop computers, beginning August 1, 2015, health insurance carriers in New Jersey will be obligated ...
On January 9, 2015, New Jersey Governor Chris Christie signed new legislation that will require health insurance carriers authorized to issue health benefits plans in the state—including insurance companies, health service corporations, hospital service corporations, medical service corporations, and health maintenance organizations—to encrypt personal information. Triggered by a series of data breaches involving the health information of almost a million residents, Senate Bill No. 562 (“SB 562”) was passed unanimously by both houses of the state legislature ...
The State of the Union Address, scheduled for January 20, 2015, will contain new initiatives related to privacy, White House officials say. The known initiatives are the introduction of a data breach reporting bill, a bill restricting the sale of student information, and a Consumer Privacy Bill of Rights.
SETTING A NATIONAL DATA BREACH REPORTING STANDARD
President Obama is planning on introducing a data breach bill that would standardize the reporting period nationwide at 30 days. The proposed Personal Data Notification and Protection Act would require ...
By Adam Solander, Ali Lakhani and Wenxi Li
The increasing prevalence of mobile technology in the healthcare sector continues to create compliance concerns for physician practices and other health care entities. While the Office of Civil Rights (OCR) of the Department of Health and Human Services, has traditionally focused on technology breaches within larger health systems, smaller physician practices and health care entities must also ensure that their policies and practices related to mobile technology do not foster non-compliance and create institutional risk.
On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.
Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services to prepare an annual report regarding the number and nature of ...
By Patricia Wagner, Ali Lakhani and Jonathan Hoerner
On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency's Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 ("Breach Report"). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.
Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services ...
Epstein Becker Green and EBG Advisors announce the eighth webinar in a series focusing on emerging trends in population health. The next session—entitled "How Will 'Big Data' and 'IT Integration' Impact Population Health Management?"—will examine the rise of big data and other innovative computational methods. The speakers will explain how these tools and applications are being leveraged to promote better clinical and financial outcomes for patients, providers, and payors.
To register for this must-attend event, scheduled for June 24, 2014, at 12:00 p.m. ET, click here.
By Brandon Ge and Alaap Shah
The Department of Health and Human Services (“HHS”) is taking laudable steps to improve notices of privacy practices (“NPPs”) and make them more clear, understandable, and user-friendly. Under the HIPAA Privacy Rule, individuals are entitled to a receive an NPP informing them of how their health information may be used and shared, as well as how to exercise their health privacy rights. Health plans and health care providers must develop and distribute NPPs that clearly explain these rights and practices. Unfortunately, to date NPPs have been ...
By Marshall Jackson and Alaap Shah
If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.
There is no doubt that a primary concern raised by these data breaches is risk ...
By: Alaap Shah and Ali Lakhani
Why is data breach such a rampant problem within the health care industry?
As health care rapidly digitizes through adoption of electronic health records, mobile applications and the like, the risk of data breach is rising exponentially. To effectively manage this risk, health care companies and their business associates must be vigilant by implementing and evaluating security controls in the form of administrative, physical and technical safeguards. Health care companies also have resources to assist them with managing this risk. Specifically ...
By: Alaap Shah and Marshall Jackson
Data is going digital, devices are going mobile, and technology is revolutionizing how care is delivered. It seems to be business as usual, as your health care organization continues to digitize its operations. You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices. However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse through confidential financial records and sensitive ...
By: Alaap Shah and Ali Lakhani
The Good:
“Hey Doc, just shoot me a text . . .”
The business case supporting text messaging in a health care environment is compelling - it is mobile, fast, direct, and increases dialogue between physicians and patients as well as streamlines the often inefficient page/callback paradigm that stalls workflows and efficiency in the supply chain of healthcare delivery. As a growing percentage of the 171 billion monthly text messages in the U.S. are sent by healthcare providers, often containing electronic protected health information (ePHI ...
Below is a re-print of an article that we recently wrote for the Advisory Board Company’s 2013 third quarter General Counsel Agenda. To view the original publication in the General Counsel Agenda, click here.
For hospitals, the promise of telehealth has spurred innovation across multiple service lines and led to the emergence of a number of new delivery models such as telestroke, teleradiology, telepsychiatry, telepathology, teleICU and remote patient monitoring. While many of these programs are leading to significant improvements in access to health care services, quality ...
Telehealth creates unique health information management challenges for various reasons, including: aggregating large data sets (i.e. remote monitoring); using and storing numerous file formats (video, audio, text, digital images, film); establishing safeguards for sharing data with virtual providers and distant sites; determining the appropriate location for data storage (if more than one provider or entity is involved); and more. All of these challenges create issues relating to medical record management, maintenance, ownership, and storage.
In the past, it was easier ...
Christine Kearsley contributed to this article.
In Durham, North Carolina, the child psychiatrist comes to the classroom. By telehealth. For the past eight years, Duke University Medical Center has teamed up with Durham Public Schools to export child psychiatry to where the kids are. Duke fellows in child psychiatry travel to three elementary schools and one upper-school site to offer in-person mental health services to children with diagnosed mental health disorders. To supervise the fellows, the attending physician conferences in. As Dr. Richard D’Alli, the leader of the ...
Before initiating treatment, health care providers must generally obtain their patients’ informed consent. The purpose of the informed consent process is two-fold. First, it allows patients to gain an understanding of the risks and benefits of the proposed treatment, and alternative courses of action. Second, it helps shield providers from legal exposure.
A formal informed consent process is particularly critical for procedures that carry a high risk of patient injury. When considering such “high-risk” procedures, neurosurgery or radiation therapy may come to mind ...
We all know that telehealth is going mainstream. The numbers speak for themselves. A leading research firm predicts that 2.8 million patients worldwide used home-based remote monitoring devices in 2012—expected to increase to 9.4 million connections globally by 2017. Another firm projects that the number of patients using telehealth services in the United States will grow to 1.3 million in 2017, up from 227,000 in 2012. Even less rosy projections predict growth to 2 million patients worldwide by 2017. The news is even better in subspecialties like telepsychiatry that are ...
In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws. However, a lesser known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which depending on how they function and collect personal information, may not be regulated by HIPAA. Regardless of whether or not you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s ...
Telehealth is going mainstream. Once limited to rural or remote communities, the use of telehealth is increasingly being used to address critical shortages within many medical specialties (such as dermatology, neurology, radiology, critical care and mental health), and as a more efficient means to provide health care services. Many leading nationally-recognized health care providers, health plans and others have significant telehealth initiatives underway often in partnership with telecommunications vendors and government entities. And developments in this space tend ...
As the technologies used to deliver telehealth services become more complex, telehealth providers as well as other HIPAA “covered entities” have an increasingly demanding role to play in ensuring the security of protected health information (PHI). To fulfill this role, both telehealth providers and their business associates (such as the information technology companies and data storage providers that support telehealth platforms) must implement not only technical safeguards, but also physical security measures. From locks, to security guards, to alarm systems ...
Too often, companies try to re-invent the wheel. This is especially true in the telehealth sector where new models of care are constantly being tried and tested. Fortunately for U.S. hospitals, health systems, and companies, however, we have great examples of telehealth models from around the world that have built successful business models in telehealth.
Take the example of Calydial, a company based in Lyon, France, that specializes in remote dialysis. Launched in 2006, Calydial started with 25 patients with renal impairment who needed remote treatment and monitoring. Today ...
The recent discovery of a security flaw that allows Skype accounts to essentially be hijacked has again raised the issue of the security of web-based platforms—and whether providers can meet their HIPAA obligations when using these communication tools. The issue of Skype and similar platforms and HIPAA compliance is one that I am often asked about. In a previous post, I addressed the issue and concluded that providers who wish to use Skype or similar platforms proceed with great caution. I noted that the use of web-based platforms, especially those that are proprietary, may make it ...
By Ross K. Friedberg and Ophir Stemmer
This year we’ve seen a continuation of the trend toward heightened regulation and enforcement of the privacy and security requirements under the Health Information Portability andAccountability Act (“HIPAA”) and under other state and federal health privacy laws. Although there have not been any significant changes to federal health privacy laws this year, federal enforcement activity continues to be strong.
This post provides a summary of the developments in privacy and security law throughout the past year; discusses the ...
With a new era of active enforcement of the HIPAA privacy and security laws upon us, companies need to figure out early-on whether they are regulated under HIPAA, either as covered entities or business associates. However, determining whether a company is subject to the HIPAA privacy and security requirements is not always straightforward, especially for companies in the health technology space. There are two ways in which a company can become subject to HIPAA: (1) it functions as a health plan, health care provider or health care clearinghouse which could potentially make it a HIPAA ...
There are myriad opportunities right now for new businesses and talented entrepreneurs targeting healthcare, particularly in the IT sector. It’s an exciting time for people and companies looking to harness the promise of innovation and the power of technology to improve health care delivery, empower patients and lower costs.
However, even the best ideas usually require money to get off the ground. Sometimes they require more capital than the founders or management, or their family and friends, have available. While there are many individuals and ...
Mobile application (“app”) development is the new boon for technology companies of all sizes, and the phrase “There’s an app for that” tells the story of just how much this market has grown and matured. Most of the early app development focused on low risk opportunities—those involving free or low-cost social media or gaming apps. While protecting privacy and security of personally-identifiable information is generally important, privacy and security concerns typically do not rank as high priorities in decision-making when developing these types of apps.
By ...
Imagine there are two hospitals (or two physician groups). One is highly specialized and has developed a telemedicine program for treating stroke patients; the other is a community hospital or physician practice that would like to take part in this telemedicine program but does not want to pay for the technology needed to virtually connect with the program’s specialists. Can the telemedicine provider buy this technology for the receiving hospital or physician group, or rent it out at a deep discount, without violating the law?
This turns out to be a hard question. Under federal law ...
The following may surprise some: FDA approval or clearance is never enough. Not if manufacturers want a commercially successful product. There is no doubt that addressing FDA issues is critical. But without data to show effectiveness, payers will not reimburse a particular product or technology—and even the most promising product will languish in the market without the appropriate coverage and reimbursement.
The use of remote monitoring devices has increased significantly over the last few years. I think it is fair to say that many manufacturers of these devices worry ...
I’m sure most of you know about BYOB, but do you know about BYOD (Bring Your Own Device). This is the term used when a company chooses to forgo issuing company-owned mobile computing devices (think smartphones and tablets), and encourages its employees to use their own personal mobile devices for business purposes. And in the healthcare context, BYOD has important implications.
For better or for worse, many companies have opted to institute a BYOD policy for a number of reasons. Here are just a few rationales for BYOD:
- Employees likely already have a smartphone or tablet or both.
Blog Editors
Recent Updates
- Supreme Court of Ohio Decides on a Peer-Review Privilege Issue in Stull v. Summa
- Unpacking Averages: Exploring Data on FDA’s Breakthrough Device Program Obtained Through FOIA
- Importance of Negotiating the Letter of Intent for Health Care Leases
- Importance of Negotiating Default Provisions in Health Care Leases
- Podcast: Health Policy Update: Impact of the 2024 U.S. Elections – Diagnosing Health Care