Posts in Privacy and Security Law.
Blogs
4 minute read

The Food and Drug Administration ("FDA") recently announced that it will be hosting a public workshop on October 21 and 22, 2014, in Arlington, Virginia, entitled "Collaborative Approaches for Medical Device and Healthcare Cybersecurity."

Officials from FDA, the Department of Health and Human Services ("HHS"), and the Department of Homeland Security ("DHS") will bring together medical device manufacturers, insurers, cybersecurity researchers, trade organizations, government officials, and other stakeholders to discuss the numerous challenges faced in medical device ...

Blogs
7 minute read

On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.

Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services to prepare an annual report regarding the number and nature of ...

Blogs
3 minute read

By Brandon Ge and Alaap Shah

The Department of Health and Human Services (“HHS”) is taking laudable steps to improve notices of privacy practices (“NPPs”) and make them more clear, understandable, and user-friendly. Under the HIPAA Privacy Rule, individuals are entitled to receive an NPP informing them of how their health information may be used and shared, as well as how to exercise their health privacy rights. Health plans and health care providers must develop and distribute NPPs that clearly explain these rights and practices. Unfortunately, to date NPPs have been ...

Blogs
8 minute read

By Marshall Jackson and Alaap Shah

If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.

There is no doubt that a primary concern raised by these data breaches is risk ...

Blogs
4 minute read

By: Alaap Shah and Ali Lakhani

Why is data breach such a rampant problem within the health care industry?

As health care rapidly digitizes through adoption of electronic health records, mobile applications and the like, the risk of data breach is rising exponentially.  To effectively manage this risk, health care companies and their business associates must be vigilant by implementing and evaluating security controls in the form of administrative, physical and technical safeguards.  Health care companies also have resources to assist them with managing this risk.  Specifically ...

Blogs
6 minute read

One of the European Parliament’s 20 committees, the Civil Liberties Committee (“LIBE”), voted on October 21, 2013 on a proposed EU General Data Protection Regulation. The regulation includes an increased level of fines and new regulatory requirements (in case of certain international data transfers and disclosure requests for personal data by foreign courts or authorities). Companies should monitor these issues closely in the next couple of months. Most likely, after the plenary vote on November 18-21, the Parliament will push for rapid negotiations with the Council ...

Blogs
7 minute read

By: Alaap Shah and Marshall Jackson

Data is going digital, devices are going mobile, and technology is revolutionizing how care is delivered.  It seems to be business as usual, as your health care organization continues to digitize its operations.  You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices.  However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse through confidential financial records and sensitive ...

Blogs
6 minute read

By: Alaap Shah and Ali Lakhani

The Good: 

“Hey Doc, just shoot me a text . . .”

The business case supporting text messaging in a health care environment is compelling - it is mobile, fast, direct, and increases dialogue between physicians and patients as well as streamlines the often inefficient page/callback paradigm that stalls workflows and efficiency in the supply chain of healthcare delivery.  As a growing percentage of the 171 billion monthly text messages in the U.S. are sent by healthcare providers, often containing electronic protected health information (ePHI ...

Blogs
6 minute read

Below is a re-print of an article that we recently wrote for the Advisory Board Company’s 2013 third quarter General Counsel Agenda. To view the original publication in the General Counsel Agenda, click here.

For hospitals, the promise of telehealth has spurred innovation across multiple service lines and led to the emergence of a number of new delivery models such as telestroke, teleradiology, telepsychiatry, telepathology, teleICU and remote patient monitoring.  While many of these programs are leading to significant improvements in access to health care services, quality ...

Blogs
5 minute read

Telehealth creates unique health information management challenges for various reasons, including: aggregating large data sets (i.e. remote monitoring); using and storing numerous file formats (video, audio, text, digital images, film); establishing safeguards for sharing data with virtual providers and distant sites; determining the appropriate location for data storage (if more than one provider or entity is involved); and more.  All of these challenges create issues relating to medical record management, maintenance, ownership, and storage.

In the past, it was easier ...

Blogs
4 minute read

Christine Kearsley contributed to this article.

In Durham, North Carolina, the child psychiatrist comes to the classroom.  By telehealth. For the past eight years, Duke University Medical Center has teamed up with Durham Public Schools to export child psychiatry to where the kids are.  Duke fellows in child psychiatry travel to three elementary schools and one upper-school site to offer in-person mental health services to children with diagnosed mental health disorders.  To supervise the fellows, the attending physician conferences in.  As Dr. Richard D’Alli, the leader of the ...

Blogs
4 minute read

Before initiating treatment, health care providers must generally obtain their patients’ informed consent. The purpose of the informed consent process is two-fold. First, it allows patients to gain an understanding of the risks and benefits of the proposed treatment, and alternative courses of action. Second, it helps shield providers from legal exposure.

A formal informed consent process is particularly critical for procedures that carry a high risk of patient injury. When considering such “high-risk” procedures, neurosurgery or radiation therapy may come to mind ...

Blogs
6 minute read

We all know that telehealth is going mainstream.  The numbers speak for themselves.  A leading research firm predicts that 2.8 million patients worldwide used home-based remote monitoring devices in 2012—expected to increase to 9.4 million connections globally by 2017.  Another firm projects that the number of patients using telehealth services in the United States will grow to 1.3 million in 2017, up from 227,000 in 2012.  Even less rosy projections predict growth to 2 million patients worldwide by 2017.  The news is even better in subspecialties like telepsychiatry that are ...

Blogs
4 minute read

In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws.  However, a lesser known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which depending on how they function and collect personal information, may not be regulated by HIPAA.  Regardless of whether or not you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s ...

Blogs
Less than a minute read

Telehealth is going mainstream. Once limited to rural or remote communities, the use of telehealth is increasingly being used to address critical shortages within many medical specialties (such as dermatology, neurology, radiology, critical care and mental health), and as a more efficient means to provide health care services. Many leading nationally-recognized health care providers, health plans and others have significant telehealth initiatives underway often in partnership with telecommunications vendors and government entities.  And developments in this space tend ...

Blogs
5 minute read

As the technologies used to deliver telehealth services become more complex, telehealth providers as well as other HIPAA “covered entities” have an increasingly demanding role to play in ensuring the security of protected health information (PHI).  To fulfill this role, both telehealth providers and their business associates (such as the information technology companies and data storage providers that support telehealth platforms) must implement not only technical safeguards, but also physical security measures.  From locks, to security guards, to alarm systems ...

Blogs
3 minute read

While tech companies looking to provide health solutions must figure out early on whether they are HIPAA-regulated, HIPAA is not the be-all and end-all of privacy law. Even entities not regulated under HIPAA must abide by other privacy rules, including a wide array of state privacy laws. On December 6, 2012, in the state’s first legal action under its online privacy law, California Attorney General Kamala Harris filed a lawsuit against a major airline for not including a privacy policy in its smartphone app. The complaint alleges violation of California’s Online Privacy ...

Blogs
3 minute read

The recent discovery of a security flaw that allows Skype accounts to essentially be hijacked has again raised the issue of the security of web-based platforms—and whether providers can meet their HIPAA obligations when using these communication tools.  The issue of Skype and similar platforms and HIPAA compliance is one that I am often asked about.  In a previous post, I addressed the issue and concluded that providers who wish to use Skype or similar platforms proceed with great caution.  I noted that the use of web-based platforms, especially those that are proprietary, may make it ...

Blogs
Less than a minute read

By Ross K. Friedberg and Ophir Stemmer

This year we’ve seen a continuation of the trend toward heightened regulation and enforcement of the privacy and security requirements under the Health Information Portability and Accountability Act (“HIPAA”) and under other state and federal health privacy laws. Although there have not been any significant changes to federal health privacy laws this year, federal enforcement activity continues to be strong.

This post provides a summary of the developments in privacy and security law throughout the past year; discusses the ...

Blogs
4 minute read

By Joel Rush and Dawn Helak

All indications are that international telemedicine is well positioned for strong growth over the next several years. The global healthcare marketplace is ripe with opportunities for U.S. based healthcare systems and providers to take advantage of the expanding use of telemonitoring systems and other telemedicine technologies to deliver top flight healthcare to patients across the globe.

However, wherever there are opportunities, there are challenges. In addition to the economic and financial barriers to launching an international telemedicine ...

Blogs
5 minute read

With a new era of active enforcement of the HIPAA privacy and security laws upon us, companies need to figure out early-on whether they are regulated under HIPAA, either as covered entities or business associates.  However, determining whether a company is subject to the HIPAA privacy and security requirements is not always straightforward, especially for companies in the health technology space.  There are two ways in which a company can become subject to HIPAA: (1) it functions as a health plan, health care provider or health care clearinghouse which could potentially make it a HIPAA ...

Blogs
4 minute read

Mobile application (“app”) development is the new boon for technology companies of all sizes, and the phrase “There’s an app for that” tells the story of just how much this market has grown and matured.  Most of the early app development focused on low risk opportunities—those involving free or low-cost social media or gaming apps.  While protecting privacy and security of personally-identifiable information is generally important, privacy and security concerns typically do not rank as high priorities in decision-making when developing these types of apps.

By ...

Blogs
Less than a minute read

By Pamela Tyner

They say that everything is bigger in Texas, and the Lone Star State’s new privacy protection laws are no exception. Texas House Bill 300 (“HB 300”) amends the Texas Medical Records Privacy Act (“Texas Act”) and takes effect on September 1, 2012. HB 300 significantly expands patient privacy protections for Texas covered entities beyond those federal requirements as outlined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.

Read ...

Blogs
3 minute read

I’m sure most of you know about BYOB, but do you know about BYOD (Bring Your Own Device)?  This is the term used when a company chooses to forgo issuing company-owned mobile computing devices (think smartphones and tablets), and instead encourages its employees to use their own personal mobile devices for business purposes.  And in the healthcare context, BYOD has important implications.

For better or for worse, many companies have opted to institute a BYOD policy for a number of reasons.  Here are just a few rationales for BYOD:

  • Employees likely already have a smartphone or tablet or both.

Blogs
3 minute read

Is Skype HIPAA-compliant? This is probably the question I get asked the most. For the sake of this post, I am using the term Skype to include Skype and similar free web-based communication platforms relying on proprietary voice over Internet technology.

As with so many things, the answer is complicated. But the question itself is misleading. Many vendors and manufacturers market their technology and products using terms such as “HIPAA compliant.”

However, products or technology cannot themselves be “HIPAA-compliant.” Hospitals, providers, and other covered entities ...
