Sharing Scientific Information with HCPs on Unapproved Uses of Medical Products: Dos and Don’ts Under FDA’s New Draft Guidance

In October 2023, the FDA released draft guidance entitled “Communications From Firms to Health Care Providers Regarding Scientific Information on Unapproved Uses of Approved/Cleared Medical Products: Questions and Answers Guidance for Industry” (“2023 Draft Guidance”).[1] The 2023 Draft Guidance supersedes previous draft guidance from 2014 entitled “Distributing Scientific and Medical Publications on Unapproved New Uses–Recommended Practices” (“2014 Draft Guidance”), which was a revision of a 2009 final guidance entitled “Good Reprint Practices for the Distribution of Medical Journal Articles and Medical or Scientific Reference Publications on Unapproved New Uses of Approved Drugs and Approved or Cleared Medical Devices.”

All three of these FDA guidance documents provide recommendations for industry regarding the sharing of scientific information with Health Care Providers (“HCPs”)[2] on unapproved uses of approved or cleared drugs and medical devices, termed “SIUU communications” by the 2023 Draft Guidance. HCPs are permitted to prescribe medical products for unapproved uses when the unapproved use is determined to be medically appropriate for a given patient. However, manufacturers may not promote their products for an unapproved use. For this reason, FDA’s position (which is articulated to some extent across all of the above-mentioned guidance documents, but most clearly and emphatically in the 2023 Draft Guidance) is that firm[3] communications to HCPs regarding unapproved uses of approved or cleared products should include all of the information necessary for HCPs to evaluate the strengths, weaknesses, validity, and utility of the information about the unapproved use in order to make determinations regarding medical appropriateness.

In the 2023 Draft Guidance, FDA seeks to balance the interest of HCPs in receiving, and of manufacturers in sharing, truthful and non-misleading information about unapproved uses of approved medical products that is intended to inform clinical practice decisions, against the government’s interest in protecting patients from medical product uses that have not met the safety and effectiveness standards required under FDA’s premarket approval framework.

While the 2023 Draft Guidance reiterates many of the recommendations from the 2014 Draft Guidance, the 2023 Draft Guidance leverages a new “Q&A” format to provide firms with more detailed and specific recommendations, including hypothetical scenarios, around SIUU communications. Below, we restate the four Q&A questions included in the 2023 Draft Guidance and then highlight key aspects of the responses provided by FDA through brief commentary and recommended Dos and Don’ts.

Q1. What should firms consider when determining whether a source publication is appropriate to serve as the basis for an SIUU communication?

According to the 2023 Draft Guidance, any study or analysis described in a source publication that serves as the basis for an SIUU communication should be scientifically sound,[4] and should provide information that is relevant to HCPs engaged in making clinical practice decisions for the care of an individual patient; in other words, these sources should be clinically relevant.[5] While the 2014 Draft Guidance suggested that scientific or medical journal article reprints intended for distribution to HCPs should describe studies that are considered “scientifically sound” by appropriate experts, the 2023 Draft Guidance builds out this standard and provides greater insight into what types of source material would meet (and not meet) the standard.

Do:

  • Choose scientifically sound studies that provide clinically relevant information to support your SIUU communications
    • For human and animal drugs, randomized, double-blind, concurrently controlled superiority trials are most likely to provide both scientifically sound and clinically relevant information (though other well-designed and well-conducted studies may also be appropriate)
  • For medical devices,[6] look to well-controlled investigations, partially controlled studies, studies and objective trials without matched controls, well-documented case histories conducted by qualified experts, and reports of significant human experience with a marketed device as sources of scientifically sound and clinically relevant information
  • Consider studies with real-world data and associated real-world evidence, which may meet the scientifically sound and clinically relevant threshold depending on the nature of the data and underlying analyses

Don’t:

  • Rely on studies without an adequate control group, isolated case reports, or studies that lack sufficient detail to permit scientific evaluation as the sole basis for an SIUU communication
  • Rely on studies with “unreliable” data, even if you include disclaimers noting the limitations (e.g., studies that fail to control for confounding factors or fail to clearly define study endpoints)
  • Rely on articles focused on non-clinical studies as the sole basis for an SIUU communication
  • Rely on scientific data generated in early stages of medical product development as the sole basis for an SIUU communication, as such data can produce results that are inconsistent with later studies
  • Distort studies in SIUU communications or base SIUU communications on publications that distort studies or include fraudulent data
  • Continue to share an SIUU communication that is based on a study or analysis that is no longer clinically relevant (e.g., because subsequent research has established that the findings from the study are not reliable)

Q2. What information should firms include as part of SIUU communications?

Like the 2014 Draft Guidance, the 2023 Draft Guidance emphasizes the importance of providing certain disclosures with SIUU communications to ensure such communications are not misleading and provide all the information necessary for HCPs to interpret the strengths and weaknesses and validity and utility of the information. The recommended disclosures in the 2023 Draft Guidance are similar to those recommended in the 2014 Draft Guidance, but are more detailed and extensive.

Do:

  • Provide a disclosure statement with any SIUU communication, which should include:
    • A statement that the use described in the communication is unapproved and the safety and effectiveness of the medical product for the unapproved use(s) has not been established
    • Disclosure of the FDA approved use of the medical product, including any limitations and contraindication(s) specified by the product’s FDA-required labeling[7]
    • Disclosure of any limitations, restrictions, cautions, warnings, or contraindications described in the FDA-required labeling that relate to the unapproved use(s)
    • Disclosure of any serious, life-threatening, or fatal risks posed by the medical product that are relevant to the unapproved use(s) (that are either in the FDA-required labeling or known by the firm and relevant to the unapproved use)
    • Disclosure of any financial relationships between the firm and any authors, editors, or other contributors to the publications in the SIUU communication
    • A copy of the most current FDA-required labeling (or a mechanism for obtaining the labeling)
    • The publication date of any referenced or included publication(s) (if not specified in the publication or citation)
  • For an SIUU communication based on a source publication that is primarily focused on a particular scientific study or studies, for each such study where the following information is not included in the publication, provide a description of:
    • All material aspects of study design, methodology, and results
    • All material limitations related to the study design, methodology, and results
    • Any conclusions from other relevant studies, when applicable, that are contrary to or cast doubt on the results shared, including citations for any such studies

Don’t:

  • Omit any risk evaluation and mitigation strategy (REMS) applicable to the medical product (firms should disclose any REMS and should describe the goal(s) of the REMS)

Q3. What presentational considerations should firms take into account for SIUU communications?

The 2023 Draft Guidance offers a number of presentation-focused recommendations to ensure that SIUU communications are conveyed in a manner that enhances and does not interfere with HCP understanding of the underlying scientific information, and to avoid such SIUU communications being confused with promotional communications about approved uses.

Do:

  • Clearly and prominently present all recommended disclosures, considering type size, font style, layout, contrast, graphic design, headlines, spacing, volume, articulation, pace, and any other techniques to achieve emphasis or notice
  • For SIUU communications with both audio and visual components, present disclosures in both the audio and in text at the same time using the same/substantially similar language
  • Keep SIUU communications (including those relayed via email) separate and distinct from promotional communications about approved uses of medical products
  • Use dedicated vehicles, channels, and venues for sharing SIUU communications that are separate from the vehicles, channels, and venues used for promotional communications about approved uses of medical products. For example –
    • Present SIUU communications on a separate web page from the web page that hosts promotional communications about approved uses
    • At conferences and similar venues, ensure that SIUU communications are clearly identified and distinct from promotional communications about approved uses (e.g., by dividing booth space to allow a dedicated space for SIUU communications)
  • Use plain language in the content developed for SIUU communications to facilitate comprehension (i.e., clear and concise language that does not include technical jargon and clearly explains any scientific or technical terms)

Don’t:

  • Use persuasive marketing techniques, such as the use of celebrity endorsements, premium offers, and gifts. According to FDA, a firm’s choice to use persuasive marketing techniques suggests an effort to convince the HCP to prescribe or use the product for the unapproved use based on elements other than the scientific content of the communication
  • Include direct links from web pages that host promotional communications about approved uses to webpages that host SIUU communications
  • Utilize platforms with character limits that do not enable the firm to include the recommended disclosures for sharing SIUU communications (however, such platforms could be used to direct an HCP to an SIUU communication, subject to certain restrictions)

Q4. What additional recommendations apply to specific types of SIUU communications?

The 2023 Draft Guidance offers additional recommendations related to certain specific types of SIUU communications including journal reprints and clinical reference resources (such as clinical practice guidelines and reference texts). Of note, the 2023 Draft Guidance provides recommendations for a category of SIUU communications that is not specifically addressed in the 2014 Draft Guidance – “firm-generated presentations of scientific information from an accompanying published reprint.”

Discussion of such firm-generated presentations in the 2023 Draft Guidance represents a departure from the 2014 Draft Guidance, which stated that reprints (as well as clinical reference resources) regarding unapproved uses (of cleared or approved medical products) should not be “marked, highlighted, summarized, or characterized” by medical product manufacturers to emphasize or promote an unapproved use. The 2023 Draft Guidance provides new flexibility in this regard, expressly acknowledging that firms may develop their own presentations of scientific information from an accompanying reprint provided such presentation is truthful, non-misleading, factual, unbiased, and provides all the information necessary for HCPs to interpret the strengths and weaknesses and validity and utility of the presented information. The 2023 Draft Guidance includes a number of recommendations for firms to follow to prepare and distribute firm-generated presentations of information from an accompanying reprint.

Do:

  • Include the full reprint with the firm-generated presentation
  • Include the disclosures outlined above in Q2, and clearly disclose what portions of the communication are firm-generated
  • Follow the presentational considerations outlined in Q3

Don’t:

  • Imply that the study, analysis, or underlying data or information from the reprint(s) represents larger or more-general experience with the medical product than it actually does
  • Present information, such as excerpts, quotes, etc., from the reprint(s) out of context, without the information necessary for HCPs to interpret the strengths and weaknesses and validity and utility of the information
  • Include representations or suggestions about the safety or effectiveness of the medical product for the unapproved use(s) that are not consistent with the reprint
  • Present any conclusions or representations about safety or effectiveness for the unapproved use without expressly attributing such statements to the reprint, and without immediately following such statements with a disclosure of any financial relationships between the firm and any authors, editors, or other contributors to the publications in the SIUU communication
  • Use statistical analyses or techniques to indicate clinical significance or validity of a finding not supported by the data or information in the reprint
  • Use tables or graphs or other presentational elements to distort or misrepresent the relationships, trends, differences, or changes among the outcomes evaluated in the reprint

Conclusion

While the 2023 Draft Guidance departs from the 2014 Draft Guidance in some respects, many of the same principles have been carried through into the current guidance. As such, a medical product manufacturer that has already implemented the recommendations from the 2014 Draft Guidance should not face too heavy a lift in adjusting its activities to align with the 2023 Draft Guidance. While the landscape has not shifted drastically overall, firms should still closely review the additional detail and clarifications provided by the 2023 Draft Guidance to mitigate potential risk in navigating the often murky regulatory waters of off-label and pre-approval communications.

ENDNOTES

[1] Comments on the 2023 Draft Guidance are due by December 26, 2023.

[2] The 2023 Draft Guidance only applies to HCPs engaged in making clinical practice decisions for the care of an individual patient. Per the 2023 Draft Guidance, HCPs include physicians, veterinarians, dentists, physician assistants, nurse practitioners, pharmacists, or registered nurses who are licensed or otherwise authorized by law to prescribe, order, administer, or use medical products in a professional capacity. The 2014 Draft Guidance applied to “health care professionals,” but the term was not specifically defined.

[3] As defined by the 2023 Draft Guidance, firms are the “persons legally responsible for the labeling of medical products, and includes applicants, sponsors, requestors, manufacturers, packers, and distributors of medical products, and licensees of such persons, and any persons communicating on behalf of these entities.”

[4] To be “scientifically sound,” at a minimum, studies should meet generally accepted design and other methodological standards for the particular type of study performed, taking into account established scientific principles and existing scientific knowledge.

[5] Additionally, statistical robustness is generally necessary, though not sufficient, to determine if a study or analysis is appropriate for an SIUU communication. While statistical robustness factors into the rigor of the design and methodology of a study, it does not assure that the study relates to outcomes of clinical relevance to HCPs.

[6] Notably, while the 2014 Draft Guidance stated that journal articles discussing significant non-clinical research could fall within FDA’s enforcement discretion policy under the guidance, the 2023 Draft Guidance clarifies that, generally, sharing articles focused on non-clinical studies alone would not be consistent with FDA’s enforcement discretion policy as a non-clinical study alone is unlikely to provide information that is clinically relevant.

[7] “FDA-required labeling” includes, but is not necessarily limited to, the labeling reviewed and approved by FDA as part of the medical product premarket review process. For a prescription human drug (including biological products), this consists of the FDA-approved prescribing information that meets the requirements of 21 CFR 201.100. For a device, it includes the labeling approved during the review of a premarket approval application or De Novo classification.

The End of the COVID Public Health Emergency and Its Effect on Employee Benefit Plans

The COVID-19 public health emergency ends on May 11, 2023. The emergency resulted in two big changes to welfare plans: the relaxation of certain notification and timing requirements, and the requirement for plans to cover COVID testing and vaccination at no cost to plan participants. While the public health emergency ends May 11, 2023, plans have a grace period until July 11 to take certain actions and come into compliance with the normal rules.

Plan Sponsor Requirements

Before the grace period ends, plan sponsors will generally need to follow the rules that existed before COVID. Among the most important of these rules are the requirements for plan sponsors to:

  • Timely provide all notices, including those for HIPAA and COBRA.
  • Review COVID-related coverage under their employee assistance programs (EAPs) to determine if such coverage would be considered “significant medical care,” which can result in additional reporting and compliance obligations.
  • Review telehealth options to ensure they are properly integrated and provided by an entity that can comply with the post-COVID requirements. Telehealth rules were substantially relaxed during COVID. With telehealth now expected and utilized by more participants, getting telehealth right is more crucial than before.

Plan Sponsor Decisions

With the end of the public health emergency, plan sponsors must also make several important decisions with respect to their employee benefit plans:

  • Whether testing will continue free of charge or will be subject to cost sharing.
  • Whether non-preventative care vaccines for COVID will continue to be free of charge.
  • Whether costs for certain COVID-related services will continue to be posted.

As they are mostly based on what costs the plan sponsor or plan will cover going forward, these plan sponsor decisions are largely business-related. In the absence of a choice by the plan sponsor, the insurance provider will likely make a default choice. The important legal consideration is that the plan documents and employee communications should be consistent and accurately reflect the plan sponsor’s decisions.

Participant Requirements

In addition to the changes for plan sponsors, the end of the public health emergency will result in the reinstatement of a number of rules applicable to participants. Participants will need to:

  • Follow the HIPAA Special Enrollment timing rules.
  • Elect COBRA within the 60-day window for elections.
  • Make all COBRA payments timely.
  • Timely notify the plan of disabilities and qualifying events under COBRA.
  • Follow the timing limitations of their plans and insurance policies regarding filing claims, appeals, and external reviews.

Next Steps

First, plan sponsors should decide what COVID-related coverage will remain fully paid by the plan, if any. Some insurance companies are already starting to communicate with participants, and maintaining a consistent message will avoid unnecessary problems.

Second, plan sponsors should review their EAP and telehealth coverages for compliance with the rules that will soon be in effect. To the extent necessary, plan sponsors should update the documentation for their plans.

Finally, plan sponsors should consider a voluntary reminder communication to participants. Many rules have been relaxed over the last two years or so, and participants may be confused regarding the rules. A reminder may save stress for participants and those administering the plan, and will also serve to document the plan sponsor’s intention to properly follow the terms of the plan.

© 2023 Varnum LLP

The FTC Announces First Health Breach Notification Rule Enforcement Action

On February 1, the Federal Trade Commission (“FTC”) announced enforcement action for the first time under its Health Breach Notification Rule[1]. The complaint against telehealth and prescription drug discount provider GoodRx Holdings Inc. (“GoodRx”), alleges its failure to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect. The Health Breach Notification Rule requires vendors of personal health records and related entities, which are not covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify consumers and the FTC of unauthorized disclosures. In a September 2021 policy statement, the FTC warned health apps and connected devices that they must comply with the rule.

According to the FTC’s complaint, for years GoodRx violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms, contrary to its privacy promises, and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC claims GoodRx shared personal health information with Facebook, Google, Criteo and others. According to the FTC, since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information, such as its users’ prescription medications and personal health conditions.

The FTC also alleges GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health and medication-specific advertisements on Facebook and Instagram.

The FTC further alleges that GoodRx:

  • Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising.
  • Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
  • Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

  • Prohibit the sharing of health data for advertising: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
  • Require user consent for any other sharing: GoodRx must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties. It also prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
  • Require the company to seek deletion of data: GoodRx must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
  • Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule and detail the information it collects and why such data collection is necessary.
  • Implement a Mandated Privacy Program: GoodRx must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

© 2023 Dinsmore & Shohl LLP. All rights reserved.

FOOTNOTES

[1] 16 CFR Part 318

Biden Administration Seeks to Clarify Patient Privacy Protections Post-Dobbs, Though Questions Remain

On July 8, two weeks following the Supreme Court’s ruling in Dobbs v. Jackson that invalidated the constitutional right to abortion, President Biden signed Executive Order 14076 (E.O.). The E.O. directed federal agencies to take various actions to protect access to reproductive health care services,[1] including directing the Secretary of the U.S. Department of Health and Human Services (HHS) to “consider actions” to strengthen the protection of sensitive healthcare information, including data on reproductive healthcare services like abortion, by issuing new guidance under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[2]

The directive bolstered efforts already underway by the Biden Administration. A week before the E.O. was signed, HHS Secretary Xavier Becerra directed the HHS Office for Civil Rights (OCR) to take steps to ensure privacy protections for patients who receive, and providers who furnish, reproductive health care services, including abortions.[3] The following day, OCR issued two guidance documents to carry out this order, which are described below.

Although the guidance issued by OCR clarifies the privacy protections as they exist under current law post-Dobbs, it does not offer patients or providers new or strengthened privacy rights. Indeed, the guidance illustrates the limitations of HIPAA regarding protection of health information of individuals related to abortion services.

A.  HHS Actions to Safeguard PHI Post-Dobbs

Following Secretary Becerra’s press announcement, OCR issued two new guidance documents outlining (1) when the HIPAA Privacy Rule may prevent the unconsented disclosure of reproductive health-related information; and (2) best practices for consumers to protect sensitive health information collected by personal cell phones, tablets, and apps.

(1) HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care

In the “Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe,”[4] OCR addresses three existing exceptions in the HIPAA Privacy Rule to the disclosure of PHI without an individual’s authorization and provides examples of how those exceptions may be applied post-Dobbs.

The three exceptions discussed in the OCR guidance are the exceptions for disclosures required by law,[5] for purposes of law enforcement,[6] or to avert a serious threat to health or safety.[7]

While the OCR guidance reiterates that the Privacy Rule permits, “but does not require,” disclosure of PHI under each of these exceptions,[8] this offers limited protection because it relies on the provider’s choice whether or not to disclose the information. Although these exceptions are highlighted as “protections,” they expressly permit the disclosure of protected health information. Further, while it is true that the HIPAA Privacy Rule itself may not compel disclosure (but merely permits it), the guidance fails to mention that in many situations in which these exceptions apply, the provider will have other legal authority (such as state law) mandating the disclosure, so that a refusal to disclose the PHI may be unlawful under a law other than HIPAA.

Two of the exceptions discussed in the guidance, the required-by-law exception and the law enforcement exception, apply in the first place only when valid legal authority requires disclosure. In these situations, the fact that HIPAA does not compel disclosure is of no relevance. Certainly, when there is no valid legal authority requiring disclosure of PHI, HIPAA prohibits disclosure, as noted in the OCR guidance. However, in states with restrictive abortion laws, the state legal authorities are likely to be designed to require disclosure, which HIPAA does not prevent.

For instance, if a health care provider receives a valid subpoena from a Texas court that is ordering the disclosure of PHI as part of a case against an individual suspected of aiding and abetting an abortion, in violation of Texas’ S.B. 8, then that provider could be held in contempt of court for failing to comply with the subpoena, despite the fact that HIPAA does not compel disclosure.[9] For more examples on when a covered entity may be required to disclose PHI, please see EBG’s prior blog: The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe.[10]

Notably, the OCR guidance does provide a new interpretation of the application of the exception for disclosures to avert a serious threat to health or safety. Under this exception, covered entities may disclose PHI, consistent with applicable law and standards of ethical conduct, if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. OCR states that it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care. Thus, in the guidance, OCR takes the position that if a patient in a state where abortion is prohibited informs a health care provider of the patient’s intent to seek an abortion that would be legal in another state, this would not fall into the exception for disclosures to avert a serious threat to health or safety. Covered entities should be aware of OCR’s position and understand that presumably OCR would view any such disclosure as a HIPAA violation.

(2) Protecting the Privacy and Security of Individuals’ Health Information When Using Personal Cell Phones or Tablets

OCR also issued guidance on how individuals can best protect their health information on their own personal devices. HIPAA does not generally protect the privacy or security of health information when it is accessed through or stored on personal cell phones or tablets. Rather, HIPAA applies only when PHI is created, received, maintained, or transmitted by covered entities and business associates. As a result, it is not unlawful under HIPAA for information collected by devices or apps, including data pertaining to reproductive healthcare, to be disclosed without the consumer’s knowledge.[11]

In an effort to clarify HIPAA’s limited protection of such information, OCR issued guidance to help consumers protect sensitive information stored on personal devices and in apps.[12] This includes step-by-step guidance on how to control the collection of location data and how to securely dispose of old devices.[13]

Further, some states have taken steps to fill the legal gaps, with varying degrees of success. For example, California’s Confidentiality of Medical Information Act (“CMIA”) extends to “any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information.”[14] As applied, a direct-to-consumer period tracker app provided by a technology company, for example, would fall under the CMIA’s data privacy protections, but not under HIPAA. Regardless, gaps remain, as the CMIA does not protect against a Texas prosecutor subpoenaing information from the direct-to-consumer app. Conversely, Connecticut’s new reproductive health privacy law[15] does prevent a Connecticut covered entity from disclosing reproductive health information based on a subpoena, but Connecticut’s law does not apply to non-covered entities, such as a period tracker app. Therefore, even the U.S.’s most protective state privacy laws do not fill in all of the privacy gaps.

Alongside OCR’s guidance, the Federal Trade Commission (FTC) published a blog post warning companies with access to confidential consumer information to consider FTC’s enforcement powers under Section 5 of the FTC Act, as well as the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.[16] Consistent with OCR’s guidance, the FTC’s blog post reiterates the Biden Administration’s goal of protecting reproductive health data post-Dobbs, but does not go so far as to create new privacy protections relative to current law.

B. Despite the Biden Administration’s Guidance, Questions Remain Regarding the Future of Reproductive Health Privacy Protections Post-Dobbs

Through E.O. 14076, Secretary Becerra’s press conference, OCR’s guidance, and the FTC’s blog, the Biden Administration is signaling that it intends to use the full force of its authorities – including those vested by HIPAA – to protect patient privacy in the wake of Roe.

However, it remains unclear how this messaging will translate to affirmative executive actions, and how successful such executive actions would be. How far is the executive branch willing to push reproductive rights? Would more aggressive executive actions be upheld by a Supreme Court that just struck down decades of precedent permitting access to abortion? Will the Biden Administration’s executive actions persist if the administration changes in the next Presidential election?

Attorneys at Epstein Becker & Green are well-positioned to assist covered entities, business associates, and other companies holding sensitive reproductive health data in understanding how to navigate HIPAA’s exemptions and their interactions with emerging guidance, regulations, and statutes at both the state and Federal levels.

Ada Peters, a 2022 Summer Associate (not admitted to the practice of law) in the firm’s Washington, DC office and Jack Ferdman, a 2022 Summer Associate (not admitted to the practice of law) in the firm’s Boston office, contributed to the preparation of this post. 

[1] 87 Fed. Reg. 42053 (Jul. 8, 2022), https://bit.ly/3b4N4rp.

[2] Id.

[3] HHS, Remarks by Secretary Xavier Becerra at the Press Conference in Response to President Biden’s Directive following Overturning of Roe v. Wade (June 28, 2022), https://bit.ly/3zzGYsf.

[4] HHS, Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe (June 29, 2022), https://bit.ly/3PE2rWK.

[5] 45 CFR 164.512(a)(1).

[6] 45 CFR 164.512(f)(1).

[7] 45 CFR 164.512(j).

[8] Id.

[9] See Texas S.B. 8; e.g., Fed. R. Civ. Pro. R.37 (outlining available sanctions associated with the failure to make disclosures or to cooperate in discovery in Federal courts), https://bit.ly/3BjX4I2.

[10] EBG Health Law Advisor, The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe (June 17, 2022), https://bit.ly/3oPDegl.

[11] A 2019 Kaiser Family Foundation survey concluded that almost one third of female respondents used a smartphone app to monitor their menstrual cycles and other reproductive health data. Kaiser Family Foundation, Health Apps and Information Survey (Sept. 2019), https://bit.ly/3PC9Gyt.

[12] HHS, Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet (last visited Jul. 26, 2022), https://bit.ly/3S2MNWs.

[13] Id.

[14] Cal. Civ. Code § 56.10, Effective Jan. 1, 2022, https://bit.ly/3J5iDxM.

[15] 2022 Conn. Legis. Serv. P.A. 22-19 § 2 (S.B. 5414), Effective July 1, 2022, https://bit.ly/3zwn95c.

[16] FTC, Location, Health, and Other Sensitive Information: FTC Committed To Fully Enforcing the Law Against Illegal Use and Sharing of Highly Sensitive Data (July 11, 2022), https://bit.ly/3BjrzNV.

©2022 Epstein Becker & Green, P.C. All rights reserved.

Do You Have a College Student? Important Healthcare, Financial, and Educational Documents That They (and You) Need

August is upon us and you may soon be sending children off to college. If your child is age 18 or older, you and your child will need to take some simple steps so that, in the event of an emergency, you will be able to make health care and financial decisions for your child and have access to your child’s medical information and financial accounts. The same is true if you are to have access to your child’s educational records.

Medical Information. Once your child reaches age 18, your child is deemed to be an adult by law and you no longer have a legal right to make health care decisions on behalf of your child or to access your child’s health care information. As a result, if you have an adult child, your child must execute certain legal documents naming you as his or her health care agent and permitting you to access his or her medical information:

  1. Your child must execute a “Health Care Proxy” naming you as his or her agent for health care decisions. In this document, your child authorizes you to make health care decisions on your child’s behalf if he or she becomes unable to make or communicate such decisions him or herself. The child may also share his or her own wishes regarding medical treatment.
  2. Your child must also sign a “HIPAA Authorization Form.” The Health Insurance Portability & Accountability Act of 1996 (generally known as “HIPAA”) protects the privacy of an individual’s medical information, and health care providers may require written consent from a patient to share information with family members, including parents of an adult child. Your child’s college or university may also have policies in place preventing it from sharing medical information without the student’s consent. This form will serve as written permission authorizing those providing health care services to your child to share medical information with you as your child’s health care agent.
  3. In addition, you should be in contact with the health services department of your child’s college or university. The institution may provide its own form for authorizing the release of medical information that can be kept on record with the institution’s health services department.

Financial Accounts. If you are to have the ability to act on behalf of your adult child with respect to financial matters, your child also needs to execute a “Durable Power of Attorney” naming you as your child’s agent with respect to the child’s assets and finances. If your child is attending college away from home, is studying abroad, or undergoes a medical emergency, it may be useful for you to access your child’s accounts on his or her behalf. This allows you to pay bills for a child out of their accounts, make deposits and open or close accounts. In addition, a durable power of attorney allows you to handle other financial tasks for the child, like filing tax returns or renewing a lease.

Educational Records. Finally, the Family Educational Rights and Privacy Act (FERPA) protects the educational records of a child who has turned 18 or is enrolled at a postsecondary institution from access by his or her parents. If the child’s parents claim the child as a dependent on their tax returns, the parents may still access the child’s education records without the child’s consent. However, institutions may be reluctant to allow access to education records for any child over the age of 18 without a “FERPA Waiver” signed by the child, regardless of their status as a dependent. If you would like to have access to your child’s educational records, you should contact the institution to request a FERPA Waiver form.

2022 Goulston & Storrs PC.

HIPAA Enforcement Continues Under Right of Access Initiative

On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.

The Right of Access Initiative was launched by OCR in 2019 “to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule” as explained by OCR. In the March 28 announcement, OCR indicated its continuing commitment to enforce compliance with the HIPAA Rules, including the “foundational” Right of Access provision. With the two most recent cases, there have now been 27 investigations and settlements under the Right of Access Initiative (see full chart below).

Nearly all of the investigations in the Right of Access Initiative involve a single individual who was unable to obtain a copy of some or all of their protected health information from a health care provider, or to do so within the timeframe required or in accordance with the fees permitted by the HIPAA Privacy Rule. In some cases, additional issues found during the investigation, such as failure to have conducted a HIPAA risk assessment or lack of HIPAA policies, are part of the settlement. In all cases, in addition to the monetary penalty, the settlement has included a Corrective Action Plan imposing various obligations, such as policy development, training, and mandatory reporting to OCR.

The Right of Access Initiative remains one of the most active areas of HIPAA enforcement. In its most recent Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance, OCR noted that right of access was the third most common issue in complaints resolved. Moreover, the Right of Access Initiative coordinates with the ONC 2020-2025 Federal HIT Strategic Plan and its goal of “Providing patients and caregivers with more robust health information.” It is a core tenet of the Federal HIT Strategic Plan that access to health information will “better support person-centered care and patient empowerment.”

©2022 Epstein Becker & Green, P.C. All rights reserved.

CARES Act Brings Changes to Federal Substance Use Disorder Privacy Law

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act), enacted March 27, 2020, rewrote significant portions of 42 U.S.C. § 290dd-2, the federal statute governing the confidentiality of substance use disorder (SUD) records that is more commonly known by its implementing regulations at 42 C.F.R. Part 2 (Part 2). Among other changes, the CARES Act revises the permissible uses and disclosures of SUD records to more closely align with the HIPAA Privacy Rule, 45 C.F.R. § 164.500, et seq., when a Part 2 program obtains the patient’s prior written consent.

Historically, Part 2 programs have been restricted in their ability to share SUD records by the Part 2 regulations, which require written patient consent for each disclosure of SUD records and prohibit re-disclosure of such SUD records except in limited circumstances. The CARES Act directs the Secretary of the U.S. Department of Health and Human Services (HHS), in consultation with appropriate federal agencies (which may include the Substance Abuse and Mental Health Services Administration (SAMHSA)) to revise the Part 2 regulations as necessary to implement and enforce the statutory revisions contained in the CARES Act effective March 27, 2021. The forthcoming revisions to the Part 2 regulations may be substantial given these CARES Act changes to the federal statute.

Another significant change to the federal SUD confidentiality statute addresses the ability of health care providers to use SUD records for treatment, payment, and health care operations purposes (except for certain provider fundraising activities) in a manner more consistent with the allowances provided for protected health information under HIPAA. Specifically, the CARES Act authorizes a Covered Entity or Business Associate (as those terms are defined in the HIPAA Privacy Rule) or Part 2 Program (as defined by the Part 2 regulations) to use, disclose, or re-disclose SUD records with the patient’s written consent for treatment, payment, and health care operations as permitted by the HIPAA regulations, 45 C.F.R. Parts 160, 162, and 164, and Sections 13405(a) and (c) of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. § 17935(c)) (HITECH Act). Under the revised statute, a patient can provide written consent once, and that consent will then authorize all such future uses or disclosures for purposes of treatment, payment, and health care operations until such time as the patient revokes the consent in writing.

Additionally, the CARES Act incorporates the following privacy protections for SUD records:

  • Except as otherwise authorized by court order or by written patient consent, SUD records or testimony relaying information from the SUD records may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any federal, state, or local authority.
  • Penalties applicable to HIPAA violations (42 U.S.C. §§ 1320d-5 and 6) shall apply to a violation of 42 U.S.C. § 290dd-2.
  • The breach notification provisions of Section 13402 of the HITECH Act shall apply to SUD records.
  • By March 27, 2021, HHS will update the HIPAA Privacy Rule to require that Part 2 programs provide notice of privacy practices, written in plain language, describing the patient’s rights with respect to the Part 2 records and how the patient may exercise those rights, and describing each purpose for which the Part 2 program is permitted or required to use or disclose the SUD records without the patient’s written authorization.
  • Part 2 providers can disclose information, regardless of whether the patient gives written consent, to a public health authority (as defined by HIPAA), if the content is de-identified in accordance with the HIPAA de-identification standards set forth at 45 C.F.R. § 164.514(b).
  • Patients shall have the right to request a restriction on the use or disclosure of SUD records for treatment, payment, or health care operations.
  • Patients shall have the right to request an accounting of disclosures of SUD records consistent with the HITECH Act and HIPAA.
  • Entities shall be prohibited from discriminating against an individual on the basis of information received, whether intentionally or inadvertently, from SUD records in: (a) admission, access to, or treatment for health care; (b) hiring, firing, or terms of employment, or receipt of workers’ compensation; (c) the sale, rental, or continued rental of housing; (d) access to federal, state, or local courts; or (e) access to, approval of, or maintenance of social services and benefits provided or funded by federal, state, or local governments.
  • Recipients of federal funds shall be prohibited from discriminating against an individual on the basis of information received, whether intentionally or inadvertently, from SUD records, when offering access to services provided with such funds.

The CARES Act provides that the above-summarized amendments to the federal SUD statute will apply to uses and disclosures of information on or after March 27, 2021. While these changes implement long-awaited alignment efforts to enable data sharing across providers in a manner consistent with the allowances permitted under HIPAA, the real impact of these changes will come from the forthcoming implementing regulations from HHS, which are also due to be issued by March 27, 2021.

©2020 Greenberg Traurig, LLP. All rights reserved.

What Employers Need to Know About HIPAA

As the COVID-19 pandemic continues to affect everyday business operations across the country, employers are confronting a variety of issues on how to handle these disruptions. The intent of this Legal Update is to educate employers about the circumstances under which they are permitted to disclose information related to an employee’s or patient’s positive test for COVID-19 under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Americans with Disabilities Act (“ADA”).

It may be difficult in some circumstances to discern whether health information was received by an employer through its ordinary status as an employer or through its status as a self-insured health plan. Employers should take care in making this determination based on the facts and circumstances of each situation and seek legal counsel as needed.

Covered Entities under HIPAA

  • HIPAA defines “Covered Entities” to generally include health care providers, health plans, and health care clearinghouses.

  • Covered Entities may not disclose protected health information (“PHI”) unless permitted by HIPAA. An individual’s health status related to testing positive for COVID-19 is considered PHI.

  • One permitted disclosure under HIPAA is that Covered Entities may disclose PHI to public health authorities to the extent relevant to the authority and purview of public health authorities. This includes disclosing positive test results for COVID-19 to state and local health departments, HHS, or the CDC as appropriate.

  • Covered Entities may not disclose PHI to the media.

  • Unless an employer is otherwise a Covered Entity as described above, it is not subject to HIPAA’s restrictions on disclosures of PHI.

Confidentiality under the ADA

  • The ADA requires employers that obtain medical information through inquiry or examination to maintain it in a confidential medical file and keep it separate from the employee’s personnel file.

  • Employers have been encouraged by the CDC and EEOC to question their employees regarding travel, exposure, or symptoms related to COVID-19. Any medical information disclosed as part of this dialogue should be treated as confidential.

  • If a positive case is identified in the workplace, the employer is encouraged to investigate the exposure of others in the workplace without disclosing the name of the individual or any personally identifiable information about the person.

  • The confidentiality requirements under the ADA do not prohibit disclosure to state, local, or federal health departments.

Employers with a Self-Insured Health Plan

  • Notwithstanding the discussion above regarding employers, a self-insured employee health plan maintained by an employer is a Covered Entity under HIPAA (i.e., the plan itself, not the employer, although we acknowledge this distinction is difficult to make for most employers). As a result:

    • If the employer obtained the information through its status as a plan (i.e., as the payer for the employee’s health care services), then such information is PHI and subject to HIPAA (see first bullet above for Covered Entities).

    • If the employer receives the information in the ordinary course (e.g., voluntary disclosure by the affected employee), then the second bullet above regarding employer permitted disclosures is applicable.

©2020 von Briesen & Roper, s.c.

U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus

The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.

The OCR guidance focused on sharing patient information in several areas, including: treatment, public health activities, disclosures to family, friends, and others involved in an individual’s care, and disclosures to prevent a serious and imminent threat.

The HIPAA Privacy Rule allows a covered entity to disclose PHI to the Centers for Disease Control and Prevention (CDC) or to state or local health departments that are authorized to collect or receive such information, for the purpose of preventing disease and protecting public health. This would include disclosure to the CDC, and/or state or local health departments, of PHI as needed to report prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus.

The OCR message in the guidance document is clear, and it emphasized the balance between protecting the privacy of patient PHI and the appropriate uses and disclosures of such information to protect the public health. For more information and resources, see the HHS interactive decision tool, which assists covered entities in determining how the Privacy Rule applies to disclosures of PHI in emergency situations.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.


D.C. District Court Limits the HIPAA Privacy Rule Requirement for Covered Entities to Provide Access to Records

On January 23, 2020, the D.C. District Court narrowed an individual’s right to request that HIPAA covered entities furnish the individual’s own protected health information (“PHI”) to a third party at the individual’s request, and removed the cap on the fee covered entities may charge to transmit that PHI to a third party.

Specifically, the Court held that individuals may direct PHI to such third parties only in an electronic format, and that HIPAA covered entities and their business associates are not subject to the reasonable, cost-based fee limitation for PHI directed to third parties.

The HIPAA Privacy Rule grants individuals the right to access their PHI in a designated record set, and it specifies the data formats and permissible fees that HIPAA covered entities (and their business associates) may charge for such production. See 45 C.F.R. § 164.524. When individuals request copies of their own PHI, the Privacy Rule permits a HIPAA covered entity (or its business associate) to charge a reasonable, cost-based fee that excludes, for example, search and retrieval costs. See 45 C.F.R. § 164.524(c)(4). But when an individual requests that his or her own PHI be sent to a third party, both the required format of that data (electronic or otherwise) and the fees that a covered entity may charge for that service have been the subject of additional OCR guidance over the years—guidance that the D.C. District Court has now, in part, vacated.

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) set a statutory cap on the fee that a covered entity may charge an individual for delivering records in an electronic form. 42 U.S.C. § 17935(e)(3). Then, in the 2013 Omnibus Rule, developed pursuant to Administrative Procedure Act rulemaking, the Department of Health and Human Services, Office for Civil Rights (“HHS OCR”) implemented the HITECH Act statutory fee cap in two ways. First, OCR determined that the fee cap applied regardless of the format of the PHI—electronic or otherwise. Second, OCR stated that the fee cap also applied if the individual requested that a third party receive the PHI. 78 Fed. Reg. 5566, 5631 (Jan. 25, 2013). Finally, in its 2016 Guidance document on individual access rights, OCR provided additional information regarding these provisions of the HIPAA Privacy Rule. OCR’s FAQ on this topic is available here.

The D.C. District Court struck down OCR’s 2013 and 2016 implementation of the HITECH Act, in part. Specifically, the Court held that OCR’s 2013 HIPAA Omnibus Final Rule compelling delivery of protected health information (PHI) to third parties regardless of the records’ format is arbitrary and capricious insofar as it goes beyond the statutory requirements set by Congress. That statute requires only that covered entities, upon an individual’s request, transmit PHI to a third party in electronic form. Additionally, the Court held that OCR’s broadening of the fee limitation under 45 C.F.R. § 164.524(c)(4) in the 2016 Guidance document titled “Individuals’ Right under HIPAA to Access their Health Information 45 C.F.R. Sec. 164.524” violates the APA, because HHS did not follow the requisite notice and comment procedure. Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020).

All other requirements for patient access remain the same, including required time frames for the provision of access to individuals, and to third parties designated by such individuals. It remains to be seen, however, how HHS will move forward after these developments from a litigation perspective and how this decision will affect other HHS priorities, such as interoperability and information blocking.

© Polsinelli PC, Polsinelli LLP in California
