HIPAA Gets a Potential Counterpart in HISAA

Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” That was never more evident than earlier this year, when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of the United Health Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.

In further response, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. Like HIPAA and HITECH before it, which established minimum levels of protection for healthcare information, HISAA looks to reshape how healthcare organizations address cybersecurity by enacting mandatory minimum security standards to protect healthcare information and by providing initial financial support to facilitate compliance. A copy of the legislative text can be found here, and a one-page summary of the bill can be found here.

To date, HIPAA and HITECH require covered entities and business associates to develop, implement, and maintain reasonable and appropriate “administrative, technical, physical” safeguards to protect electronic Protected Health Information, or e-PHI. However, the safeguards do not specify minimum requirements; instead, they prescribe standards intended to be scalable, depending on the specific needs, resources, and capabilities of the respective organization. What this means is that e-PHI stored on or exchanged among interconnected networks is subject to systems with often different levels of sophistication or protection.

Given the considerable time, effort, and resources dedicated to HIPAA/HITECH compliance, many consider the current state of voluntary safeguards to be inadequate. This is especially the case since regulations under the HIPAA Security Rule have not been updated since 2013. As a result, Senators Wyden and Warner introduced HISAA in an effort to bring the patchwork of healthcare data security standards under one minimum umbrella and to require healthcare organizations to remain on top of software systems and cybersecurity standards.

Key pieces of HISAA, as proposed, include:

  1. Mandatory Cybersecurity Standards—If enacted, the Secretary of HHS, together with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), will oversee the development and implementation of required standards and the standards will be subject to review and update every two years to counter evolving threats.
  2. Annual Audits and Stress Tests—Like current Security Risk Assessment (SRA) requirements, HISAA will require healthcare organizations to conduct annual cybersecurity audits and document the results. Unlike current requirements, these audits will need to be conducted by independent organizations to assess compliance, evaluate restoration abilities, and conduct stress tests in real-world simulations. While smaller organizations may be eligible for waivers from certain requirements because of undue burden, all healthcare organizations will have to publicly disclose compliance status as determined by these audits.
  3. Increased Accountability and Penalties—HISAA would implement significant penalties for non-compliance and would require healthcare executives to certify compliance on an annual basis. False information in such certifications could result in criminal charges, including fines of up to $1 million and prison time for up to 10 years. HISAA would also eliminate fine caps to allow HHS to impose penalties commensurate with the level needed to deter lax behaviors, especially among larger healthcare organizations.
  4. Financial Support for Enhancements—Because the costs for new standards could be substantial, especially for smaller organizations, HISAA would allocate $1.3 billion to support hospitals for infrastructure enhancements. Of this $1.3 billion, $800 million would be for rural and safety net hospitals over the first two years, and an additional $500 million would be available for all hospitals in succeeding years.
  5. Medicare Payment Adjustments—Finally, HISAA enables the Secretary of HHS to provide accelerated Medicare payments to organizations impacted by cybersecurity events. HHS offered similar accelerated payments during the Change Healthcare event, and HISAA would codify similar authority to HHS for recovery periods related to future cyberattacks.

While HISAA will establish a baseline of cybersecurity requirements, compliance with those requirements will require a significant investment of time and resources in devices and operating systems/software, training, and personnel. Even with the proposed funding, this could result in substantial challenges for smaller and rural facilities to comply. Moreover, healthcare providers will need to prioritize items such as encryption, multi-factor authentication, real-time monitoring, comprehensive response and remediation plans, and robust training and exercises to support compliance efforts.

Finally, at this juncture, the more important issue is for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices and to stay updated on any potential changes to these requirements. Since HISAA was introduced in the latter days of a hectic (and historic) election season, we will monitor its progress as the current Congress winds down in 2024 and the new Congress readies for action with a new administration in 2025.

The Evolution of AI in Healthcare: Current Trends and Legal Considerations

Artificial intelligence (AI) is transforming the healthcare landscape, offering innovative solutions to age-old challenges. From diagnostics to enhanced patient care, AI’s influence is pervasive, and seems destined to reshape how healthcare is delivered and managed. However, the rapid integration of AI technologies brings with it a complex web of legal and regulatory considerations that physicians must navigate.

It appears inevitable AI will ultimately render current modalities, perhaps even today’s “gold standard” clinical strategies, obsolete. Currently accepted treatment methodologies will change, hopefully for the benefit of patients. In lockstep, insurance companies and payors are poised to utilize AI to advance their interests. Indeed, the “cat-and-mouse” battle between physician and overseer will not only remain but will intensify as these technologies intrude further into physician-patient encounters.

  1. Current Trends in AI Applications in Healthcare

As AI continues to evolve, the healthcare sector is witnessing a surge in private equity investments and start-ups entering the AI space. These ventures are driving innovation across a wide range of applications, from tools that listen in on patient encounters to ensure optimal outcomes and suggest clinical plans, to sophisticated systems that gather and analyze massive datasets contained in electronic medical records. By identifying trends and detecting imperceptible signs of disease through the analysis of audio and visual depictions of patients, these AI-driven solutions are poised to revolutionize clinical care. The involvement of private equity and start-ups is accelerating the development and deployment of these technologies, pushing the boundaries of what AI can achieve in healthcare while also raising new questions about the integration of these powerful tools into existing medical practices.

Diagnostics and Predictive Analytics:

AI-powered diagnostic tools are becoming sophisticated, capable of analyzing medical images, genetic data, and electronic health records (EHRs) to identify patterns that may elude human practitioners. Machine learning algorithms, for instance, can detect early signs of cancer, heart disease, and neurological disorders with remarkable accuracy. Predictive analytics, another AI-driven trend, is helping clinicians forecast patient outcomes, enabling more personalized treatment plans.

Telemedicine and Remote Patient Monitoring:

The COVID-19 pandemic accelerated the adoption of telemedicine, and AI is playing a crucial role in enhancing these services. AI-driven chatbots and virtual assistants are set to engage with patients by answering queries and triaging symptoms. Additionally, AI is used in remote and real-time patient monitoring systems to track vital signs and alert healthcare providers to potential health issues before they escalate.

Drug Discovery and Development:

AI is revolutionizing drug discovery by speeding up the identification of potential drug candidates and predicting their success in clinical trials. Pharmaceutical companies are pouring billions of dollars into developing AI-driven tools to model complex biological processes and simulate the effects of drugs on these processes, significantly reducing the time and cost associated with bringing new medications to market.

Administrative Automation:

Beyond direct patient care, AI is streamlining administrative tasks in healthcare settings. From automating billing processes to managing EHRs and scheduling appointments, AI is reducing the burden on healthcare staff, allowing them to focus more on patient care. This trend also helps healthcare organizations reduce operational costs and improve efficiency.

AI in Mental Health:

AI applications in mental health are gaining traction, with tools like sentiment analysis, an application of natural language processing, being used to assess a patient’s mental state. These tools can analyze text or speech to detect signs of depression, anxiety, or other mental health conditions, facilitating earlier interventions.

  2. Legal and Regulatory Considerations

As AI technologies become more deeply embedded in healthcare, they intersect with legal and regulatory frameworks designed to protect patient safety, privacy, and rights.

Data Privacy and Security:

AI systems rely heavily on vast amounts of data, often sourced from patient records. The use of this data must comply with privacy regulations established by the Health Insurance Portability and Accountability Act (HIPAA), which mandates stringent safeguards to protect patient information. Physicians and AI developers must ensure that AI systems are designed with robust security measures to prevent data breaches, unauthorized access, and other cyber threats.

Liability and Accountability:

The use of AI in clinical decision-making raises questions about liability. If an AI system provides incorrect information or misdiagnoses a condition, determining who is responsible—the physician, the AI developer, or the institution—can be complex. As AI systems become more autonomous, the traditional notions of liability may need to evolve, potentially leading to new legal precedents and liability insurance models.

These notions raise the questions:

  • Will physicians trust the “judgment” of an AI platform making a diagnosis or interpreting a test result?
  • Will the utilization of AI platforms cause physicians to become too heavily reliant on these technologies, forgoing their own professional human judgment?

Surely, plaintiff malpractice attorneys will find a way to fault the physician whatever they decide.

Insurance Companies and Payors:

Another emerging concern is the likelihood that insurance companies and payors, including Medicare/Medicaid, will develop and mandate the use of their proprietary AI systems to oversee patient care, ensuring it aligns with their rules on proper and efficient care. These AI systems, designed primarily to optimize cost-effectiveness from the insurer’s perspective, could potentially undermine the physician’s autonomy and the quality of patient care. By prioritizing compliance with insurer guidelines over individualized patient needs, these AI tools could lead to suboptimal outcomes for patients. Moreover, insurance companies may make the use of their AI systems a prerequisite for physicians to maintain or obtain enrollment on their provider panels, further limiting physicians’ ability to exercise independent clinical judgment and potentially restricting patient access to care that is truly personalized and appropriate.

Licensure and Misconduct Concerns in New York State:

Physicians utilizing AI in their practice must be particularly mindful of licensure and misconduct issues, especially under the jurisdiction of the Office of Professional Medical Conduct (OPMC) in New York. The OPMC is responsible for monitoring and disciplining physicians, ensuring that they adhere to medical standards. As AI becomes more integrated into clinical practice, physicians could face OPMC scrutiny if AI-related errors lead to patient harm, or if there is a perceived over-reliance on AI at the expense of sound clinical judgment. The potential for AI to contribute to diagnostic or treatment decisions underscores the need for physicians to maintain ultimate responsibility and ensure that AI is used to support, rather than replace, their professional expertise.

Conclusion

AI has the potential to revolutionize healthcare, but its integration must be approached with careful consideration of legal and ethical implications. By navigating these challenges thoughtfully, the healthcare industry can ensure that AI contributes to better patient outcomes, improved efficiency, and equitable access to care. The future of AI in healthcare looks promising, with ongoing advancements in technology and regulatory frameworks adapting to these changes. Healthcare professionals, policymakers, and AI developers must continue to engage in dialogue to shape this future responsibly.

Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act and Oregon’s Consumer Privacy Act, both of which became effective in July 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws goes into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here. All nine laws listed above contain the following familiar requirements:

  1. disclosing data handling practices to consumers;
  2. including certain contractual terms in data processing agreements;
  3. performing risk assessments (with the exception of Iowa); and
  4. affording resident consumers certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing of sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in terms of the scope of its application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000-consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that do not qualify as a small business and that process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes a sale of personal data, limiting it to transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether, while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or by an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GLBA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches. Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

“Arbitrary and Capricious” – A Sign of Things to Come?

On July 3, 2024, the US District Court of Northern Texas issued a Memorandum Opinion and Order in the combined cases of Americans for Beneficiary Choice, et al. v. United States Department of Health and Human Services (Civ. Action No. 4:24-cv-00439) and Council for Medicare Council, et al., v. United States Department of Health and Human Services (Civ. Action No. 4:24-cv-00446).

The Plaintiffs (in this combined case) challenged the Centers for Medicare and Medicaid Services (“CMS”) rule issued earlier this year. The new rule brings reimbursements paid to third-party firms within the definition of compensation, which subjects them to the regulatory cap on compensation; the prior rules did not treat such reimbursements as compensation.

The Memorandum Opinion and Order granted the Plaintiffs’ Motion for a Stay in part and denied it in part. The Motion was granted in relation to the new CMS rules around compensation paid by Medicare Advantage and Part D plans to independent agents and brokers who help beneficiaries select and enroll in private plans.

The Court found that the compensation changes were arbitrary and capricious and that the Plaintiffs were substantially likely to succeed on the merits of the case. The Court found that CMS failed to substantiate key parts of the final rule. During the rulemaking process, industry commenters asked for clarification around parts of the rule, but CMS claimed “the sources Plaintiffs criticized were not significant enough to warrant defending them.” The Court found “because CMS failed to address important problems to their central evidence…that members of the public raised during the comment period, those aspects of the Final Rule are most likely arbitrary and capricious.”

One of the Plaintiffs, Americans for Beneficiary Choice, also challenged the consent requirement of the final rule. The final rule states that personal beneficiary data collected by a third party marketing organization (“TPMO”) can only be shared with another TPMO if the beneficiary gives prior express written consent. The Plaintiff argued that the consent requirement is “in tension with HIPAA’s broader purpose of facilitating data sharing” and CMS stated that HIPAA might facilitate data sharing, but that does not limit CMS’s ability to limit certain harmful data-sharing practices. The Court denied the Motion to Stay regarding the consent requirement, but interestingly stated that Plaintiff’s “claim regarding the Consent Requirement may ultimately have merit, [Plaintiff]’s current briefing does not demonstrate a substantial likelihood of success at this stage”.

What does this mean now that we are less than 90 days from the start of the 2025 Medicare Advantage/Part D contract year?

  1. The consent requirement is still moving forward – While the memorandum order hints at the possibility of it being rejected, as of right now, TPMOs must get prior express written consent before sharing personal beneficiary data with another TPMO.
  2. The fixed-fee and contract-terms restrictions in the final rule have had their effective dates stayed until this suit is resolved. Therefore, the compensation scheme that was in place last year remains essentially the same for those two sections.

How does this affect the FCC’s 1:1 Ruling?

It doesn’t. While this case does show that courts are willing to look critically at agencies’ rulemaking processes, the FCC’s 1:1 consent requirement is different from the compensation changes set forth by CMS.

The FCC arguably just clarified the existing rule around prior express written consent by requiring the consent to “authorize no more than one identified seller”.

CMS, on the other hand, attempted to make wholesale changes and “began to set fixed rates for a wide range of administrative payments that were previously uncapped and unregulated as compensation.”

There is still the IMC case against the FCC, so there is the possibility (albeit small) that relief could come in that case. However, the advice here is to continue planning for obtaining consent to share personal beneficiary data AND single-seller consent.

HHS Publishes Final Rule to Support Reproductive Health Care Privacy

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

The Final Rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires covered entities and business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires covered entities to modify their Notices of Privacy Practices (NPPs) to support reproductive health care privacy.

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home,” OCR Director Melanie Fontes Rainer said in a news release. OCR administers the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses (“covered entities”) and business associates to safeguard the privacy of PHI.

Commenters to an earlier notice of proposed rulemaking (“2023 NPRM”) raised concerns that PHI related to reproductive health care would be used and disclosed to expose both patients and providers to investigation and liability under state abortion laws, particularly new and revived laws. This Final Rule is intended to prohibit the disclosure of PHI related to lawful reproductive health care—a change from the current Privacy Rule where an entity is generally permitted, but not required, to disclose relevant and material information in a legitimate law enforcement inquiry.

Key Takeaways

New Category of Protected Health Information. The Final Rule changes the HIPAA Privacy Rule by defining a new category of protected health information and adds a new “prohibited use and disclosure” under the HIPAA Privacy Rule at 45 CFR 164.502—mandating that a covered entity or business associate may not use or disclose PHI:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care”;
  • To impose criminal, civil, or administrative liability on any “person” for the mere act of seeking, obtaining, providing or facilitating “reproductive health care”; and
  • To identify any “person” for any of those above described purposes.

Prohibition. Under the Final Rule, HIPAA-covered entities and business associates who receive requests for protected health information must make a reasonable determination that one or more of the following conditions exists:

  • The reproductive health care is lawful in the state in which such health care is provided under the circumstances in which it is provided (e.g., if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided).
  • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., reproductive health care such as contraception is protected by the Constitution).

Presumption. Such care is presumed lawful unless the HIPAA-covered entity or business associate has

  • actual knowledge that the reproductive care was not lawful under the circumstances it was provided; or
  • factual information supplied by the requester demonstrating a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

Attestation Requirement. The Final Rule adds 45 CFR § 164.509(c) to require a covered entity or business associate, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation from the requester. However, obtaining the attestation does not relieve a covered entity or business associate from its responsibility to determine whether the reproductive health care that may be the subject of the requested information was lawful. An attestation must contain the following elements:

  • A description of the information requested that identifies the information in a specific fashion, including one of the following:
    • The name(s) of any individual(s) whose protected health information is sought, if practicable;
    • If that name is not practicable, the name(s) or other specific identification of the person(s) or class of person(s) who are requested to make the use or disclosure;
  • The name or other specific identification of the person(s) or class of persons to whom the covered entity is to make the requested use or disclosure;
  • A clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR § 164.502(a)(5)(iii) (i.e., identifying any person under the newly added prohibition);
  • A statement that a person may be subject to criminal penalties if they use or disclose the reproductive health information improperly;
  • Must be in plain language and contain the elements set forth in 45 CFR § 164.509(c) (inclusion of other elements not set forth in 45 CFR § 164.509(c) is prohibited); and
  • Must be signed by the person requesting the disclosure (which may take an electronic format).

The Final Rule prohibits the attestation from being “combined with” any other document, though it allows additional supporting information or documentation needed for the request (for example, a clearly labelled subpoena) to be submitted with the attestation. While covered entities can develop their own attestation form, to reduce the compliance burden, HHS plans to publish a model attestation form prior to the compliance date.

Notices of Privacy Practices. With the new processes for using and disclosing reproductive health information, covered entities must update their Notices of Privacy Practices (NPPs) required under 45 CFR § 164.520. For purposes of this Final Rule, updates to the NPPs must describe, among other things, the types of uses and disclosures of PHI that are prohibited under 45 CFR 164.502(a)(5)(iii). The notice should also contain a description of the uses and disclosures for which an attestation is required under the new 45 CFR § 164.509. Further, the Office of Management and Budget’s (OMB’s) Office of Information and Regulatory Affairs determined that this Final Rule meets the criteria in 5 USC § 804(2) for being a major rule because it is projected to have an annualized impact of more than $100,000,000 based on the number of covered entities and business associates that will have to implement these changes.

Practical Implications for HIPAA Covered Entities & Business Associates

Considering the significant changes this Final Rule introduces, there is no time like the present for covered entities and business associates to consider the compliance implications that a new category of PHI will have on existing HIPAA policies and procedures. In addition to developing and/or obtaining new attestation forms, making reasonable determinations of the lawfulness of reproductive health care, and updating notices of privacy practices, privacy and security officers will likely need to evaluate the impact these changes will have on the policies that govern data dissemination, as well as on the processes and procedures that may change as a result. Covered entities and business associates will also likely want to incorporate these changes into training for employees involved in these activities.

The Final Rule goes into effect on June 25, 2024, with a compliance date of December 23, 2024. The NPP requirements, however, take effect on February 16, 2026—consistent with OCR’s 42 CFR Part 2 Rule of February 16, 2024, so that covered entities regulated under both rules can implement changes to their NPPs at the same time.

HIPAA covered entities and business associates should consider the context and framework of the HIPAA Privacy Rule and these new modifications as they evaluate third-party requests for any PHI that may include reproductive health information (the current HIPAA Privacy Rule remains in effect until the new rule takes effect). If the new reproductive health prohibition is not applicable, HIPAA covered entities should still consider the fact that HIPAA otherwise permits, but does not require, them to disclose PHI under most of the HIPAA exceptions contained in 45 CFR § 164.512. Therefore, HIPAA affords covered entities the ability to protect the privacy interests of their patients, especially in the current post-Dobbs environment.

Covered entities and business associates now face the challenge of implementing these new requirements and training their workforce members on how to analyze and respond to requests that include reproductive health care information. Questions remain surrounding a covered entity or business associate’s burden of determining that the reproductive health care provided to an individual was in fact lawful. For example, if a complaint follows, does a covered entity have to account for the disclosures that are made? While the Final Rule is gender-neutral, what is the likelihood that it would be applied to men—could it? In any case, we will continue to monitor developments, including questions of how HIPAA and other privacy concerns interact with reproductive health care, in the wake of Dobbs. For more on the subject, please see our past blog on the 2023 proposed rule.

Ann W. Parks contributed to this article.

Sharing Scientific Information with HCPs on Unapproved Uses of Medical Products: Dos and Don’ts Under FDA’s New Draft Guidance

In October 2023, the FDA released draft guidance entitled “Communications From Firms to Health Care Providers Regarding Scientific Information on Unapproved Uses of Approved/Cleared Medical Products: Questions and Answers Guidance for Industry” (“2023 Draft Guidance”).[1] The 2023 Draft Guidance supersedes previous draft guidance from 2014 entitled “Distributing Scientific and Medical Publications on Unapproved New Uses–Recommended Practices” (“2014 Draft Guidance”), which was a revision of a 2009 final guidance entitled “Good Reprint Practices for the Distribution of Medical Journal Articles and Medical or Scientific Reference Publications on Unapproved New Uses of Approved Drugs and Approved or Cleared Medical Devices.”

All three of these FDA guidance documents provide recommendations for industry regarding the sharing of scientific information with Health Care Providers (“HCPs”)[2] on unapproved uses of approved or cleared drugs and medical devices, termed “SIUU communications” by the 2023 Draft Guidance. HCPs are permitted to prescribe medical products for unapproved uses when the unapproved use is determined to be medically appropriate for a given patient. However, manufacturers may not promote their products for an unapproved use. For this reason, FDA’s position (which is articulated to some extent across all of the above-mentioned guidance documents, but most clearly and emphatically in the 2023 Draft Guidance) is that firm[3] communications to HCPs regarding unapproved uses of approved or cleared products should include all of the information necessary for HCPs to evaluate the strengths, weaknesses, validity, and utility of the information about the unapproved use in order to make determinations regarding medical appropriateness.

In the 2023 Draft Guidance, FDA seeks to balance the interests of HCPs in learning, and manufacturers in sharing, truthful and non-misleading information about unapproved uses of approved medical products, with the intent to inform clinical practice decisions against the government’s interest in protecting patients from medical product uses that have not met applicable safety and effectiveness standards required under FDA’s premarket approval framework.

While the 2023 Draft Guidance reiterates many of the recommendations from the 2014 Draft Guidance, the 2023 Draft Guidance leverages a new “Q&A” format to provide firms with more detailed and specific recommendations, including hypothetical scenarios, around SIUU communications. Below, we restate the four Q&A questions included in the 2023 Draft Guidance and then highlight key aspects of the responses provided by FDA through brief commentary and recommended Dos and Don’ts.

Q1. What should firms consider when determining whether a source publication is appropriate to serve as the basis for an SIUU communication?

According to the 2023 Draft Guidance, any study or analysis described in a source publication that serves as the basis for an SIUU communication should be scientifically sound,[4] and should provide information that is relevant to HCPs engaged in making clinical practice decisions for the care of an individual patient; in other words, these sources should be clinically relevant.[5] While the 2014 Draft Guidance suggested that scientific or medical journal article reprints intended for distribution to HCPs should describe studies that are considered “scientifically sound” by appropriate experts, the 2023 Draft Guidance builds out this standard and provides greater insight into what types of source material would meet (and not meet) the standard.

Do:

  • Choose scientifically sound studies that provide clinically relevant information to support your SIUU communications
    • For human and animal drugs, randomized, double-blind, concurrently controlled superiority trials are most likely to provide both scientifically sound and clinically relevant information (though other well-designed and well-conducted studies may also be appropriate)
    • For medical devices,[6] look to well-controlled investigations, partially controlled studies, studies and objective trials without matched controls, well-documented case histories conducted by qualified experts, and reports of significant human experience with a marketed device as sources of scientifically sound and clinically relevant information
  • Consider studies with real-world data and associated real-world evidence, which may meet the scientifically sound and clinically relevant threshold depending on the nature of the data and underlying analyses

Don’t:

  • Rely on studies without an adequate control group, isolated case reports, or studies that lack sufficient detail to permit scientific evaluation as the sole basis for an SIUU communication
  • Rely on studies with “unreliable” data, even if you include disclaimers noting the limitations (e.g., studies that fail to control for confounding factors or fail to clearly define study endpoints)
  • Rely on articles focused on non-clinical studies as the sole basis for an SIUU communication
  • Rely on scientific data generated in early stages of medical product development as the sole basis for an SIUU communication, as such data can produce results that are inconsistent with later studies
  • Distort studies in SIUU communications or base SIUU communications on publications that distort studies or include fraudulent data
  • Continue to share an SIUU communication that is based on a study or analysis that is no longer clinically relevant (e.g., subsequent research has established that the findings from the study are not reliable)

Q2. What information should firms include as part of SIUU communications?

Like the 2014 Draft Guidance, the 2023 Draft Guidance emphasizes the importance of providing certain disclosures with SIUU communications to ensure such communications are not misleading and provide all the information necessary for HCPs to interpret the strengths and weaknesses and validity and utility of the information. The recommended disclosures in the 2023 Draft Guidance are similar to those recommended in the 2014 Draft Guidance, but are more detailed and extensive.

Do:

  • Provide a disclosure statement with any SIUU communication, which should include:
    • A statement that the use described in the communication is unapproved and the safety and effectiveness of the medical product for the unapproved use(s) has not been established
    • Disclosure of the FDA approved use of the medical product, including any limitations and contraindication(s) specified by the product’s FDA-required labeling[7]
    • Disclosure of any limitations, restrictions, cautions, warnings, or contraindications described in the FDA-required labeling about the unapproved use(s)
    • Disclosure of any serious, life-threatening, or fatal risks posed by the medical product that are relevant to the unapproved use(s) (that are either in the FDA-required labeling or known by the firm and relevant to the unapproved use)
    • Disclosure of any financial relationships between the firm and any authors, editors, or other contributors to the publications in the SIUU communication
    • A copy of the most current FDA-required labeling (or a mechanism for obtaining the labeling)
    • The publication date of any referenced or included publication(s) (if not specified in the publication or citation)
  • For an SIUU communication based on a source publication that is primarily focused on a particular scientific study or studies, for each such study where the following information is not included in the publication, provide a description of:
    • All material aspects of study design, methodology, and results
    • All material limitations related to the study design, methodology, and results
    • Any conclusions from other relevant studies, when applicable, that are contrary to or cast doubt on the results shared, including citations for any such studies

Don’t:

  • Omit any risk evaluation and mitigation strategy (REMS) applicable to the medical product (firms should disclose any REMS and should describe the goal(s) of the REMS)

Q3. What presentational considerations should firms take into account for SIUU communications?

The 2023 Draft Guidance offers a number of presentation-focused recommendations to ensure that SIUU communications are conveyed in a manner that enhances and does not interfere with HCP understanding of the underlying scientific information, and to avoid such SIUU communications being confused with promotional communications about approved uses.

Do:

  • Clearly and prominently present all recommended disclosures, considering type size, font style, layout, contrast, graphic design, headlines, spacing, volume, articulation, pace, and any other techniques to achieve emphasis or notice
  • For SIUU communications with both audio and visual components, present disclosures in both the audio and in text at the same time using the same/substantially similar language
  • Keep SIUU communications (including those relayed via email) separate and distinct from promotional communications about approved uses of medical products
  • Use dedicated vehicles, channels, and venues for sharing SIUU communications that are separate from the vehicles, channels, and venues used for promotional communications about approved uses of medical products. For example –
    • Present SIUU communications on a separate web page from the web page that hosts promotional communications about approved uses
    • At conferences and similar venues, ensure that SIUU communications are clearly identified and distinct from promotional communications about approved uses (e.g., by dividing booth space to allow a dedicated space for SIUU communications)
  • Use plain language in the content developed for SIUU communications to facilitate comprehension (i.e., clear and concise language that does not include technical jargon and clearly explains any scientific or technical terms)

Don’t:

  • Use persuasive marketing techniques, such as the use of celebrity endorsements, premium offers, and gifts. According to FDA, a firm’s choice to use persuasive marketing techniques suggests an effort to convince the HCP to prescribe or use the product for the unapproved use based on elements other than the scientific content of the communication
  • Include direct links from web pages that host promotional communications about approved uses to webpages that host SIUU communications
  • Utilize platforms with character limits that do not enable the firm to include the recommended disclosures for sharing SIUU communications (however, such platforms could be used to direct an HCP to an SIUU communication, subject to certain restrictions)

Q4. What additional recommendations apply to specific types of SIUU communications?

The 2023 Draft Guidance offers additional recommendations related to certain specific types of SIUU communications including journal reprints and clinical reference resources (such as clinical practice guidelines and reference texts). Of note, the 2023 Draft Guidance provides recommendations for a category of SIUU communications that is not specifically addressed in the 2014 Draft Guidance – “firm-generated presentations of scientific information from an accompanying published reprint.”

Discussion of such firm-generated presentations in the 2023 Draft Guidance represents a departure from the 2014 Draft Guidance, which stated that reprints (as well as clinical reference resources) regarding unapproved uses (of cleared or approved medical products) should not be “marked, highlighted, summarized, or characterized” by medical product manufacturers to emphasize or promote an unapproved use. The 2023 Draft Guidance provides new flexibility in this regard, expressly acknowledging that firms may develop their own presentations of scientific information from an accompanying reprint provided such presentation is truthful, non-misleading, factual, unbiased, and provides all the information necessary for HCPs to interpret the strengths and weaknesses and validity and utility of the presented information. The 2023 Draft Guidance includes a number of recommendations for firms to follow to prepare and distribute firm-generated presentations of information from an accompanying reprint.

Do:

  • Include the full reprint with the firm-generated presentation
  • Include the disclosures outlined above in Q2, and clearly disclose what portions of the communication are firm-generated
  • Follow the presentational considerations outlined in Q3

Don’t:

  • Imply that the study, analysis, or underlying data or information from the reprint(s) represents larger or more-general experience with the medical product than it actually does
  • Present information, such as excerpts, quotes, etc., from the reprint(s) out of context, without the information necessary for HCPs to interpret the strengths and weaknesses and validity and utility of the information
  • Include representations or suggestions about the safety or effectiveness of the medical product for the unapproved use(s) that are not consistent with the reprint
  • Present any conclusions or representations about safety or effectiveness for the unapproved use without expressly attributing such statements to the reprint, and without immediately following such statements with a disclosure of any financial relationships between the firm and any authors, editors, or other contributors to the publications in the SIUU communication
  • Use statistical analyses or techniques to indicate clinical significance or validity of a finding not supported by the data or information in the reprint
  • Use tables or graphs or other presentational elements to distort or misrepresent the relationships, trends, differences, or changes among the outcomes evaluated in the reprint

Conclusion

While the 2023 Draft Guidance veers from the 2014 Draft Guidance in some respects, many of the same principles have been pulled through into the current guidance. As such, a medical product manufacturer who has already implemented the recommendations from the 2014 Draft Guidance should not face too heavy of a lift to adjust its activities to align with the 2023 Draft Guidance. While the landscape has not shifted drastically overall, firms should still closely review the additional detail and clarifications provided by the 2023 Draft Guidance to mitigate potential risk in navigating the often murky regulatory waters of engaging in off-label and pre-approval communications.

ENDNOTES

[1] Comments on the 2023 Draft Guidance are due by December 26, 2023.

[2] The 2023 Draft Guidance only applies to HCPs engaged in making clinical practice decisions for the care of an individual patient. Per the 2023 Draft Guidance, HCPs include physicians, veterinarians, dentists, physician assistants, nurse practitioners, pharmacists, or registered nurses who are licensed or otherwise authorized by law to prescribe, order, administer, or use medical products in a professional capacity. The 2014 Draft Guidance applied to “health care professionals,” but the term was not specifically defined.

[3] As defined by the 2023 Draft Guidance, firms are the “persons legally responsible for the labeling of medical products, and includes applicants, sponsors, requestors, manufacturers, packers, and distributors of medical products, and licensees of such persons, and any persons communicating on behalf of these entities.”

[4] To be “scientifically sound,” at a minimum, studies should meet generally accepted design and other methodological standards for the particular type of study performed, taking into account established scientific principles and existing scientific knowledge.

[5] Additionally, statistical robustness is generally necessary, though not sufficient, to determine if a study or analysis is appropriate for an SIUU communication. While statistical robustness factors into the rigor of the design and methodology of a study, it does not assure that the study relates to outcomes of clinical relevance to HCPs.

[6] Notably, while the 2014 Draft Guidance stated that journal articles discussing significant non-clinical research could fall within FDA’s enforcement discretion policy under the guidance, the 2023 Draft Guidance clarifies that, generally, sharing articles focused on non-clinical studies alone would not be consistent with FDA’s enforcement discretion policy as a non-clinical study alone is unlikely to provide information that is clinically relevant.

[7] “FDA-required labeling” includes, but is not necessarily limited to, the labeling reviewed and approved by FDA as part of the medical product premarket review process. For a prescription human drug (including biological products), this consists of the FDA-approved prescribing information that meets the requirements of 21 CFR 201.100. For a device, it includes the labeling approved during the review of a premarket approval application or De Novo classification.

The End of the COVID Public Health Emergency and Its Effect on Employee Benefit Plans

The COVID-19 public health emergency ends on May 11, 2023. The emergency resulted in two big changes to welfare plans: the relaxation of certain notification and timing requirements, and the requirement for plans to cover COVID testing and vaccination at no cost to plan participants. While the public health emergency ends May 11, 2023, plans have a grace period until July 11 to take certain actions and come into compliance with the normal rules.

Plan Sponsor Requirements

Before the grace period ends, plan sponsors will generally need to follow the rules that existed before COVID. Among the most important of these rules are the requirements for plan sponsors to:

  • Timely provide all notices, including those for HIPAA and COBRA.
  • Review COVID-related coverage under their employee assistance programs (EAPs) to determine if such coverage would be considered “significant medical care,” which can result in additional reporting and compliance obligations.
  • Review telehealth options to ensure they are properly integrated and provided by an entity that can comply with the post-COVID requirements. Telehealth rules were substantially relaxed during COVID. With telehealth now expected and utilized by more participants, getting telehealth right is more crucial than before.

Plan Sponsor Decisions

With the end of the public health emergency, plan sponsors must also make several important decisions with respect to their employee benefit plans:

  • Whether testing will continue free of charge or will be subject to cost sharing.
  • Whether non-preventative care vaccines for COVID will continue to be free of charge.
  • Whether costs for certain COVID-related services will continue to be posted.

As they are mostly based on what costs the plan sponsor or plan will cover going forward, these plan sponsor decisions are largely business-related. In the absence of a choice by the plan sponsor, the insurance provider will likely make a default choice. The important legal consideration is that the plan documents and employee communications should be consistent and accurately reflect the plan sponsor’s decisions.

Participant Requirements

In addition to the changes for plan sponsors, the end of the public health emergency will result in the reinstatement of a number of rules applicable to participants. Participants will need to:

  • Follow the HIPAA Special Enrollment timing rules.
  • Elect COBRA within the 60-day window for elections.
  • Make all COBRA payments timely.
  • Timely notify the plan of disabilities and qualifying events under COBRA.
  • Follow the timing limitations of their plans and insurance policies regarding filing claims, appeals, and external reviews.

Next Steps

First, plan sponsors should decide what COVID-related coverage will remain fully paid by the plan, if any. Some insurance companies are already starting to communicate with participants, and maintaining a consistent message will avoid unnecessary problems.

Second, plan sponsors should review their EAP and telehealth coverages for compliance with the rules that will soon be in effect. To the extent necessary, plan sponsors should update the documentation for their plans.

Finally, plan sponsors should consider a voluntary reminder communication to participants. Many rules have been relaxed over the last two years or so, and participants may be confused regarding the rules. A reminder may save stress for participants and those administering the plan, and will also serve to document the plan sponsor’s intention to properly follow the terms of the plan.

© 2023 Varnum LLP


The FTC Announces First Health Breach Notification Rule Enforcement Action

On February 1, the Federal Trade Commission (“FTC”) announced enforcement action for the first time under its Health Breach Notification Rule[1]. The complaint against telehealth and prescription drug discount provider GoodRx Holdings Inc. (“GoodRx”), alleges its failure to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect. The Health Breach Notification Rule requires vendors of personal health records and related entities, which are not covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify consumers and the FTC of unauthorized disclosures. In a September 2021 policy statement, the FTC warned health apps and connected devices that they must comply with the rule.

According to the FTC’s complaint, for years GoodRx violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC claims GoodRx shared personal health information with Facebook, Google, Criteo and others. According to the FTC, since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—such as its users’ prescription medications and personal health conditions.

The FTC also alleges GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health and medication-specific advertisements on Facebook and Instagram.

The FTC further alleges that GoodRx:

  • Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising.
  • Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
  • Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

  • Prohibit the sharing of health data for advertising: GoodRx will be permanently prohibited from disclosing user health information to applicable third parties for advertising purposes.
  • Require user consent for any other sharing: GoodRx must obtain users’ affirmative express consent before disclosing user health information to applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties. It also prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
  • Require the company to seek deletion of data: GoodRx must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
  • Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule and detail the information it collects and why such data collection is necessary.
  • Implement a Mandated Privacy Program: GoodRx must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

© 2023 Dinsmore & Shohl LLP. All rights reserved.

FOOTNOTES

[1] 16 CFR Part 318

Biden Administration Seeks to Clarify Patient Privacy Protections Post-Dobbs, Though Questions Remain

On July 8, two weeks following the Supreme Court’s ruling in Dobbs v. Jackson that invalidated the constitutional right to abortion, President Biden signed Executive Order 14076 (E.O.). The E.O. directed federal agencies to take various actions to protect access to reproductive health care services,[1] including directing the Secretary of the U.S. Department of Health and Human Services (HHS) to “consider actions” to strengthen the protection of sensitive healthcare information, including data on reproductive healthcare services like abortion, by issuing new guidance under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[2]

The directive bolstered efforts already underway by the Biden Administration. A week before the E.O. was signed, HHS Secretary Xavier Becerra directed the HHS Office for Civil Rights (OCR) to take steps to ensure privacy protections for patients who receive, and providers who furnish, reproductive health care services, including abortions.[3] The following day, OCR issued two guidance documents to carry out this order, which are described below.

Although the guidance issued by OCR clarifies the privacy protections as they exist under current law post-Dobbs, it does not offer patients or providers new or strengthened privacy rights. Indeed, the guidance illustrates the limitations of HIPAA regarding protection of health information of individuals related to abortion services.

A. HHS Actions to Safeguard PHI Post-Dobbs

Following Secretary Becerra’s press announcement, OCR issued two new guidance documents outlining (1) when the HIPAA Privacy Rule may prevent the unconsented disclosure of reproductive health-related information; and (2) best practices for consumers to protect sensitive health information collected by personal cell phones, tablets, and apps.

(1) HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care

In the “Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe,”[4] OCR addresses three existing exceptions in the HIPAA Privacy Rule to the disclosure of PHI without an individual’s authorization and provides examples of how those exceptions may be applied post-Dobbs.

The three exceptions discussed in the OCR guidance are the exceptions for disclosures required by law,[5] for purposes of law enforcement,[6] or to avert a serious threat to health or safety.[7]

While the OCR guidance reiterates that the Privacy Rule permits, “but does not require” disclosure of PHI in each of these exceptions,[8] this offers limited protection that relies on the choice of providers whether to disclose or not disclose the information. Although these exceptions are highlighted as “protections,” they expressly permit the disclosure of protected health information. Further, while true that the HIPAA Privacy Rule itself may not compel disclosure (but merely permits disclosure), the guidance fails to mention that in many situations in which these exceptions apply, the provider will have other legal authority (such as state law) mandating the disclosure and thus, a refusal to disclose the PHI may be unlawful based on a law other than HIPAA.

Two of the exceptions discussed in the guidance – the required by law exception and the law enforcement exception – only apply in the first place when valid legal authority requires disclosure. In these situations, the fact that HIPAA does not compel disclosure is of no relevance. Certainly, when there is no valid legal authority requiring disclosure of PHI, then HIPAA prohibits disclosure, as noted in the OCR guidance. However, in states with restrictive abortion laws, the state legal authorities are likely to be designed to require disclosure – which HIPAA does not prevent.

For instance, if a health care provider receives a valid subpoena from a Texas court that is ordering the disclosure of PHI as part of a case against an individual suspected of aiding and abetting an abortion, in violation of Texas’ S.B. 8, then that provider could be held in contempt of court for failing to comply with the subpoena, despite the fact that HIPAA does not compel disclosure.[9] For more examples on when a covered entity may be required to disclose PHI, please see EBG’s prior blog: The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe.[10]

Notably, the OCR guidance does provide a new interpretation of the application of the exception for disclosures to avert a serious threat to health or safety. Under this exception, covered entities may disclose PHI, consistent with applicable law and standards of ethical conduct, if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. OCR states that it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care. Thus, in the guidance, OCR takes the position that if a patient in a state where abortion is prohibited informs a health care provider of the patient’s intent to seek an abortion that would be legal in another state, this would not fall into the exception for disclosures to avert a serious threat to health or safety. Covered entities should be aware of OCR’s position and understand that presumably OCR would view any such disclosure as a HIPAA violation.

(2) Protecting the Privacy and Security of Individuals’ Health Information When Using Personal Cell Phones or Tablets

OCR also issued guidance on how individuals can best protect their health information on their own personal devices. HIPAA does not generally protect the privacy or security of health information when it is accessed through or stored on personal cell phones or tablets. Rather, HIPAA only applies when PHI is created, received, maintained, or transmitted by covered entities and business associates. As a result, it is not unlawful under HIPAA for information collected by devices or apps – including data pertaining to reproductive healthcare – to be disclosed without the consumer’s knowledge.[11]

In an effort to clarify HIPAA’s limited ability to protect such information, OCR issued guidance on protecting sensitive consumer information stored on personal devices and in apps.[12] This includes step-by-step guidance on how consumers can control the collection of their location data and how to securely dispose of old devices.[13]

Further, some states have taken steps to fill the legal gaps, with varying degrees of success. For example, California’s Confidentiality of Medical Information Act (“CMIA”) extends to “any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information.”[14] As applied, a direct-to-consumer period tracker app provided by a technology company, for example, would fall under the CMIA’s data privacy protections, but not under HIPAA. Regardless, gaps remain, as the CMIA does not protect against a Texas prosecutor subpoenaing information from the direct-to-consumer app. Conversely, Connecticut’s new reproductive health privacy law[15] does prevent a Connecticut covered entity from disclosing reproductive health information based on a subpoena, but Connecticut’s law does not apply to non-covered entities, such as a period tracker app. Therefore, even the most protective state privacy laws in the U.S. do not fill in all of the privacy gaps.

Alongside OCR’s guidance, the Federal Trade Commission (FTC) published a blog post warning companies with access to confidential consumer information to consider the FTC’s enforcement powers under Section 5 of the FTC Act, as well as the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule.[16] Consistent with OCR’s guidance, the FTC’s blog post reiterates the Biden Administration’s goal of protecting reproductive health data post-Dobbs, but does not go so far as to create new privacy protections relative to current law.

B.  Despite the Biden Administration’s Guidance, Questions Remain Regarding the Future of Reproductive Health Privacy Protections Post-Dobbs

Through E.O. 14076, Secretary Becerra’s press conference, OCR’s guidance, and the FTC’s blog post, the Biden Administration is signaling that it intends to use the full force of its authorities – including those vested by HIPAA – to protect patient privacy in the wake of the Dobbs decision overturning Roe.

However, it remains unclear how this messaging will translate to affirmative executive actions, and how successful such executive actions would be. How far is the executive branch willing to push reproductive rights? Would more aggressive executive actions be upheld by a Supreme Court that just struck down decades of precedent permitting access to abortion? Will the Biden Administration’s executive actions persist if the administration changes in the next Presidential election?

Attorneys at Epstein Becker & Green are well-positioned to assist covered entities, business associates, and other companies holding sensitive reproductive health data in understanding how to navigate HIPAA’s exemptions and their interactions with emerging guidance, regulations, and statutes at both the state and Federal levels.

Ada Peters, a 2022 Summer Associate (not admitted to the practice of law) in the firm’s Washington, DC office, and Jack Ferdman, a 2022 Summer Associate (not admitted to the practice of law) in the firm’s Boston office, contributed to the preparation of this post.

[1] 87 Fed. Reg. 42053 (Jul. 8, 2022), https://bit.ly/3b4N4rp.

[2] Id.

[3] HHS, Remarks by Secretary Xavier Becerra at the Press Conference in Response to President Biden’s Directive following Overturning of Roe v. Wade (June 28, 2022), https://bit.ly/3zzGYsf.

[4] HHS, Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe (June 29, 2022),  https://bit.ly/3PE2rWK.

[5] 45 C.F.R. § 164.512(a)(1).

[6] 45 C.F.R. § 164.512(f)(1).

[7] 45 C.F.R. § 164.512(j).

[8] Id.

[9] See Texas S.B. 8; e.g., Fed. R. Civ. P. 37 (outlining available sanctions associated with the failure to make disclosures or to cooperate in discovery in Federal courts), https://bit.ly/3BjX4I2.

[10] EBG Health Law Advisor, The Pendulum Swings Both Ways: State Responses to Protect Reproductive Health Data, Post-Roe (June 17, 2022), https://bit.ly/3oPDegl.

[11] A 2019 Kaiser Family Foundation survey concluded that almost one third of female respondents used a smartphone app to monitor their menstrual cycles and other reproductive health data. Kaiser Family Foundation, Health Apps and Information Survey (Sept. 2019), https://bit.ly/3PC9Gyt.

[12] HHS, Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet (last visited Jul. 26, 2022), https://bit.ly/3S2MNWs.

[13] Id.

[14] Cal. Civ. Code § 56.10, Effective Jan. 1, 2022, https://bit.ly/3J5iDxM.

[15] 2022 Conn. Legis. Serv. P.A. 22-19 § 2 (S.B. 5414), Effective July 1, 2022, https://bit.ly/3zwn95c.

[16] FTC, Location, Health, and Other Sensitive Information: FTC Committed To Fully Enforcing the Law Against Illegal Use and Sharing of Highly Sensitive Data (July 11, 2022), https://bit.ly/3BjrzNV.

©2022 Epstein Becker & Green, P.C. All rights reserved.

Do You Have a College Student? Important Healthcare, Financial, and Educational Documents That They (and You) Need

August is upon us and you may soon be sending children off to college. If your child is age 18 or older, you and your child will need to take some simple steps so that, in the event of an emergency, you will be able to make health care and financial decisions for your child and have access to your child’s medical information and financial accounts. The same is true if you are to have access to your child’s educational records.

Medical Information. Once your child reaches age 18, your child is deemed to be an adult by law and you no longer have a legal right to make health care decisions on behalf of your child or to access your child’s health care information. As a result, if you have an adult child, your child must execute certain legal documents naming you as his or her health care agent and permitting you to access his or her medical information:

  1. Your child must execute a “Health Care Proxy” naming you as his or her agent for health care decisions. In this document, your child authorizes you to make health care decisions on your child’s behalf if he or she becomes unable to make or communicate such decisions himself or herself. The child may also share his or her own wishes regarding medical treatment.
  2. Your child must also sign a “HIPAA Authorization Form.” The Health Insurance Portability & Accountability Act of 1996 (generally known as “HIPAA”) protects the privacy of an individual’s medical information, and health care providers may require written consent from a patient to share information with family members, including parents of an adult child. Your child’s college or university may also have policies in place preventing it from sharing medical information without the student’s consent. This form will serve as written permission authorizing those providing health care services to your child to share medical information with you as your child’s health care agent.
  3. In addition, you should be in contact with the health services department of your child’s college or university. The institution may provide its own form for authorizing the release of medical information that can be kept on record with the institution’s health services department.

Financial Accounts. If you are to have the ability to act on behalf of your adult child with respect to financial matters, your child also needs to execute a “Durable Power of Attorney” naming you as your child’s agent with respect to the child’s assets and finances. If your child is attending college away from home, is studying abroad, or undergoes a medical emergency, it may be useful for you to access your child’s accounts on his or her behalf. This allows you to pay your child’s bills out of his or her accounts, make deposits, and open or close accounts. In addition, a durable power of attorney allows you to handle other financial tasks for the child, such as filing tax returns or renewing a lease.

Educational Records. Finally, the Family Educational Rights and Privacy Act (FERPA) protects the educational records of a child who has turned 18 or is enrolled at a postsecondary institution from access by his or her parents. If the child’s parents claim the child as a dependent on their tax returns, the parents may still access the child’s education records without the child’s consent. However, institutions may be reluctant to allow access to education records for any child over the age of 18 without a “FERPA Waiver” signed by the child, regardless of their status as a dependent. If you would like to have access to your child’s educational records, you should contact the institution to request a FERPA Waiver form.

2022 Goulston & Storrs PC.