In a dramatic turn, the US Department of Health and Human Services (HHS) has announced that effective immediately, penalties for many HIPAA violations will be subject to substantially reduced limits. After a record year of collecting high-dollar settlements, the agency has pulled back and tied its own hands through a Notification of Enforcement Discretion that will likely result in lower penalties and settlement agreement amounts.
The Department of Health and Human Services (HHS) announced a Request for Information (RFI) regarding how the HIPAA Privacy, Security, and Breach Notification Rules could be modified to reduce regulatory burdens and to improve care coordination, case management, and value-based health care. In addition to opening the door for public comments on current challenges and potential modifications to the HIPAA Rules, the RFI specifically requests feedback on anticipated changes to several specific provisions of the Privacy Rule.
Regulators provided key insights into enforcement trends and potential changes to HIPAA regulations at the 11th Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference in October co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR).
On October 18, 2018, FDA issued a long-awaited draft revision to its existing guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”(premarket cybersecurity guidance). This coincided with release of the FDA-supported incident preparedness and response playbook, the announcement of two new Information Sharing Analysis Organizations (ISAOs), and FDA’s recent news release discussing the agency’s enhanced cybersecurity partnership with the U.S. Department of Homeland Security (DHS) earlier this month. FDA’s recent flurry of activity focuses on providing additional clarity about when to interact with FDA, what information would be useful in submissions, and what level of documentation is expected. Cybersecurity clearly is a high priority issue for FDA and the agency is working hard to bring together stakeholders and provide the best information it can so that all entities that are involved in managing the multifaceted and evolving area of cybersecurity have the best and most current information to manage the risks of a cybersecurity intrusion.
The California Consumer Privacy Act of 2018 (CCPA) adds another set of privacy requirements for health and life sciences companies. Managing the interaction of these new requirements with existing obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other health privacy laws will continue to be an area of focus in the health privacy community for years to come. In the latest installment of the CCPA blog series, we describe these issues and outline four important steps health and life sciences companies may consider to assess the CCPA’s operational impact.
Aetna will pay almost $17.2 million to settle a federal class action lawsuit stemming from a 2017 mailing that disclosed the HIV status of health plan members. Aetna also agreed last week to pay a $1.15 million fine to the state of New York after the Attorney General Eric Schneiderman’s investigation into Aetna’s alleged violations of federal and state privacy laws. Both settlements require compliance monitoring and record keeping obligations.
The Information Commissioner’s Officer ruled, on 3 July 2017, that the Royal Free NHS Foundation Trust had failed to comply with the Data Protection Act 1998 when it provided 1.6 million patient details to Google DeepMind as part of a trial diagnosis and detection system for acute kidney injury, and required the Trust to sign an undertaking. The investigation brings together some of the most potent and controversial issues in data privacy today; sensitive health information and its use by the public sector to develop solutions combined with innovative technology driven by a sophisticated global digital company. This analysis provides insight on the investigation into Google DeepMind with focus on how the General Data Protection Regulation may impact the use of patient data going forward.
After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor. Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.
Representatives from government and the private sector discussed the present state of healthcare cybersecurity, and experts discussed practical strategies for implementing the HIPAA Security Rule at the ninth annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference held from October 19–20, 2016 and co-hosted by the National Institute of Standards and Technology and the Department of Health and Human Services, Office for Civil Rights. Comprehensive, enterprise-wide risk analysis and risk management practices remained points of emphasis throughout the conference. Additional themes, which we outline in this post, also emerged.
Cloud service providers are on notice: you are HIPAA business associates, even if you are unable to access the HIPAA protected information in your cloud. The Department of Health and Human Services Office for Civil Rights released guidance making clear that cloud service providers that create, receive, maintain, or transmit electronic protected health information are covered by HIPAA.
On Wednesday, August 17, 2016, the Future of Privacy Forum released a set of detailed guidelines for the collection and use of consumer-generated wellness data. The document, Best Practices for Consumer Wearables & Wellness Apps & Devices, was drafted by FPF with input from a wide range of stakeholders, including privacy advocates, companies, and regulators. The Best Practices guidelines set forth a Fair Information Practice Principles-based trust framework that builds on existing legal expectations to provide a set of best practices providing appropriate protections given the nature and sensitivity of the data.
A new report from the Department of Health and Human Services Office of the National Coordinator for Health Information Technology highlights data protection gaps in the U.S. for health data from wearable devices, social media, and emerging technologies. The report, “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” identifies several areas in which privacy and security protections for health data have lagged behind technological developments that are expanding the collection of health data outside the traditional venues for health care.
The Department of Health and Human Services Office for Civil Rights is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
The Department of Health and Human Services released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.
The European Commission has actively promoted the importance of mHealth following their 2014 consultation. One of the initiatives to emerge from the Commission has been the Privacy Code of Conduct for mHealth apps. The Code was drafted by a working group set up in January this year and the final draft was published on 7th June and submitted to the Article 29 Working Party for their consideration and approval. If and when it receives the Working Party’s approval it could then be relied upon by app developers wishing to demonstrate a good standard of data protection compliance. The Code is an example of the type of initiative that is increasingly likely to develop under the forthcoming EU General Data Protection Regulation.
The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply.
The revamped audit protocol for the upcoming HIPAA Phase 2 audits has been released by the US Department of Health and Human Services Office for Civil Rights. The audit protocol, which is posted on the HHS website, includes new requirements added by the 2013 Omnibus Final Rule for HIPAA covered entities and business associates. The Phase 2 audits will be more focused, and the stakes will be higher: the agency has indicated that audits may, in certain circumstances, lead to full compliance reviews—with the potential for fines or settlement agreements related to alleged HIPAA noncompliance. In addition, business associates will be subject to HIPAA audits for the first time.
Last week, the Department of Health and Human Services Office for Civil Rights launched the long-awaited Phase 2 HIPAA Audit Program. Earlier this month, the agency posted two resolution agreements that continue the trend toward big dollar settlement amounts and a focus on security risk assessments and business associate agreements. With Phase 2 HIPAA Audits underway and more full-scale compliance reviews triggered by data breach reports, it is more important than ever to appropriately protect health information.
The US government has been increasingly active in cybersecurity legislation and enforcement. Congress recently passed the Cybersecurity Act of 2015, which has spurred renewed attention to cybersecurity requirements and cyber threat information sharing. The US government continues to draw attention to how organizations can align their cybersecurity programs with the NIST Cybersecurity Framework. Moreover, a number of federal agencies including the Consumer Financial Protection Bureau, Federal Trade Commission, and Federal Communications Commission have all issued settlements relating to cybersecurity enforcement actions in recent months. In the health sector, the US Department of Health and Human Services has been increasingly focused on cybersecurity, primarily through its HIPAA enforcement activities. Against that backdrop, three recent developments demonstrate the ways in which HHS and the health sector are expanding their cybersecurity focus beyond HIPAA Security Rule compliance.
Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A more clear understanding of how the rules apply can also help bring down barriers to innovation.
The EU General Data Protection Regulation has been called the most lobbied piece of legislation in the history of the EU. Before Christmas last year, what is likely to be the final text of the GDPR emerged from the EU trilogue negotiations. Victoria Hordern, Senior Associate at Hogan Lovells, explores what the new GDPR will mean for those collecting and handling health data, and examines a number of the provisions and themes that impact the use of health data.
The White House released the Precision Medicine Initiative Privacy and Trust Principles, aimed at building patient trust and protecting patient privacy for precision medicine-related activities last month, as the National Institutes of Health announced the availability of $72 million in PMI-related funding opportunities for fiscal year 2016. A Security Policy Framework that will help ensure that security is built into the foundation of the PMI is in development.
The HHS Office for Civil Rights has launched an online portal designed to solicit questions from mHealth developers regarding compliance with HIPAA privacy and security requirements. The portal is designed to demystify HIPAA for app developers while providing guidance to regulators about which aspects of HIPAA may require clarification.
In our previous post we outlined the key issues regarding mHealth devices and services from a privacy law perspective. Now, we go further into the details and discuss the scope of the personal data involved, especially relating to sensitive health data. We introduce the relevant statutory requirements in the EU and the legal opinions of the Article 29 Working Party and the European Data Protection Supervisor as well as having a look at the upcoming European General Data Protection Regulation. Against this legal background, one core question we will examine is whether information collected and processed by lifestyle apps and devices must be classified as health data and fall under the strict requirements of European data protection laws.