Categories
Health Law Highlights

Confidentiality of Substance Use Disorder Patient Records: What to Know About Updates to Part 2

From Orrick, Herrington & Sutcliffe LLP, by Thora Johnson, Kyle Kessler, Cosmas Robless:

The U.S. Department of Health & Human Services (HHS) has updated the Confidentiality of Substance Use Disorder Patient Records regulations (Part 2) to align with HIPAA and HITECH, aiming to improve care coordination while protecting patient privacy. Notably, patient consent for disclosure of SUD treatment records has been simplified, allowing a single consent for all future uses and disclosures related to treatment, payment, and health care operations.

The Rule permits redisclosure of SUD records by HIPAA-covered entities without additional patient consent, promoting coordinated care. The Rule also introduces a definition for SUD counseling notes, mirroring the HIPAA protections for psychotherapy notes, which require separate written consent for use or disclosure.

The Rule establishes two new patient rights: the right to receive an accounting of any disclosures of their SUD records in the three years prior to their request, and the right to request restrictions on disclosures of their records for treatment, payment, and health care operations.

The Rule expands patient privacy in legal proceedings, extending the prohibition of the use and disclosure of SUD records to all criminal, civil, administrative, and legislative proceedings against a patient. It also authorizes civil penalties, in addition to criminal ones, for Part 2 violations, aligning with the value of civil penalties under HIPAA.

The Rule applies the same requirements as the HIPAA Breach Notification Rule to breaches of patient records subject to Part 2. Providers must notify affected individuals, the Secretary of HHS, and in some cases the media in the event of a breach. The Rule will become effective 60 days after its publication in the Federal Register on February 16, 2024, with compliance required by February 16, 202

Categories
Alert

NIST Publishes SP 800-66 Revision 2, Implementing the HIPAA Security Rule

From NIST Computer Security Resource Center:

The National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-66r2 (Revision 2), “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide”.

SP 800-66 provides guidance for entities regulated by HIPAA on evaluating and managing risks associated with electronic Protected Health Information (ePHI). It outlines typical activities for an information security program and offers advice to improve cybersecurity posture and assist with HIPAA Security Rule compliance.

NIST’s Cybersecurity and Privacy Reference Tool (CPRT) includes mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls. It also lists NIST publications relevant to each HIPAA Security Rule standard, which can be used as additional resources for implementing HIPAA Security Rule standards and implementation specifications.


HTI-1 Final Rule in Effect

From The HIPAA Journal, by Steve Alder:

The Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule, issued by the HHS’ Office of the National Coordinator for Health Information Technology (ONC), took effect on February 8, 2024. It implements provisions of the 21st Century Cures Act and updates the ONC Health IT Certification Program with new standards for AI systems.

The Final Rule is designed to advance ONC-certified health IT interoperability, algorithm transparency, and data standardization. It aims to improve patient outcomes and reduce healthcare costs by promoting the safe, secure, and trustworthy development of AI.

The Final Rule introduces new transparency requirements for AI and other predictive algorithms within ONC-certified health IT. It allows clinical users to access a consistent set of information about the algorithms and assess them for fairness, validity, effectiveness, and safety.

It adopts the United States Core Data for Interoperability (USCDI) Version 3 (v3) as the new baseline standard within the ONC Health IT Certification Program. Developers of certified health IT have until January 1, 2026, to transition to USCDI v3.

The Final Rule introduces new information blocking requirements and definitions, adds a new exception to support information sharing, and introduces new interoperability-focused reporting metrics. It is crucial that IT systems, information sharing policies, data collection, and reporting practices are assessed to ensure compliance with these new requirements.


Data Broker Allegedly Selling De-Anonymized Info to Face FTC Lawsuit After All

From Ars Technica, by Ashley Belanger:

The Federal Trade Commission (FTC) has succeeded in keeping its case against geolocation data broker Kochava alive, alleging that the company has been selling vast amounts of data in violation of the FTC Act. The FTC accuses Kochava of selling data obtained from millions of mobile devices across the world, combining precise geolocation data with sensitive and identifying information without users’ informed consent.

The FTC claims Kochava’s data sales allow customers to create highly detailed profiles of individuals, which invades their privacy and increases the risk of secondary harms such as stigma, discrimination, and emotional distress. The FTC cited specific examples of consumers who have been harmed by such data sharing practices, including a Catholic priest who resigned after being tracked using mobile geolocation data.

Kochava argues that the examples of consumer harm in the FTC’s complaint are disconnected from its activities and has accused the FTC of making knowingly false allegations. However, the court found no evidence to support Kochava’s claims and refused to dismiss the FTC’s case. Kochava CEO Charles Manning maintains that the company has always complied with all rules and laws, including those specific to privacy.

The FTC has proposed that Kochava could implement safeguards to protect consumer privacy, such as blacklisting sensitive locations or removing sensitive characteristics from its data. Kochava has introduced a new feature, Privacy Block, which blocks geolocation data near sensitive locations, although this was implemented after the FTC initiated its investigation.

The FTC is seeking a permanent injunction to stop Kochava from allegedly selling sensitive data without user consent. If the FTC wins the case against Kochava, it could trigger a wave of class-action complaints from consumers and set a precedent for future actions against data brokers.


2024 Privacy Compliance: Are You Ready For It?

From InfoLawGroup LLP, by Justine Young Gottshall:

  • New State Privacy Laws: In 2024, Texas, Oregon, Florida, and Montana will implement new privacy laws, requiring businesses to update their policies, intake forms, and responses, and obtain opt-in consent for sensitive data collection. Similar laws will take effect in Delaware, New Hampshire, New Jersey, and Tennessee in 2025.
  • Compliance with Existing State Privacy Laws: Companies should ensure compliance with Privacy Impact Assessments (PIAs), Data Processing Agreements, Universal Opt-Out mechanisms, Web Accessibility Compliance, and conduct annual biometric reviews, especially in areas involving online advertising, use of AI, and handling of sensitive data.
  • New Health Data Laws: Washington and Nevada will introduce laws affecting companies collecting health data, requiring comprehensive compliance measures and specific authorizations. Florida’s law will apply to limited businesses with specific revenue and operational criteria.
  • Machine Learning and AI Use: The FTC is increasing scrutiny on the use of personal data in AI tools. Companies should review vendor agreements, create internal policies, and ensure responsible use of data, particularly sensitive data.
  • Data Collection from Minors: New laws and regulations affecting data collection from minors are expected. Companies should ensure compliance with existing laws and prepare for upcoming ones in Connecticut, Utah, Louisiana, and Florida. The FTC is also proposing updates to the COPPA Rule.

Wellness Apps and Privacy

From Seyfarth Shaw LLP, by Diane Dygert:

  • Employers are increasingly interested in providing wellness tools, such as apps and wearables, to enhance employee benefits. These tools, which cover various areas like mental health, physical fitness, and financial fitness, are relatively inexpensive and easily accessible.
  • The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. However, this only applies to data created or maintained by a “covered entity”, usually healthcare providers or health plans. Many wellness apps are not developed by such entities, and therefore, their data may not be protected by HIPAA.
  • If a wellness app is provided as part of an employer’s health plan, the underlying data collected may be considered HIPAA Protected Health Information (PHI). In such cases, the wellness vendor and the health plan must enter into a HIPAA compliant business associate agreement outlining the uses and security measures for the PHI.
  • State laws may also impact the privacy of health data collected through wellness apps. Several states are passing their own privacy laws to cover health data privacy gaps in HIPAA’s scope. However, most of these laws exclude information collected in the scope of an employment relationship, and the extent of these exclusions is not yet clear.
  • Employers deploying wellness apps should consider privacy implications at both federal and state levels before implementation. Failure to do so could potentially lead to privacy law liability.

Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare

From HealthIT Security, by Jill McKeon:

  • The healthcare sector experienced significant data breaches in 2023, with over 540 organizations reporting such incidents, largely due to ransomware attacks. Healthcare was the third-most targeted industry, following manufacturing and technology.
  • The GuidePoint Research and Intelligence Team (GRIT) identified 63 distinct ransomware groups responsible for these attacks, with established groups like LockBit, Alphv, and Clop causing the majority of breaches. These groups have operated for at least nine months and have well-defined tactics.
  • Both established and emerging ransomware groups have increasingly targeted healthcare organizations. Despite traditionally being considered ‘off-limits’ due to potential negative press and law enforcement attention, the number of attacks on healthcare organizations rose in 2023.
  • Emerging groups, defined as those in operation for less than three months, have been particularly problematic for the healthcare sector. One such group, Rhysida, has been aggressive in its attacks despite its relative newness, using tactics like phishing to compromise victims.
  • GRIT predicts that ransomware attacks will continue to escalate in 2024, with the most prolific groups leading advancements in techniques and strategies. The report emphasizes the importance of industry best practices in threat intelligence, information sharing, and public-private partnerships to combat this growing threat.

HHS Releases Voluntary Cybersecurity Performance Goals to Beef Up Healthcare’s Digital Defenses

From Fierce Healthcare, by Dave Muoio:

  • The Department of Health and Human Services (HHS) has published voluntary cybersecurity performance goals for healthcare organizations, aiming to enhance industry-wide cybersecurity. The goals are hosted on a new website launched by the department to centralize cybersecurity resources from various government groups.
  • The goals are divided into two categories: “Essential Goals” and “Enhanced Goals”, reflecting cybersecurity frameworks, best practices, and strategies developed by the healthcare industry. They address common attack vectors against U.S. hospitals, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
  • The voluntary goals cover initial protection, response, and mitigation of residual risk. They provide a prioritization roadmap for layers of protection across various points of weakness, aiming to prevent potential breaches.

New California Law Imposes Significant Data Management Requirements for Sensitive Health Data

From Troutman Pepper, by Brent Hoard, Emma Trivax, and Erin Whaley:

  • Effective January 1, AB 352 introduces significant changes to the management and sharing of sensitive health information in California, particularly related to reproductive health services. The bill amends the existing Reproductive Privacy Act and the Confidentiality of Medical Information Act (CMIA) and several other statutes.
  • Enhanced Security Measures: By July 1, businesses that electronically store or maintain certain medical information must implement enhanced security measures, including limiting user access, preventing sharing of medical information outside of California, segregating certain medical information, and disabling access to segregated information from outside California.
  • Prohibition on Cooperation With Out-of-State Inquiries: Health care providers and related entities are prohibited from cooperating with out-of-state or federal inquiries that would identify an individual seeking or obtaining an abortion or abortion-related services, unless authorized under existing law provisions.
  • Prohibition on Disclosure of Medical Information: Entities are prohibited from knowingly disclosing information that would identify an individual related to an abortion to any individual or entity from another state, unless authorized under specific conditions. A grace period until January 31, 2026, is provided for entities working diligently and in good faith to comply with the prohibition.
  • Exclusion From Automatic Data Sharing: The bill excludes the exchange of health information related to abortion and abortion-related services from automatic sharing on the California Health and Human Services Data Exchange Framework. Entities should assess their compliance, undertake a data inventory, develop technical controls, revise procedures for individual rights requests, and incorporate these changes into training sessions.

What Do Threads, Mastodon, and Hospital Records Have in Common?

From Ars Technica, by Fintan Burke:

  • The concept of “federated learning”, inspired by the privacy-focused structure of new social media platforms, is being adopted by medical researchers to train AI in spotting disease trends. In this approach, user data is hosted on independent servers instead of a single corporate entity, which promotes data privacy and enables selective sharing of information.
  • Instead of pooling patient data from various hospitals into one database, which raises privacy concerns and legal complications, researchers send their AI models to individual hospitals. These models can then analyze the data within the hospital’s firewall, maintaining the privacy of sensitive patient information.
  • The training process involves doctors identifying eligible patients, selecting necessary clinical data, and organizing it on a local database. The AI software then uses this data to identify disease trends. The trained model is periodically sent to a central server, where it is combined with models from other hospitals to update the original model.
  • The updated “consensus model” is sent back to each hospital to be trained further, and this cycle continues until the final model is deemed accurate enough. This process preserves data privacy: what travels back to the central server is the anonymized model, while the patient data itself remains within the hospital’s firewall.
  • Federated learning has seen significant growth in medical research. For instance, in 2021, a study successfully used this method to predict diabetes from CT scans of abdomens, potentially identifying at-risk patients up to seven years prior to their diagnosis.
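As an added illustration of the round trip described above (this is example code written for this digest, not code from the Ars Technica article or from any research project it mentions): a pure-Python simulation of federated averaging over three constructed hospital datasets. The site names, record counts, the hidden labelling rule and the choice of a two-feature logistic regression are all assumptions made for the example; the point is that `local_train` is the only function that ever touches patient records, and the only thing it returns to the server is a parameter vector and a record count.

```python
import math
import random

# Constructed sample data: three "hospital" sites, each holding its own
# patient-like records that never leave the site. Labels come from a hidden
# linear rule (an assumption for the example) so the consensus model has
# something to recover.
TRUE_W = [2.0, -1.5]
TRUE_B = 0.3


def make_site(seed, n):
    """Builds n constructed records (two features, one binary outcome) for one site."""
    rng = random.Random(seed)
    records = []
    for _ in range(n):
        x = [rng.uniform(-1, 1), rng.uniform(-1, 1)]
        y = 1 if TRUE_W[0] * x[0] + TRUE_W[1] * x[1] + TRUE_B > 0 else 0
        records.append((x, y))
    return records


# Hypothetical site names; each value stays behind that site's boundary.
SITES = {
    "hospital_a": make_site(1, 120),
    "hospital_b": make_site(2, 80),
    "hospital_c": make_site(3, 150),
}


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(model, x):
    w0, w1, b = model
    return sigmoid(w0 * x[0] + w1 * x[1] + b)


def local_train(model, records, epochs=5, lr=0.5):
    """Runs inside the site's firewall: full-batch gradient descent for a
    logistic regression on the local records. Returns only the updated
    parameters and the record count, never the records themselves."""
    w0, w1, b = model
    n = len(records)
    for _ in range(epochs):
        g0 = g1 = gb = 0.0
        for x, y in records:
            err = sigmoid(w0 * x[0] + w1 * x[1] + b) - y
            g0 += err * x[0]
            g1 += err * x[1]
            gb += err
        w0 -= lr * g0 / n
        w1 -= lr * g1 / n
        b -= lr * gb / n
    return [w0, w1, b], n


def aggregate(updates):
    """Server side: federated averaging, i.e. a record-count-weighted mean of
    the parameter vectors received from the sites."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(params[i] * n for params, n in updates) / total for i in range(dim)]


def federated_train(sites, rounds=10):
    """One round = server sends the current model out, every site trains it
    locally, server averages what comes back into the next consensus model."""
    model = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        updates = [local_train(model, records) for records in sites.values()]
        model = aggregate(updates)
    return model


def accuracy(model, records):
    hits = sum(1 for x, y in records if (predict(model, x) >= 0.5) == (y == 1))
    return hits / len(records)


if __name__ == "__main__":
    consensus = federated_train(SITES)
    held_out = make_site(99, 200)  # constructed records from none of the sites
    print("consensus model:", [round(p, 3) for p in consensus])
    print("held-out accuracy:", accuracy(consensus, held_out))
```

Two design points worth keeping in view when reading this. First, the privacy property the article describes comes from the data flow, not from the maths: `aggregate` only ever sees parameter vectors, so a compromised central server gets model weights rather than records. Second, plain federated averaging is not by itself an anonymization guarantee; model updates can still leak information about the records they were trained on, which is why production deployments layer secure aggregation or differential privacy on top of the exchange shown here.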