Categories
Health Law Highlights

HHS Releases Voluntary Cybersecurity Performance Goals to Beef Up Healthcare’s Digital Defenses

From Fierce Healthcare, by Dave Mulio:

  • The Department of Health and Human Services (HHS) has published voluntary cybersecurity performance goals for healthcare organizations, aiming to enhance industry-wide cybersecurity. The goals are hosted on a new website launched by the department to centralize cybersecurity resources from various government groups.
  • The goals are divided into two categories: “Essential Goals” and “Enhanced Goals”, reflecting cybersecurity frameworks, best practices, and strategies developed by the healthcare industry. They address common attack vectors against U.S. hospitals, as identified in the 2023 Hospital Cyber Resiliency Landscape Analysis.
  • The voluntary goals cover initial protection, response, and mitigation of residual risk. They provide a prioritization roadmap for layers of protection across various points of weakness, aiming to prevent potential breaches.

New California Law Imposes Significant Data Management Requirements for Sensitive Health Data

From Troutman Pepper, by Brent Hoard, Emma Trivax, and Erin Whaley:

  • Effective January 1, AB 352 introduces significant changes to the management and sharing of sensitive health information in California, particularly related to reproductive health services. The bill amends the existing Reproductive Privacy Act and the Confidentiality of Medical Information Act (CMIA) and several other statutes.
  • Enhanced Security Measures: By July 1, businesses that electronically store or maintain certain medical information must implement enhanced security measures, including limiting user access, preventing sharing of medical information outside of California, segregating certain medical information, and disabling access to segregated information from outside California.
  • Prohibition on Cooperation With Out-of-State Inquiries: Health care providers and related entities are prohibited from cooperating with out-of-state or federal inquiries that would identify an individual seeking or obtaining an abortion or abortion-related services, unless authorized under existing law provisions.
  • Prohibition on Disclosure of Medical Information: Entities are prohibited from knowingly disclosing information that would identify an individual related to an abortion to any individual or entity from another state, unless authorized under specific conditions. A grace period until January 31, 2026, is provided for entities working diligently and in good faith to comply with the prohibition.
  • Exclusion From Automatic Data Sharing: The bill excludes the exchange of health information related to abortion and abortion-related services from automatic sharing on the California Health and Human Services Data Exchange Framework. Entities should assess their compliance, undertake a data inventory, develop technical controls, revise procedures for individual rights requests, and incorporate these changes into training sessions.

What Do Threads, Mastodon, and Hospital Records Have in Common?

From Ars Technica, by Fintan Burke:

  • The concept of “federated learning”, inspired by the privacy-focused structure of new social media platforms, is being adopted by medical researchers to train AI in spotting disease trends. In this approach, user data is hosted on independent servers instead of on one corporate entity’s servers, which promotes data privacy and enables selective sharing of information.
  • Instead of pooling patient data from various hospitals into one database, which raises privacy concerns and legal complications, researchers send their AI models to individual hospitals. These models can then analyze the data within the hospital’s firewall, maintaining the privacy of sensitive patient information.
  • The training process involves doctors identifying eligible patients, selecting necessary clinical data, and organizing it on a local database. The AI software then uses this data to identify disease trends. The trained model is periodically sent to a central server, where it is combined with models from other hospitals to update the original model.
  • The updated “consensus model” is sent back to each hospital for further training, and this cycle repeats until the final model is deemed accurate enough. Only the model’s parameters cross the hospital’s firewall; the raw patient records never leave it. That is the privacy guarantee, with the caveat that the shared parameters still encode information derived from the local data and so are not perfectly anonymous.
  • Federated learning has seen significant growth in medical research. For instance, in 2021, a study successfully used this method to predict diabetes from CT scans of abdomens, potentially identifying at-risk patients up to seven years prior to their diagnosis.
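The local-train, aggregate, redistribute cycle described above, as an added example rather than code from the Ars Technica article or from any of the studies it mentions. Three simulated hospitals each fit a logistic-regression model on constructed synthetic records; only the resulting weights and a sample count go to the coordinating server, which averages them (the FedAvg rule, weighted by sample count) into a consensus model that is sent back for the next round. The feature model, hospital sizes, learning rate and round count are all assumptions chosen to keep the run small.

```python
"""Federated averaging (FedAvg) over three simulated hospitals.

Added illustration, not code from the Ars Technica article. Each hospital
trains a logistic-regression model on data that stays on its own side of
the "firewall"; only the model's weights (plus a sample count) go to the
coordinating server, which averages them into a consensus model and sends
that back for the next round. All data below is constructed synthetic data.
"""
import math
import random


def sigmoid(z):
    # Numerically safe logistic function.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


def make_hospital_data(n, seed):
    """Constructed patient records: two scan-derived features and a 0/1
    diagnosis label drawn from a known logistic model (assumption)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x1, x2 = rng.uniform(-3, 3), rng.uniform(-3, 3)
        p_disease = sigmoid(3.0 * x1 - 2.0 * x2 + 0.5)
        rows.append(([x1, x2], 1 if rng.random() < p_disease else 0))
    return rows


def local_train(consensus, records, epochs=5, lr=0.1):
    """One hospital's step: start from the consensus weights, run SGD on the
    local records, return (weights, sample_count). The records are never
    part of the return value, which is all the server ever sees."""
    w = list(consensus)
    for _ in range(epochs):
        for (x1, x2), y in records:
            grad = sigmoid(w[0] + w[1] * x1 + w[2] * x2) - y
            w[0] -= lr * grad
            w[1] -= lr * grad * x1
            w[2] -= lr * grad * x2
    return w, len(records)


def fed_avg(updates):
    """Server side: sample-count-weighted average of the client weights."""
    total = sum(n for _, n in updates)
    return [sum(w[i] * n for w, n in updates) / total for i in range(3)]


def accuracy(w, records):
    hits = sum((sigmoid(w[0] + w[1] * x1 + w[2] * x2) >= 0.5) == (y == 1)
               for (x1, x2), y in records)
    return hits / len(records)


def run_federated(rounds=5):
    """Full cycle: local training -> aggregation -> redistribution, repeated.
    Returns the consensus weights and their accuracy on held-out data."""
    hospitals = [make_hospital_data(200, 11),
                 make_hospital_data(120, 22),
                 make_hospital_data(300, 33)]
    consensus = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        updates = [local_train(consensus, recs) for recs in hospitals]
        # What crosses the wire: a list of floats and an int per hospital.
        for w, n in updates:
            assert all(isinstance(v, float) for v in w) and isinstance(n, int)
        consensus = fed_avg(updates)
    holdout = make_hospital_data(500, 99)
    return consensus, accuracy(consensus, holdout)


if __name__ == "__main__":
    weights, acc = run_federated()
    print("consensus weights:", [round(v, 3) for v in weights])
    print("held-out accuracy:", round(acc, 3))
```

The assertion inside `run_federated` is the point of the design: the server's input is three weight vectors and three integers, nothing that identifies a patient. Whether those weight vectors themselves leak anything about the local records is a separate question that this loop does not answer.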

Is Stripe HIPAA Compliant?

From The HIPAA Journal, by Steve Adler:

  • Stripe’s Non-HIPAA Compliance: Despite being compliant with various US and international data privacy regulations, Stripe is not HIPAA compliant. This is due to its method of recording personal data within transaction data, which is then used for fraud detection and shared with third-party payment providers, some of which have questionable security and privacy practices.
  • Payment Processing Exemption: Stripe can process payments without violating HIPAA because of an exemption provided by the Social Security Act (§1179), which excludes financial transactions from HIPAA’s Administrative Simplification Regulations. However, this exemption only applies to payment processing and not to other activities, such as fraud detection, without a Business Associate Agreement (BAA) in place.
  • Stripe’s BAA Limitation: Stripe cannot enter into a BAA with HIPAA covered entities and business associates because some of its third-party payment providers, like Coinbase and PayPal, will not enter into a BAA with Stripe. This makes Stripe non-HIPAA compliant.
  • Stripe’s Global Compliance: As a global payment processing platform, Stripe must adhere to various consumer protection regulations and licensing requirements worldwide, leading it to restrict or prohibit certain types of business activities, including collecting payments for certain healthcare services.
  • Violating Stripe’s Terms and Conditions: If a business violates Stripe’s Terms and Conditions, which include a list of restricted business activities, Stripe can immediately terminate access to its payment processing platform. Therefore, businesses considering Stripe should thoroughly review its Terms and Conditions and related documentation to understand their obligations.

The Most Critical Elements of the FTC’s Health Breach Rulemaking

From Lawfare, by Justin Sherman and Devan Desai:

  • The Federal Trade Commission (FTC) is considering modifications to its Health Breach Notification Rule (HBNR), which governs how non-HIPAA-covered entities handle health data breaches. The proposed changes aim to keep up with technological advancements and trends in the health tech and data landscapes.
  • The FTC’s proposal comes amid a greater focus on health data privacy, following enforcement actions against prescription drug provider GoodRx and fertility tracking app Premom, both of which allegedly violated the HBNR by sharing sensitive health data without proper disclosures.
  • The proposed changes aim to expand federal health data breach regulations to reflect the evolving role of health tech apps, telehealth services, data brokers, and digital advertisers in collecting, aggregating, identifying, sharing, and selling Americans’ health information.
  • The FTC is looking to expand and clarify the definition of personal health record identifiable information, formally expand the definition of a breach to include unauthorized data disclosures, and clarify how the HBNR applies to mobile apps and health tech companies.
  • While the proposed changes largely serve to clarify existing policies and practices, they are viewed as crucial in improving privacy regulation, aligning with state-level health data regulations, and addressing harmful practices such as selling sensitive health data without consumers’ consent.

OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

From Taft Stettinius & Hollister LLP, by Ike Willett & Cory Brennan:

  • On December 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group following a phishing attack that affected the PHI of approximately 34,862 individuals.
  • This marks the first settlement OCR has resolved involving a phishing attack under HIPAA Rules, and comes just weeks after another settlement with a Massachusetts medical management company for a ransomware attack affecting 206,695 individuals.
  • These settlements serve as a reminder for all health care entities to regularly review and update their risk analysis, implement audit controls, utilize multi-factor authentication, and provide ongoing workforce training to mitigate the impact of cyber-attacks.
  • In addition to a $100,000 settlement, the agreement with the medical management company requires them to operate in accordance with a Corrective Action Plan (CAP) for three years, which includes updating their risk analysis and implementing security measures.
  • The health care industry continues to be a prime target for cyber threats, with a significant increase in reported breaches involving hacking and ransomware. Organizations should seek qualified legal counsel and regularly review their compliance practices to prepare for potential breaches or regulatory investigations.

The New Health Privacy Landscape—Out of the Frying Pan and Into the Fire

From Perkins Coie, by Stephanie Duchesneau, Susan Fahringer, Meredith Halama, Janis Kestenbaum:

  • The legal landscape around health privacy has become much more complex in recent years, with more entities and types of data now subject to regulation and enforcement.
  • The FTC has taken a broader view of what constitutes sensitive health data and has pursued more enforcement actions around the sharing of such data with third parties like ad tech companies. 
  • Several states like Washington, New York, Nevada, and Connecticut have passed new consumer health privacy laws restricting certain uses of geofencing and health data.
  • HHS and the FTC have also issued new guidance clarifying that certain data sharing practices of HIPAA-covered entities may violate privacy rules.
  • All entities should review their health privacy practices given this changing legal landscape to ensure compliance and avoid litigation and enforcement risks.

Patient Privacy: Preventing Data Leakage in Healthcare

From Security Boulevard, by Chantel Rodrigues:

  • Tracking pixels are tiny, invisible images or code snippets embedded in web pages, emails, or mobile apps. They can be used for legitimate purposes, such as monitoring website traffic, measuring user engagement, and improving user experience.
  • They can also lead to data leakage and privacy breaches, which can constitute HIPAA violations if they compromise patient privacy or security.
  • Identify all pixels and trackers on your web pages and remove the ones that are unnecessary or could be reading sensitive data.
  • Implement JavaScript security controls throughout both the development and Application Security (AppSec) lifecycles.
  • If you do use tracking technologies, ensure they only use and share protected health information (PHI) following HIPAA Privacy Rule guidelines.
  • If you use technology vendors, establish a robust business associate agreement (BAA) to protect PHI.
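One way to do the inventory step above, as an added example that is not the Security Boulevard article's code. It scans a page as rendered HTML (a saved snapshot or a template), lists every `img`, `script` and `iframe` that requests a third-party host, and flags the ones that look like pixels or whose query string carries page context or identifiers, which is how a condition-specific URL or a patient's email reaches an ad-tech vendor. The first-party host, the tracker hosts, the parameter names and the sample page are all constructed assumptions.

```python
"""Inventory third-party trackers in a page and flag the ones that could
carry PHI. Added example, not the Security Boulevard article's code.

Hosts, parameter names and the sample page are constructed assumptions; the
parameter names stand in for the common ways trackers receive the page URL,
referrer and user identifiers.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

FIRST_PARTY_HOST = "portal.example-hospital.org"   # assumed first-party host
CONTEXT_KEYS = {"dl", "url", "ref", "referrer", "rl", "em", "email", "uid", "patient_id"}

# Constructed sample page: a first-party image, two pixels from fictional
# ad-tech hosts, a third-party analytics script that carries nothing, and a
# relative first-party script.
SAMPLE_HTML = """
<html><body>
<img src="https://portal.example-hospital.org/static/logo.png" width="120" height="40">
<img src="https://pixel.example-adtech.com/tr?id=1001&amp;ev=PageView&amp;dl=https%3A%2F%2Fportal.example-hospital.org%2Fconditions%2Fhiv%2Fschedule&amp;em=a.patient%40mail.example"
     width="1" height="1" style="display:none">
<script src="https://tags.example-analytics.com/tag.js?id=T-42"></script>
<script src="/js/app.js"></script>
<iframe src="https://collect.example-adtech.com/c?ref=%2Fconditions%2Fhiv%2Fschedule" width="1" height="1"></iframe>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect every tag that triggers a request through its src attribute."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("img", "script", "iframe") and attrs.get("src"):
            self.resources.append((tag, attrs["src"], attrs))


def scan(html, first_party_host):
    """Return one finding per third-party resource: tag, host and the reasons
    it merits review (empty reasons means inventory only, still worth a look)."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, src, attrs in collector.resources:
        u = urlparse(src)
        if not u.netloc or u.netloc == first_party_host:
            continue                      # relative or first-party: not tracker egress
        reasons = []
        if tag in ("img", "iframe") and attrs.get("width") == "1" and attrs.get("height") == "1":
            reasons.append("1x1 tracking pixel")
        if "display:none" in attrs.get("style", "").replace(" ", ""):
            reasons.append("hidden element")
        query = parse_qs(u.query)         # percent-decodes values, e.g. %40 -> @
        context = sorted(k for k in query if k in CONTEXT_KEYS)
        if context:
            reasons.append("sends page context/identifiers: " + ", ".join(context))
        for key, values in query.items():
            if any("@" in v for v in values):
                reasons.append("email-like value in " + key)
        findings.append({"tag": tag, "host": u.netloc, "reasons": reasons})
    return findings


def flagged_hosts(findings):
    """Hosts with at least one reason, deduplicated and sorted."""
    return sorted({f["host"] for f in findings if f["reasons"]})


if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, FIRST_PARTY_HOST):
        print(f["tag"], f["host"], "; ".join(f["reasons"]) or "(inventory only)")
```

The analytics script shows up with no reasons: it is still third-party and still in the inventory, so it gets the "is this necessary" review rather than an automatic pass. A static scan only sees what is in the markup; trackers injected at runtime by a tag manager need the same inventory taken from the browser's network log.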

Healthcare AI and HIPAA Compliance

From AI in Healthcare, by Dave Pearson:

  • AI can accumulate a large amount of data from many sources. Using large datasets, AI can realistically re-identify previously de-identified healthcare data.
  • Under the HIPAA de-identification safe harbor, even if you remove the 18 specific identifiers, you cannot have actual knowledge that the information could be used alone or in combination with other information to identify patients. Is it possible to meet that standard in the age of AI?
  • This is an evolving area. These issues and others will continue to develop for years to come.