Categories
Health Law Highlights

HTI-1 Final Rule in Effect

From The HIPAA Journal, by Steve Alder:

The Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule, issued by the HHS’ Office of the National Coordinator for Health Information Technology (ONC), took effect on February 8, 2024. It implements provisions of the 21st Century Cures Act and updates the ONC Health IT Certification Program with new standards for AI systems.

The Final Rule is designed to advance ONC-certified health IT interoperability, algorithm transparency, and data standardization. It aims to improve patient outcomes and reduce healthcare costs by promoting the safe, secure, and trustworthy development of AI.

The Final Rule introduces new transparency requirements for AI and other predictive algorithms within ONC-certified health IT. It allows clinical users to access a consistent set of information about the algorithms and assess them for fairness, validity, effectiveness, and safety.

It adopts the United States Core Data for Interoperability (USCDI) Version 3 (v3) as the new baseline standard within the ONC Health IT Certification Program. Developers of certified health IT have until January 1, 2026, to transition to USCDI v3.

The Final Rule introduces new information blocking requirements and definitions, adds a new exception to support information sharing, and introduces new interoperability-focused reporting metrics. It is crucial that IT systems, information sharing policies, data collection, and reporting practices are assessed to ensure compliance with these new requirements.


Wellness Apps and Privacy

From Seyfarth Shaw LLP, by Diane Dygert:

  • Employers are increasingly interested in providing wellness tools, such as apps and wearables, to enhance employee benefits. These tools, which cover various areas like mental health, physical fitness, and financial fitness, are relatively inexpensive and easily accessible.
  • The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. However, this only applies to data created or maintained by a “covered entity”, usually healthcare providers or health plans. Many wellness apps are not developed by such entities, and therefore, their data may not be protected by HIPAA.
  • If a wellness app is provided as part of an employer’s health plan, the underlying data collected may be considered HIPAA Protected Health Information (PHI). In such cases, the wellness vendor and the health plan must enter into a HIPAA compliant business associate agreement outlining the uses and security measures for the PHI.
  • State laws may also impact the privacy of health data collected through wellness apps. Several states are passing their own privacy laws to cover health data privacy gaps in HIPAA’s scope. However, most of these laws exclude information collected in the scope of an employment relationship, and the extent of these exclusions is not yet clear.
  • Employers deploying wellness apps should consider privacy implications at both federal and state levels before implementation. Failure to do so could potentially lead to privacy law liability.

7 HIPAA Predictions For 2024

From Becker’s Hospital Review, by Madeline Ashley:

  • The Office for Civil Rights (OCR) is expected to increase enforcement actions for violations of HIPAA security and breach notification rules, with a predicted record number of civil monetary penalties and settlements in 2024.
  • The HIPAA right of access will continue to be a focus for OCR enforcement due to its straightforward nature and minimal resource requirement for investigations.
  • An update to the HIPAA security rule is anticipated in spring 2024, likely introducing new mandatory cybersecurity measures, including stricter access control requirements such as mandatory multi-factor authentication.
  • Following the overturning of Roe v. Wade, a new rule on the disclosure of reproductive health information is expected, limiting its use to specific purposes such as payment, healthcare operations, treatment, and legal investigations related to reproductive healthcare services.
  • The American Hospital Association’s lawsuit against OCR’s tracking technologies guidance could lead to the first enforcement action regarding the use of tracking technologies on hospital websites in 2024. If the lawsuit is successful, further rulemaking on tracking technology is expected to enhance patient privacy.
  • The Centers for Medicare &amp; Medicaid Services (CMS) is projected to introduce cybersecurity requirements as a condition of participation in its programs.
  • State attorneys general are expected to increase HIPAA compliance enforcements, imposing additional financial penalties on healthcare organizations failing to meet minimum cybersecurity standards.

Is Apple Pay HIPAA Compliant?

From The HIPAA Journal, by Steve Alder:

  • Apple Pay and HIPAA Compliance: Despite not being HIPAA compliant, Apple Pay can be used by healthcare providers and health plans to collect payments. The service is exempt from HIPAA under §1179 of the HIPAA Act, which applies to entities engaged in payment processing activities.
  • How Apple Pay Works: Apple Pay is a mobile payment service that uses a unique Device Account Number for each card registered in the Apple Wallet app. The service facilitates online, in-app, and contactless payments without sharing the user’s credit or debit card details with the recipient.
  • Privacy and Protected Health Information (PHI): Due to the unique way Apple Pay operates, neither the recipient nor Apple has access to information that could identify the user or their purchase details. As such, information sent through Apple Pay does not qualify as PHI.
  • Exceptions and Limitations: The HIPAA exemption only applies to the payment facilitation aspect of Apple Pay. Covered entities and business associates should not store individually identifying health information in the Apple Wallet app, as Apple will not sign a Business Associate Agreement. Any third-party integrations with Apple Pay used for payment reconciliation must be HIPAA compliant.

Key Considerations for Healthcare Providers Responding to Law Enforcement Requests

From Quarles & Brady LLP, by Simone Colgan Dunlap, Sarah Coyne, Kaitlyn Fydenkevez, Meghan O’Connor:

  • Current HIPAA rules permit healthcare providers to disclose protected health information (PHI) to law enforcement under specific circumstances, such as to comply with a court order, respond to an administrative request, or in cases of identifying a suspect or victim, among others.
  • Providers must also be aware of more stringent state laws, particularly when it comes to “sensitive” categories of data like mental health records or sexual/reproductive health data. Any disclosure must meet the requirements of both HIPAA and state law.
  • Providers should ensure that staff understand organizational policies and procedures regarding law enforcement requests, and should watch for the final rule on HIPAA disclosure requirements. The Senate Finance Committee’s letter calls for broader protection, which may influence the final rule, particularly in relation to pharmacy disclosure of prescription data to law enforcement.

Is Stripe HIPAA Compliant?

From The HIPAA Journal, by Steve Alder:

  • Stripe’s Non-HIPAA Compliance: Despite being compliant with various US and international data privacy regulations, Stripe is not HIPAA compliant. This is due to its method of recording personal data within transaction data, which is then used for fraud detection and shared with third-party payment providers, some of which have questionable security and privacy practices.
  • Payment Processing Exemption: Stripe can process payments without violating HIPAA because of an exemption provided by the Social Security Act (§1179), which excludes financial transactions from HIPAA’s Administrative Simplification Regulations. However, this exemption only applies to payment processing and not to other activities, such as fraud detection, without a Business Associate Agreement (BAA) in place.
  • Stripe’s BAA Limitation: Stripe cannot enter into a BAA with HIPAA covered entities and business associates because some of its third-party payment providers, like Coinbase and PayPal, will not enter into a BAA with Stripe. This makes Stripe non-HIPAA compliant.
  • Stripe’s Global Compliance: As a global payment processing platform, Stripe must adhere to various consumer protection regulations and licensing requirements worldwide, leading it to restrict or prohibit certain types of business activities, including collecting payments for certain healthcare services.
  • Violating Stripe’s Terms and Conditions: If a business violates Stripe’s Terms and Conditions, which include a list of restricted business activities, Stripe can immediately terminate access to its payment processing platform. Therefore, businesses considering Stripe should thoroughly review its Terms and Conditions and related documentation to understand their obligations.

HHS Issues First Settlement for HIPAA Violations Related to a Ransomware Attack

From Hall Benefits Law, by Anne Tyler Hall:

  • The U.S. Department of Health and Human Services (HHS) reached a settlement with a Massachusetts-based medical management company for alleged violations of HIPAA’s Privacy and Security Rules. The company, a HIPAA business associate, will pay $100,000 and comply with a three-year corrective action plan (CAP).
  • The investigation began in 2019, following the company’s notification to HHS about a Gandcrab ransomware attack that had occurred two years prior. The attack, discovered 18 months after it happened, affected the electronic Protected Health Information (ePHI) of over 206,000 individuals.
  • HHS found that the company violated HIPAA rules by disclosing individuals’ ePHI without authorization and failing to perform a thorough risk analysis, regularly review information system activity, and establish compliant security policies and procedures.
  • The CAP requires the company to revise its HIPAA policies and procedures, addressing issues like security awareness, training, and regular review of information system activities. The company must distribute these revised policies to all workers who use or disclose ePHI, and promptly report any noncompliance to HHS.
  • The CAP also mandates that the company conduct a thorough risk analysis of potential risks and vulnerabilities concerning its existing system for storing ePHI. The company must document its security measures, adopt a risk management plan, and submit annual reports to HHS throughout the three-year duration of the CAP.

OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

From Taft Stettinius & Hollister LLP, by Ike Willett & Cory Brennan:

  • On December 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group following a phishing attack that affected the PHI of approximately 34,862 individuals.
  • This marks the first OCR settlement involving a phishing attack under the HIPAA Rules, and comes just weeks after another settlement with a Massachusetts medical management company for a ransomware attack affecting 206,695 individuals.
  • These settlements serve as a reminder for all health care entities to regularly review and update their risk analysis, implement audit controls, utilize multi-factor authentication, and provide ongoing workforce training to mitigate the impact of cyber-attacks.
  • In addition to a $100,000 settlement, the agreement with the medical management company requires them to operate in accordance with a Corrective Action Plan (CAP) for three years, which includes updating their risk analysis and implementing security measures.
  • The health care industry continues to be a prime target for cyber threats, with a significant increase in reported breaches involving hacking and ransomware. Organizations should seek qualified legal counsel and regularly review their compliance practices to prepare for potential breaches or regulatory investigations.

Feds Levy First-Ever HIPAA Fine for a Phishing Breach

From Govinfo Security, by Marianne Colbasuk McGee:

  • The Department of Health and Human Services has issued the first ever HIPAA fine for a phishing breach, highlighting the importance of cybersecurity in the healthcare industry.
  • The fine was imposed on a medical practice that failed to adequately protect its patients’ sensitive information, allowing a phishing attack to compromise the data of over 17,000 individuals.
  • The incident serves as a reminder for healthcare organizations to implement strong security measures, including employee training and robust email security protocols, to prevent similar breaches from occurring.
  • The HHS Office for Civil Rights (OCR) has emphasized the need for healthcare entities to conduct regular risk assessments and implement appropriate safeguards to protect patient data.
  • This case also highlights the OCR’s commitment to enforcing HIPAA regulations and holding organizations accountable for their failure to secure sensitive information.

Patient Privacy: Preventing Data Leakage in Healthcare

From Security Boulevard, by Chantel Rodrigues:

  • Tracking pixels are tiny, invisible images or code snippets embedded in web pages, emails, or mobile apps. They can be used for legitimate purposes, such as monitoring website traffic, measuring user engagement, and improving user experience.
  • They can also lead to data leakage and privacy breaches, which can constitute HIPAA violations if they compromise patient privacy or security.
  • Identify all pixels and trackers on your web pages and remove the ones that are unnecessary or could be reading sensitive data.
  • Implement JavaScript security controls throughout both the development and Application Security (AppSec) lifecycles.
  • If you do use tracking technologies, ensure they only use and share protected health information (PHI) following HIPAA Privacy Rule guidelines.
  • If you use technology vendors, establish a robust business associate agreement (BAA) to protect PHI.
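As an added illustration of the “identify all pixels and trackers on your web pages” step (example code written for this digest, not from the Security Boulevard article), the following Node.js inventory pass scans a page’s HTML for third-party loaders and hidden or 1×1 images, each of which sends the page URL to its host as a Referer and so is a candidate for review or removal. The first-party host allowlist and the sample page are constructed assumptions.

```javascript
// Hosts the organisation itself controls; everything else counts as third party (assumed values).
const FIRST_PARTY_HOSTS = new Set(["www.example-clinic.test", "static.example-clinic.test"]);

// Crude tag/attribute scanner: sufficient for an inventory pass, not a full HTML parser.
const TAG_RE = /<(img|script|iframe)\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return attrs;
}

// A "pixel" is an image the visitor is never meant to see: 1x1, or hidden via inline style.
function isPixelSized(attrs) {
  const style = (attrs.style || "").replace(/\s/g, "").toLowerCase();
  return (attrs.width === "1" && attrs.height === "1") || /display:none|visibility:hidden/.test(style);
}

// Returns one finding per img/script/iframe that loads from a third party or is pixel-shaped.
// Each such element receives the page URL as Referer (often more), so each is a review item.
function inventoryTrackers(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (!attrs.src) continue;
    let host;
    try { host = new URL(attrs.src, pageUrl).hostname; } catch { host = "(invalid)"; }
    const thirdParty = !FIRST_PARTY_HOSTS.has(host);
    const pixel = tag === "img" && isPixelSized(attrs);
    if (thirdParty || pixel) findings.push({ tag, host, thirdParty, pixel, src: attrs.src });
  }
  return findings;
}

// Constructed sample page (not a real site): a legitimate logo and script among trackers.
const SAMPLE_PAGE = "https://www.example-clinic.test/appointments/oncology";
const SAMPLE_HTML = `
<html><body>
<img src="/img/logo.png" width="200" height="60">
<img src="https://pixel.adnetwork.test/collect?id=123" width="1" height="1">
<img src="https://static.example-clinic.test/spacer.gif" style="display: none">
<script src="https://analytics.vendor.test/tag.js"></script>
<script src="/js/app.js"></script>
<iframe src="https://chat.vendor.test/widget"></iframe>
</body></html>`;

console.log(JSON.stringify(inventoryTrackers(SAMPLE_HTML, SAMPLE_PAGE), null, 2));
```

Running it on the sample lists four review items (the ad-network pixel, the hidden first-party spacer, the analytics script and the chat iframe) and skips the logo and the first-party script; each finding is then checked against the page’s HIPAA Privacy Rule analysis and the vendor’s BAA status.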