Don’t Call It a Breach Rule: FTC Health Breach Notification Rule Has Been Here for Years, Now Updated to Serve as a Backdoor Privacy Regulation

Summary of article from Wyrick Robbins Yates & Ponton LLP, by Lynn Percival IV:

In December 2021, the Federal Trade Commission (FTC) began a rulemaking process to update the Health Breach Notification Rule (HBNR), which mandates notice following a security breach of unsecured personal health records. The FTC has now finalized these updates, expanding the definition of a “breach of security” to include unauthorized uses and disclosures of health information. The updated rule also broadens the terms “personal health records” and “PHR identifiable health information,” potentially encompassing more websites, apps, and data repositories. The definition of “PHR related entity” has also been clarified, expanding the types of organizations subject to the rule. The updated rule will be effective 60 days after its publication in the Federal Register, with violations potentially resulting in significant civil penalties.

Kaiser Permanente Notifying 13.4 Million of Tracker Breach

Summary of article from Gov Info Security, by Marianne Kolbasuk McGee:

Kaiser Foundation Health Plan reported a data breach affecting 13.4 million individuals, caused by unauthorized access to and disclosure of information through its previous use of online tracking technologies on its websites and mobile applications. Personal information potentially transmitted to third-party vendors such as Google, Microsoft Bing, and Twitter includes IP addresses, names, account sign-in information, website navigation data, and search terms. No sensitive information such as usernames, passwords, Social Security numbers, or financial account details was disclosed. Kaiser Permanente has since removed these online technologies and implemented measures to prevent such incidents in the future. Despite no known misuse of the personal information, the organization will notify affected individuals directly in May out of caution.

Artificial Intelligence Highlights from FTC’s 2024 PrivacyCon

Summary of article from Sheppard Mullin Richter & Hampton LLP, by Carolyn Metnick, Gianfranco Spinelli:

PrivacyCon’s takeaways for healthcare organizations highlighted key considerations for the use of AI in healthcare, focusing on privacy themes, Large Language Models (LLMs), and AI functionality. The research identified four privacy concerns: the potential for data misuse, the personal nature of the data, a lack of awareness of and consent to data collection, and government surveillance. It also highlighted security, privacy, and safety concerns in LLM platforms, particularly with third-party applications, urging developers to prioritize these aspects. The fallacy of AI functionality, in which users trust AI output blindly without validating the underlying data, was identified as a major issue, especially in healthcare, where it can lead to misdiagnosis. The post concluded by emphasizing the need for healthcare organizations to establish governance and compliance committees to address these complex challenges and facilitate responsible AI development with privacy and ethical considerations in mind.

Comprehensive Federal Privacy Bill May Open Backdoor for HIPAA Private Right of Action

Summary of article from Fox Rothschild, by Elizabeth Litten:

The American Privacy Rights Act of 2024 (APRA) is a significant data privacy bill that aims to establish national data privacy rights and protections, superseding existing state data privacy laws. The Federal Trade Commission, states, and impacted individuals will enforce it. The bill includes a provision for entities subject to the Health Insurance Portability and Accountability Act (HIPAA), stipulating they must comply with HIPAA’s data privacy and security requirements. However, the bill leaves room for non-compliant entities to be subject to APRA’s robust enforcement mechanisms, including the right for individuals to sue for alleged HIPAA violations. Given the complexity and evolving nature of HIPAA compliance requirements, the stability of APRA’s HIPAA provisions may be uncertain.

Proposed FTC Order Will Prohibit Telehealth Firm Cerebral from Using or Disclosing Sensitive Data for Advertising Purposes, and Require It to Pay $7 Million

Cerebral, Inc., a telehealth company, has agreed to settle Federal Trade Commission (FTC) charges over its failure to secure and protect sensitive consumer health data. The settlement includes a $7 million fine for disclosing consumers’ personal health information to third parties for advertising purposes and failing to uphold its cancellation policies. The FTC claimed that Cerebral violated privacy rights by revealing sensitive mental health conditions across the internet and in the mail. The proposed order will restrict Cerebral’s use and disclosure of sensitive consumer data and require the company to implement a comprehensive privacy and data security program. The order, which must be approved by a court, also mandates that Cerebral provide an easy way for consumers to cancel services.

Online Tracking Technologies: Updated HIPAA Guidance Creates Uncertainty

From Morgan Lewis, by W. Reece Hirsch, Amy M. Magnano, Michael J. Madderra, Sydney Reed Swanson:

The US Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) updated its guidance on the use of online tracking technologies, causing further uncertainty for HIPAA-covered entities. OCR acknowledges that tracking technologies, such as cookies and web beacons, can unintentionally capture protected health information (PHI), thus implicating HIPAA. The updated guidance states that individually identifiable health information (IIHI) collected on a regulated entity’s website or app is generally considered PHI, even without specific treatment or billing details. The guidance differentiates between authenticated and unauthenticated pages, warning that PHI could be accessible even on unauthenticated pages. The update presents a compliance challenge for HIPAA-regulated entities, as discerning the subjective intent of website visitors is difficult, and entities must also consider other federal and state laws where HIPAA does not apply.

Healthcare Highlights from FTC’s 2024 PrivacyCon

From SheppardMullin, by Carolyn Metnick, Carolyn Young:

The Federal Trade Commission’s annual PrivacyCon highlighted three healthcare privacy research projects: the use of tracking technologies by healthcare providers, women’s privacy concerns in the post-Roe era, and the propagation of bias through large language models (LLMs). One key finding was the extensive use of tracking technologies on hospital websites, which can reveal personal health information and potentially be exploited. Despite the serious implications, healthcare data privacy concerns are largely overlooked by users. The event also underscored how biases in LLM training data can lead to biased healthcare outcomes. The key takeaway was the need for transparency in handling healthcare data, including clear policies around data collection and usage, compliance with HIPAA and FTC rules, and accurate privacy notices for users.

Large Health System Agrees To Pay $200,000 as Part of OCR’s Fourteenth Right of Access Initiative Settlement

In its first enforcement action of 2021, on January 12th, the United States Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a settlement with Banner Health, its fourteenth enforcement action under its HIPAA Right of Access Initiative (the “Initiative”). OCR announced the Initiative in 2019 to ensure that individuals can access their health information easily, in a timely manner, and at a reasonable cost, as required by the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. In 2020, OCR announced eleven settlements as part of the Initiative, most recently against a primary care provider. The Initiative has resulted in settlements with providers of all sizes.

Source: Large Health System Agrees To Pay $200,000 as Part of OCR’s Fourteenth Right of Access Initiative Settlement

HIPAA Safe Harbor Bill Becomes Law; Requires HHS to Incentivize Security

On January 5, the President signed H.R. 7898, the HIPAA Safe Harbor Bill, into law. The law amends the HITECH Act to require HHS to incentivize best-practice security.

The legislation directs HHS to take into account a covered entity’s or business associate’s use of recognized industry-standard security practices over the preceding 12 months when investigating and undertaking HIPAA enforcement actions or acting for other regulatory purposes.

The law also expressly notes that the HITECH changes do not give HHS the authority to increase fines or the extent of an audit when an entity is found to be out of compliance with the recognized security standards.

The law also corrected technical elements of the 21st Century Cures Act related to the information blocking enforcement authority of HHS’s Office of Inspector General (OIG). Specifically, under the new law, OIG is authorized to obtain information, assistance, and other support from federal agencies when investigating claims of information blocking by developers or entities that offer health information technologies.

Source: HIPAA Safe Harbor Bill Becomes Law; Requires HHS to Incentivize Security

Proposed Changes to HIPAA Privacy Rule

HHS has proposed several important changes to the HIPAA Privacy Rule to bring it in line with HHS’s Sprint Toward Coordinated Care initiative. These proposed changes are not yet final. Comments on the proposed rules are due within 60 days of their publication in the Federal Register.

  • Reducing the time that covered entities have to respond to a patient’s request to access his or her medical records to 15 calendar days (with the possibility of a 15-day extension);
  • Allowing an individual to take notes, videos, and photographs, and use other personal resources to capture Protected Health Information (“PHI”) in a designated record set when accessing PHI in person;
  • Changing the fee structure applicable to requests for access to PHI and adding a requirement that covered entities provide advance notice of approximate fees for copies of PHI;
  • Modifying the definition of “health care operations” to clarify that the term encompasses both individual-level and population-based care coordination and case management activities by health plans and covered health care providers;
  • Adding an exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management for an individual;
  • Expressly allowing covered entities to disclose PHI to social services agencies, community-based organizations, home and community-based service providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management;
  • Replacing the “professional judgment standard” with a “good faith standard” for certain disclosures of PHI allowed in the Privacy Rule;
  • Eliminating the requirement for a direct treatment provider to obtain written acknowledgment of receipt of the Notice of Privacy Practices (“NPP”) and adding an individual right to discuss the NPP with a person designated by the covered entity;
  • Expressly allowing covered entities and their business associates to disclose PHI to telecommunications relay service communications assistants; and
  • Expanding the current Armed Forces exception for covered entities to use and disclose PHI for mission requirements and veteran eligibility to all uniformed services personnel.

Source: Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement