COVID-19 has quickly accelerated our expectations that digital connection can ship higher and extra economical care. As a end result, digital well being corporations have an unprecedented alternative to innovate, however with that chance additionally comes important regulatory challenges associated to the gathering and processing of private well being data. What authorized necessities apply to the processing of well being data? What are the dangers related to noncompliance? In this transient primer, we offer solutions to those questions, and a window to what might lay subsequent on the horizon.
Frequently Asked Questions
What federal legal guidelines might apply to digital well being corporations, and what do they often require?
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal legislation that protects sure well being data. When contemplating whether or not HIPAA applies to your actions, it’s best to begin with the query “who is holding the information?” slightly than, “what is the nature of the information?”
HIPAA applies to “covered entities,” that are healthcare suppliers, well being plans (insurers), and healthcare clearing homes:
Healthcare Providers | Health Plans | Healthcare Clearing Houses |
This contains suppliers akin to:
if they transmit any data in an digital type in reference to a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a typical. |
This contains:
|
This contains entities that course of nonstandard well being data they obtain from one other entity into a typical (i.e., a typical digital format or knowledge content material), or vice versa. |
Covered entities outsource many of their operations and features to service suppliers. If you’re a service supplier who creates, receives, maintains, or transmits “protected health information” (or “PHI”) for or on behalf of a lined entity, you might be probably a “business associate” to the lined entity and should adjust to relevant components of HIPAA. Traditional examples of enterprise associates embrace corporations that assist suppliers invoice for their companies and corporations that host PHI within the cloud. Today, nonetheless, any cutting-edge tech firm that processes PHI as half of their service could also be a enterprise affiliate and needs to be occupied with whether or not they should adjust to HIPAA. This contains every little thing from SaaS platforms to wearable affected person gadgets.
Among different issues, HIPAA requires lined entities and enterprise associates to: (i) develop and implement HIPAA-specific insurance policies and procedures that deal with the privateness, safety, and breach notification necessities of the HIPAA rules; (ii) conduct and doc a safety danger evaluation and danger administration plan, which usually entails a full safety audit of their data safety programs; (iii) enter into Business Associate Agreements with all of their lined entity prospects and enterprise affiliate distributors (as relevant); and (iv) present and doc HIPAA coaching yearly to all of their workforce members.
The FTC Act
Regardless of whether or not you’re a lined entity or enterprise affiliate, you might be lined by the Federal Trade Commission (FTC) Act, which prohibits misleading or unfair practices. Your practices could also be misleading if, for instance, your privateness coverage or different public statements don’t match your precise practices with respect to client knowledge. The FTC has said that disclosing delicate well being data with out discover and consent could also be an unfair apply. Additionally, failing to keep up cheap safeguards to guard well being data in opposition to breaches may additionally be an unfair apply. The FTC Act covers entities throughout all sectors of the economic system; nonetheless, it doesn’t apply to nonprofit entities or entities engaged within the enterprise of insurance coverage.
The FTC’s Health Breach Notification Rule
Once an obscure legislation, the FTC is now looking for to increase its Health Breach Notification Rule to cowl a quantity of digital well being corporations, akin to builders of well being apps and linked gadgets, by means of a current coverage assertion increasing the scope of the rule to cowl such entities. If this legislation applies to you, you need to notify customers and the FTC within the occasion of a breach, which is outlined broadly to incorporate any disclosure of well being data not licensed by a client. In addition to safety breaches, you need to notify customers if, for instance, you inadvertently shared their well being data past their consent.
The Food, Drug, and Cosmetic Act
The Food and Drug Administration (FDA) enforces the Federal Food, Drug, and Cosmetic (FD&C) Act, which, amongst different issues, regulates the security and effectiveness of medical gadgets. In sure circumstances, “medical devices” contains cell medical apps and different digital well being merchandise and companies. The FDA focuses its regulatory oversight on regulated gadgets that pose the next danger to an individual’s security if they do not work as supposed. For instance, corporations growing a services or products containing algorithms to complement scientific selections needs to be conscious of the FDA’s steering relating to “clinical decision support” and “software as a medical device” to know the regulatory implications of their product improvement.
The False Claims Act
If you’re a healthcare supplier or enterprise affiliate that submits claims to the U.S. authorities, the U.S. Department of Justice (DOJ) may additionally pursue you for violations of the False Claims Act when you 1) knowingly present poor cybersecurity services or products; 2) knowingly misrepresent cybersecurity practices or protocols; or 3) knowingly violate obligations to observe and report cybersecurity incidents and breaches.
Recognizing the overlap amongst these federal legal guidelines, the FTC, U.S. Department of Health and Human Services (HHS), and the FDA have put forth an interactive software on their web sites to assist entities decide which federal legal guidelines apply to them. However, given the complexity of these federal legal guidelines, we strongly counsel that you simply seek the advice of with authorized counsel for recommendation earlier than making any such determinations.
What state legal guidelines might apply?
In addition to federal privateness legal guidelines, you may also be topic to state privateness legal guidelines that govern the gathering, use, and disclosure of well being data. These legal guidelines usually fall into 4 classes. First, sure states have complete well being privateness legal guidelines that transcend the necessities of HIPAA. For instance, California’s Confidentiality of Medical Information Act (CMIA) imposes obligations extra restrictive than HIPAA and may additionally cowl entities that in any other case fall outdoors of HIPAA’s jurisdiction (e.g., healthcare suppliers that don’t electronically invoice insurance coverage).
Second, if you’re not topic to HIPAA however meet sure threshold necessities, you might be topic to a number of of the excellent common privateness legal guidelines enacted in California, Virginia, Colorado, Utah, and Connecticut. These legal guidelines present their residents with rights with respect to their private data, for instance, the suitable to entry their private data and the suitable to have such private data deleted. Starting in 2023, California’s legislation will even apply to worker data, akin to COVID vaccination data.
Third, sector- or issue-specific privateness legal guidelines might apply to you, akin to: Illinois’ Biometric Information Privacy Act (BIPA); state legal guidelines governing the gathering, use, and disclosure of HIV/AIDS-related data; state knowledge safety and knowledge breach notification legal guidelines; and state legal guidelines governing knowledge brokers, akin to California’s Shine the Light legislation.
Finally, state attorneys common can implement their very own state prohibitions in opposition to unfair or misleading practices.
What are some of the dangers of noncompliance?
If you are lined by HIPAA, you might be topic to civil penalties ranging within the quantity of $100 to $50,000 per violation, with a most penalty of $1.5 million for all similar violations in the identical yr. The vary of penalties are based mostly on 4 tiers, and the tiers are based mostly on the severity of the violation. The HHS Office for Civil Rights (OCR) is charged with imposing HIPAA. (State attorneys common even have authority to carry civil actions on behalf of state residents for violation of the HIPAA Privacy and Security Rules.) So far this yr, OCR has introduced enforcement actions within the following areas:
- Patients’ proper to entry their very own protected well being data: HHS launched a Right of Access Initiative in 2019, which has thus far resulted in 27 enforcement actions. The two newest access-related enforcement actions—during which healthcare suppliers didn’t well timed present sufferers with copies of their medical information upon request—resulted in roughly $30,000 in penalties.
- Unauthorized disclosure of protected well being data: In March 2022, OCR introduced an enforcement motion arising from a healthcare supplier’s unauthorized disclosure of a affected person’s identify and medical historical past in response to a detrimental overview posted by the affected person on the healthcare supplier’s Google webpage. The impermissible disclosure resulted in a $50,000 civil cash penalty.
If you might be inside the FTC’s jurisdiction and violate the Health Breach Notification Rule, the FTC can search fines of as much as $40,792 per violation per day. Although the FTC can’t search first-time penalties for violations of the FTC Act, it might companion with the states to hunt financial reduction. Notably, the FTC has been aggressively looking for non-monetary injunctive reduction in opposition to digital well being corporations it finds to be violating the FTC Act. For instance, final yr, the FTC alleged that the menstruation and fertility app Flo shared delicate well being data with third events in violation of its guarantees to customers. The Order required that the app ship discover to all present prospects in regards to the enforcement motion. Other FTC circumstances have required corporations to delete algorithms which were enriched by purportedly unlawfully obtained knowledge.
In October 2021, the DOJ introduced the launch of its Civil Cyber-Fraud Initiative to fight new and rising cyber threats. In March 2022, the DOJ introduced its first settlement underneath its newly created Cyber-Fraud Initiative, which makes use of the False Claims Act to pursue entities and people that put U.S. data or programs in danger. The case focused Comprehensive Health Services LLC (CHS), which contracted to offer medical assist companies to the U.S. authorities overseas in Iraq and Afghanistan. The DOJ alleged that CHS violated the False Claims Act by submitting claims for a purportedly safe EMR system to retailer all sufferers’ medical information, when actually sufferers’ medical information weren’t being persistently saved in a safe method. The DOJ fined CHS $930,000.
State attorneys common are additionally lively in imposing privateness violations. For instance, in September 2020, the California legal professional common introduced a settlement in opposition to digital well being firm Glow, Inc. for $250,000 for, amongst different issues, failing to adequately safeguard its customers’ well being data and permitting entry to customers’ well being data with out their consent, in violation of the CMIA and California unfair competitors legal guidelines.
How can I keep away from regulatory scrutiny?
The finest approach to keep away from regulatory scrutiny is to ensure you have a robust data safety and privateness compliance program in place. You ought to take steps akin to:
- Designating somebody to supervise your data practices.
- Conducting a knowledge mapping train so that you simply perceive what data you might be gathering, what you might be utilizing it for, and who you might be sharing it with.
- Evaluating which privateness legal guidelines apply to the data you course of and addressing compliance for every.
- Including contractual provisions addressing use of data in your agreements with service suppliers and third events.
- Conducting inner worker coaching.
- Reviewing your claims associated to the processing of people’ data.
I do not instantly acquire private data from customers, however I develop software program that processes my shoppers’ client data to assist make selections about these customers. What dangers do I must be conscious of, and how ought to I deal with them?
Please seek advice from our consumer advisory on these points, which lays out potential further authorized necessities that will apply and how one can mitigate danger.
I’ve heard about cybersecurity assaults, and particularly, ransomware assaults, within the healthcare sector. What ought to I do to mitigate these dangers?
The federal companies talked about above have offered steering, together with by means of enterprise schooling supplies and enforcement actions, on how one can safe well being data (and another private data you preserve). Here are some suggestions:
- Designate a person with duty to supervise your safety program.
- Conduct a danger evaluation. Understand the inner and exterior dangers to your programs and the well being data in your programs to develop insurance policies, procedures, and safeguards which are applicable for you.
- Know what’s in your community. Maintain a list of the software program and {hardware} property which have entry to your community. A misconfigured server or susceptible software program model is a standard means that dangerous actors get into networks.
- Don’t acquire well being data you do not want, and dispose of it securely whenever you not want it. No one can steal data you do not have.
- Restrict entry to well being data. It’s necessary to limit entry to well being data to these staff and contractors which have a must entry it and as a minimum degree of privilege essential to carry out their job duties. Use software program that enables for separate environments and instruments like firewalls to phase networks to be able to restrict entry between computer systems in your community and computer systems and the web.
- Implement strong authentication. Require advanced passwords for laptops, tablets, and smartphones. Require multi-factor authentication wherever it’s accessible. Implement insurance policies to limit entry to lively customers and lively consumer accounts, and droop or disable accounts after repeated login makes an attempt.
- Encrypt private well being data in transit and at relaxation.
- Implement controls designed to observe and log exercise of licensed customers and detect unauthorized entry.
- Regularly take a look at the effectiveness of your controls. Test for generally identified and fairly foreseeable vulnerabilities.
- Train personnel. Provide particular coaching to engineers and individuals who can entry delicate knowledge. Provide coaching to all personnel on how one can safeguard in opposition to frequent assault vectors, akin to phishing.
- Put in place procedures to maintain safety present. For instance, replace and patch third-party software program. Have a system in place to heed credible safety warnings.
- Oversee service suppliers. Conduct due diligence on service suppliers to verify they’re succesful of sustaining cheap safeguards. Have contractual provisions that require cheap safety and take steps to confirm compliance.
- Have a plan in place in case one thing does go unsuitable. Implement an incident response plan that paperwork the method to establish, comprise, remediate, and escalate incidents involving unauthorized entry to or use of well being data. Maintain enterprise continuity plans to get well from ransomware assaults or different disruptions to companies, together with backing up well being data and periodically testing and restoring backups.
I’m not within the healthcare sector, however I acquire COVID vaccination data from my staff. How ought to I mitigate dangers?
The FTC just lately issued enterprise steering on this concern, which could be discovered right here.
What if I wish to assist affect authorities insurance policies on this space? How can I get entangled?
Agencies typically launch proposed insurance policies for public remark. For instance, on April 6, 2022, OCR issued a Request for Information (RFI) to higher perceive how HIPAA-regulated entities (i.e., lined entities and enterprise associates) implement “recognized security practices.” The RFI is available in gentle of a January 2021 modification to the HITECH Act that requires the Secretary of HHS to think about entities’ “recognized security practices” when making determinations relating to fines, audits, and cures to resolve potential violations of the HIPAA Security Rule. Entities which have applied “recognized security practices” might cut back penalties and corrective motion obligations levied in opposition to them within the occasion of a HIPAA violation. Comments to the RFI should be submitted on or earlier than June 6, 2022.
The FTC has additionally famous in its public assertion of regulatory priorities for 2022 {that a} overview of the Health Breach Notification Rule is ongoing. It might concern a Notice of Proposed Rulemaking, looking for feedback on proposed adjustments to the rule.
The FTC can also be anticipated to embark on a complete privateness rulemaking. On December 10, 2021, the FTC introduced that it was “considering initiating a rulemaking…to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” The FTC will probably formally launch a rulemaking continuing quickly.
For extra data, please contact Maneesha Mithal, Tracy Shapiro, Georgia Ravitz, Haley Bavasi, Hale Melnick, or one other member of the agency’s privateness and cybersecurity or digital well being practices.