Health Law Advisor

On April 1, 2024, the U.S. Department of Health and Human Services (“HHS”) released new guidance which requires hospitals to obtain informed consent from patients before practitioners, or medical or other students, perform important surgical tasks or sensitive or invasive procedures or examinations (“Guidance”). The Guidance aims to address increasing concerns over patient privacy, in particular the performance of sensitive examinations and invasive procedures on anesthetized patients.

The Guidance both revises the Hospital Interpretive Guidelines regarding ...

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Notably, the updated guidance replaces OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such ...

Healthcare organizations continue to be prime targets of cyberattacks. It is well-established that cyberattacks can lead to financial loss, reputational damage, and, in some cases, risks to patient care and safety. The recent and well-publicized cybersecurity incident affecting Change Healthcare further evidences these risks. As a result of the widespread and disruptive impact of this most recent cyberattack on the healthcare ecosystem, on March 5, 2024 the U.S. Department of Human Services (HHS) issued a public statement and has also announced that it opened an ...

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”).  New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.

Scope and Exemptions

SB 332 imposes obligations on “controllers”  – entities or individuals that determine the purpose and means of processing personal data – that ...

New York Governor, Kathy Hochul, recently announced proposed cybersecurity rules for New York hospitals, which are due to be imminently published in the State Register on December 6, 2023, subject to approval by the Public Health and Health Planning Council.  The Governor’s press release indicates the proposed regulations, if enacted, will require New York hospitals to meet at least the following requirements: 

• Establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks;
• Develop a response plan for potential cybersecurity ...

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and, in some cases, to foreign private issuers. As quoted in the SEC’s press release, SEC Commissioner Gary Gensler noted that many public companies already make cybersecurity disclosures to investors, and the Final Rule provides uniformity and structure for these future disclosures. The Final Rule also imposes a tight timeline for cybersecurity incident reporting and may include disclosure of an ongoing cybersecurity incident, as well as requiring periodic disclosures concerning organizational cybersecurity risk management processes and governance.

On July 13, 2023, the White House issued the first iteration of its National Cybersecurity Strategy Implementation Plan (the “Implementation Plan”), which will be updated annually. The two overarching goals of the Implementation Plan are to address the need for more capable actors in cyberspace to bear more of the responsibility for cybersecurity and to increase incentives to make investments in long-term resilience. The Implementation Plan is structured around the five pillars laid out in the White House’s National Cybersecurity Strategy earlier this year, namely: (1) defend critical infrastructure; (2) disrupt and dismantle threat actors; (3) shape market forces to drive security and resilience; (4) invest in a resilient future; and (5) forge international partnerships to pursue shared goals. The Implementation Plan identifies strategic objectives and high-impact cybersecurity initiatives under each pillar and designates the federal agency responsible for leading the initiative to meet each objective. The following summarizes some of the key initiatives included in the Implementation Plan that will directly impact critical infrastructure organizations, including healthcare, energy, manufacturing, information technology and financial services.

The 21st Century digital age has provided women with numerous sexual and reproductive health tools that track periods, ovulation, and pregnancy. By simply plugging certain health data inputs into these apps, women can now accurately track the most intimate moments of their lives. But is this sensitive health information secure?

On June 16, 2023, Nevada enacted Senate Bill 370 (“SB 370”), which imposes broad restrictions on the collection, use, and sale of consumer health data. This law is set to go into effect on March 31, 2024.

Recently, Florida Governor Ron DeSantis signed Senate Bill 262 and Senate Bill 264 into law. These new laws grant Floridians greater control over their personal data and establish a new standard for data handling and protection. Senate Bills 262 and 264 take effect on July 1, 2023.

A recent enforcement action by the Federal Trade Commission (“FTC”) against 1Health.io—which sells “DNA Health Test Kits” to consumers for health and ancestry insights—serves as a reminder that the FTC is increasingly exercising its consumer protection authority in the context of privacy and data protection. This is especially true where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not reach. The FTC’s settlement with 1Health.io highlights a wide-range of privacy and security issues companies should consider relating to best practices for updating privacy policies, data retention policies, configuration of cloud storage and vendor management, especially when handling sensitive genetic data. 

Introduction

Following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization overturning Roe v. Wade, the federal government, pursuant to President Biden’s Executive Order (the EO) took several steps to protect reproductive health privacy, some of which we previously discussed here. Specifically, the EO called for agencies to protect “women’s fundamental right to make reproductive health decisions.” Shortly following issuance of the EO, the Biden Administration created its HHS Reproductive Healthcare Access Task Force, requiring all relevant federal agencies to draft measurable actions that they could undertake “to protect and bolster access to sexual and reproductive health care.”  

On May 18, 2023, the Federal Trade Commission (FTC) filed a Notice of Proposed Rulemaking and Request for Public Comment (“NPRM”) seeking to amend the Health Breach Notification Rule (“HBNR”). We previously wrote about the FTC’s policy statement, in which the FTC took the position that mobile health applications that are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) are covered by the HBNR. In our post, we highlighted concerns raised in dissent by commissioner Noah Joshua Phillips that the FTC’s interpretation of “breach of security” was too broad. Commissioner Phillips has since resigned.

In the absence of a comprehensive federal data privacy law, state legislators continue to add to the often-contradictory array of laws aimed at protecting the security and privacy of their residents’ data. Very recently, Washington State’s My Health My Data Act was signed into law by Governor Jay Inslee in late April, Florida lawmakers passed Senate Bill 262 in early May, and the Tennessee Information Protection Act was signed into law earlier this month as well. While preparing this update, Montana’s enacted its Consumer Data Privacy Act on May 19^th, which we will address in subsequent guidance due to its recency. These newly enacted state laws build upon the growing patchwork of laws enacted in California, Connecticut, Colorado, Virginia, and Utah, all of which we previously discussed here and here. Yet, among these state laws there is significant variety, including inconsistencies as to whether the laws allow for private rights of action, and whether the laws provide affirmative defenses and other incentives based on compliance with relevant best practices.

In the absence of a federal law directly aimed at regulating artificial intelligence (AI), the Federal Trade Commission (FTC) is seeking to position itself as one of the primary regulators of this emergent technology through existing laws under the FTC’s ambit. As we recently wrote, the FTC announced the establishment of an Office of Technology, designed to provide technology expertise and support the FTC in enforcement actions. In a May 3, 2023 opinion piece published in the New York Times entitled “We Must Regulate A.I. Here’s How,” Lina Khan, the Chairperson of the FTC, outlined at least three potential avenues for FTC enforcement and oversight of artificial intelligence technology.

On April 11, 2023, U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced its plan for termination of the existing notifications of enforcement discretion related to the expiration of the COVID-19 public health emergency (PHE) on May 11, 2023. 

On February 17, 2023, the Federal Trade Commission (“FTC”) announced the creation of the Office of Technology (the “OT”), which will be headed by Stephanie T. Nguyen as Chief Technology Officer. This development comes on the heels of increasing FTC scrutiny of technology companies. The OT will provide technical expertise and strengthen the FTC’s ability to enforce competition and consumer protection laws across a wide variety of technology-related topics, such as artificial intelligence (“AI”), automated decision systems, digital advertising, and the collection and sale of data. In addition to assisting with enforcement matters, the OT will be responsible for, among other things, policy and research initiatives, and advising the FTC’s Office of Congressional Relations and its Office of International Affairs. 

The California Privacy Protection Agency Board (the “Board”) held a public meeting on February 3, 2023, adopting and approving the current set of draft rules (the “Draft Rules”), which implement and clarify the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”). The Draft Rules cover many CCPA requirements, including restrictions on the collection and use of personal information, transparency obligations, consumer rights and responding to consumer requests, and service provider contract requirements. At the meeting, the Board also addressed additional proposed rulemaking processes concerning cybersecurity audits, risk assessments, and automated decision-making. 

On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement. 

More than just New Year’s resolutions went into effect when the clock struck midnight on January 1, 2023. The California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCPDA”) are now effective in California and Virginia, respectively. These comprehensive data privacy laws, along with three other state laws going into effect this year, establish new and complex obligations for businesses. If your business has not taken steps to prepare for these privacy laws, it is high time to start that process to avoid violations and enforcement likely to follow later in the year. See below for a timeline of key dates.

On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) gives consumers increasingly more control over their personal information when collected by businesses subject to the law. We have previously discussed the compliance requirements of these data privacy laws on organizations doing business in California.[1] Significantly, CCPA/CPRA defines the term “consumer” to mean any California resident; which from a business perspective, such a broad definition encompasses not only the business’s individual customers, but also its employees, job-applicants or even business-to-business (B2B) contacts.  With the moratoriums currently in place for B2B and employee/applicant data sunsetting on January 1, 2023 and not likely to be extended, and the prospect for federal data privacy legislation with wide preemptive effect of state law looking less likely, businesses should be actively preparing to meet these expanded statutory obligations.

From the Diagnosing Health Care Podcast:  How have complaints of information blocking been submitted to the Office of the National Coordinator (ONC), and by whom? What does government enforcement action really look like?

In this episode of our special series on interoperability, hear from ONC attorneys Cassie Weaver and Rachel Nelson.

On July 8, two weeks following the Supreme Court’s ruling in Dobbs v. Jackson that invalidated the constitutional right to abortion, President Biden signed Executive Order 14076 (E.O.). The E.O. directed federal agencies to take various actions to protect access to reproductive health care services,[1] including directing the Secretary of the U.S. Department of Health and Human Services (HHS) to “consider actions” to strengthen the protection of sensitive healthcare information, including data on reproductive healthcare services like abortion, by issuing new guidance under the Health Insurance and Accountability Act of 1996 (HIPAA).[2]

Featured on the Diagnosing Health Care Podcast:  How is openEHR transforming the way health data is managed and stored across Europe? Will it soon disrupt the U.S. marketplace?

In this episode of our special series on interoperability, hear from Alastair Allen, CTO of Better.

In this episode of the Diagnosing Health Care Podcast:  In the past decade, certified electronic health records (EHRs) have been instrumental in transforming medical records from paper to digital formats.

What obstacles are currently preventing providers from sharing patient data with each other or patients from sharing health information from their personal devices with their providers? In this episode of our special series on interoperability, hear from Tomaž Gornik, founder and CEO of Better.

The U.S. Supreme Court is expected to imminently issue its opinion in the case Dobbs v. Jackson Women’s Health Organization (“Dobbs”). If the Court rules in a manner to overturn Roe v. Wade, states will have discretion in determining how to regulate abortion services.^[1] Such a ruling would overturn nearly 50 years of precedent, leaving patients, reproductive health providers, health plans, pharmacies, and may other stakeholders to navigate a host of uncharted legal issues. Specifically, stakeholders will likely need to untangle the web of cross-state legal issues that may emerge.

Establishing and maintaining effective systems to protect sensitive personal data and confidential business information from outside interference while also assuring that privacy interests are protected is among an organization’s highest priorities. Our security and privacy team at Epstein Becker & Green has written extensively about the guidance and best practices issued by federal and state regulatory and enforcement agencies. Execution, monitoring and continually updating these preventive practices define an organization’s first line of defense. But what happens in the event that an organization actually suffers a breach? Is there guidance that might be available, particularly to healthcare organizations, to deal with continuity and disaster planning (BC/DR) directed towards assuring resilience and recovery in the event of a potentially-disastrous cyberattack?

Connecticut becomes the fifth state to pass a comprehensive privacy law. Are you prepared for state privacy law compliance required in 2023?

The past several years have proven difficult for healthcare entities due to increasing cybersecurity threats, breaches and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.

On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

In this episode of the Diagnosing Health Care Podcast:  The interoperability and information-blocking rules have imposed new regulations and requirements on health information exchanges (HIEs). How are HIEs responding to these new regulations in a space they have been in for decades? In this episode of our special series on interoperability, hear from Dan Paoletti, CEO of the Ohio Health Information Partnership.

The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged a “Shields Up” defense in depth approach, as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “Whispergate” are destructive attacks that corrupt the infected computers’ master boot record rendering the device inoperable. The wipers effectuate a denial of service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risks now escalate of a spillover effect to Europe and the United States particularly as to: (i) targeted cyber attacks including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading indiscriminate wiper like the devastating “NotPetya” that quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya” which was attributed to the Russian military to target Ukranian organizations in 2017, but then quickly spread around the world reportedly resulting in over $10 billion dollars in damage.[1] The researchers added that the current wiper has included even further components designed to inflict damage.

Recent decisions from the European Union (EU) have placed renewed focus on the use of common cookies used on ecommerce and other websites used by consumers and employees and transfers of personal data collected through cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely used website technologies (i.e., cookies and java script) to automatically collect identifiers from the users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it in order for the data to be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.

New from the Diagnosing Health Care Podcast:  One of the long-term goals of the interoperability and information-blocking rules is to give health care providers a much more comprehensive view of a patient’s entire continuum of care.

Throughout 2021, we closely monitored the latest privacy laws and a surge of privacy, cybersecurity, and data asset management risks that affect organizations, small and large. As these laws continue to evolve, it is important for companies to be aware and compliant. We will continue to monitor these trends for 2022.

The attorneys of the Privacy, Cybersecurity & Data Asset Management group have written on a wide range of notable developments and trends that affect employers and health care providers. In case you missed any, we have assembled a recap of our top 10 blog posts of 2021, with links to each, below:

The Federal Trade Commission (“FTC”) recently issued guidance clarifying protections applicable to consumers’ sensitive personal data increasingly collected by so-called “health apps.” The FTC press release indicated it has approved a policy statement by a vote of 3-2 offering guidance that organizations using “health applications and connected devices” to “collect or use” consumers’ personal health information must comply with the cybersecurity, privacy and notification mandates of the Health Breach Notification Rule (the “Rule”).

The ...

On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws, and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and ...

Our colleagues Alaap Shah and Stuart Gerson of Epstein Becker Green have written an Expert Analysis on Law360 that will be of interest to our readers: "Health Cos. Must Prepare for Growing Ransomware Threat."

The following is an excerpt (see below to download the full version in PDF format):

Ransomware attacks have become big business, and they are on the rise. And entities in the health care and life sciences space have become primary targets of opportunity for attackers.

As the recent Colonial Pipeline Co. ransomware event illustrates, a small group of black hat hackers, living in ...

Only a few days remain before the enforcement delay that the Centers for Medicare & Medicaid Services (CMS) exercised due to COVID-19 will end and the agency will require certain payors to publish a Patient Access application programming interface (“API”) and a Provider Directory API under the requirements of the CMS Interoperability and Patient Access Final Rule. Starting on July 1, 2021, all health plans that offer Medicare Advantage, Medicaid and Children’s Health Insurance Program (CHIP) and most Qualified Health Plans offered through the Federally-facilitated ...

The roll out of the Office of the National Coordinator’s (ONC) 21^st Century Cures Act Interoperability and Information Blocking Rules is reminiscent of the way HIPAA has rolled out over the course of the past 25 years. As of May 1, 2021, Actors have been required to comply with the Information Blocking rules. However, it will take some time before all Actors know who they are and for complaints of Information Blocking to be determined to be actual instances of Information Blocking, by which time the penalties that have not yet been finalized may also need to be adjusted.

While ONC defined ...

In this episode of the Diagnosing Health Care Podcast:  The vaccine passport has been a major topic of discussion as businesses and governments consider how to balance privacy and safety through the rollout of the COVID-19 vaccine. Epstein Becker Green attorneys Patricia Wagner, Alaap Shah, and Jessika Tuazon discuss the privacy and security concerns companies must weigh as they consider developing or implementing vaccine passports, such as the collection and use of an individual's personal health information. As state governments and the private sector take the ...

Cyber threats and cybersecurity controls have evolved significantly over the past two decades since the HIPAA Security Rule were originally promulgated. During this same time, healthcare entities have increasingly become a prime target of hackers seeking to extort payment using ransomware, exfiltrate patient data to commit fraud, or disrupt operations in other nefarious ways.  Recognizing these challenges, some security professionals have sought further clarity on the HIPAA Security Rule that they deem to be “long in the tooth”. Yet, regulators have not made any ...

Medical providers are often asked, or feel obligated, to disclose confidential information about patients.  This blog post discusses when disclosures of confidential medical information involve law enforcement, but the general principles discussed herein are instructive in any scenario.  To protect patient confidentiality and avoid costly civil liability arising from improper disclosures, it is imperative that providers ask questions to assess the urgency of any request and to understand for what purpose the information is sought by authorities.  Knowing what questions to ask at the outset prepares providers to make informed decisions about disclosing confidential information in a manner that balances the obligation to maintain patient confidentiality and trust with legitimate law enforcement requests for information aimed at protecting the public.

Alaap B. Shah and Nivedita B. Patel, attorneys in the Health Care & Life Sciences practice, in the firm’s Washington, DC, office, co-authored an article in MobiHealthNews, titled “Unlocking Value in Health Data: Truveta’s Data Monetization Strategy Carries Big Risks and Responsibilities.”

Following is an excerpt:

In today’s world, data is power. Healthcare providers have massive amounts of rich health data at their fingertips. Yet historically, third-party vendors to healthcare providers often have derived financial benefits from secondary use of ...

Ransomware basics

Ransomware is a serious form of cyber extortion that employs malware to prevent users from accessing their systems or data, either by locking the system or encrypting critical files until a ransom is paid. The hacker holds the key to unlock the system and usually demands payment in cryptocurrency.

Ransomware has been a known cyber threat vector for over a decade. In recent years, hackers have embraced increasingly sophisticated methods to exploit vulnerabilities and introduce ransomware into systems. They have also expanded the scope of impact by targeting ...

As employers continue their efforts to safely bring employees back to the workplace, many have moved beyond initial pre-entry wellness checks or questionnaires and are considering technology solutions that monitor social distancing and conduct contact tracing in real-time. Along with introducing these enhanced capabilities, the question of the privacy and security of employee personally identifiable information (“PII”) and protected health information (“PHI”) continues to loom.

In order to isolate and contain the spread of COVID-19, one critical component of an ...

On October 12, 2020, the California Attorney General issued its notice and third set of proposed modifications to the regulations implementing the California Consumer Protection Act (“CCPA”). These proposed modifications would change the regulations that were approved by the California Office of Administrative Law on August 14, 2020. The California Department of Justice is accepting written comments from the public on these proposed revisions to the regulations until October 28, 2020 at 5:00 p.m. PST.

Notable changes in these regulations include:

• A requirement for ...

Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, obtained two large breach-related settlements: one from a HIPAA Covered Entity and one from a HIPAA Business Associate.  These enforcement actions signal that despite COVID-19 related challenges, organizations continue to face rampant data breaches and ensuing HIPAA enforcement.

On September 25, 2020, OCR settled an investigation into a breach suffered by a large health insurer by obtaining the second-largest resolution payment in HIPAA enforcement history ($6.85 million).  This enforcement action resolved an investigation concerning potential violations of HIPAA Privacy and Security Rules related to a breach affecting the electronic protected health information (ePHI) of more than 10.4 million people.  The breach resulted from a phishing attack that introduced malware into the insurer’s IT systems and allowed unauthorized actors to gain access and remain undetected for nearly nine months.  Similarly on September 23, 2020, a business associate providing IT and health information management services to hospitals and physicians clinics entered a settlement ($2.3 million) with OCR for potential violations of HIPAA Privacy and Security Rules related to a breach affecting over 6 million people.  Essentially, these cyberattacks were advanced persistent threats that compromised the privacy and security of ePHI and PHI and revealed longstanding gaps in the companies’ cybersecurity controls.

Earlier this summer, Ethan P. Davis, Principal Deputy Assistant Attorney General for the Civil Division of the U.S. Department of Justice (DOJ) delivered remarks addressing DOJ’s top priorities for enforcement actions related to COVID-19 and indicating that DOJ plans to “vigorously pursue fraud and other illegal activity.”[1] As discussed below, Davis’s remarks not only highlighted principles that will guide enforcement efforts of the Civil Fraud Section under the False Claims Act (FCA) and of the Consumer Protection Branch (CPB) under the Food, Drug, and Cosmetic Act (FDCA) and the Controlled Substances Act (CSA) in response to the COVID-19 public health emergency (PHE), they also provide an indication of how DOJ might approach enforcement over the next few years.

DOJ'S KEY CONSIDERATIONS & ENFORCEMENT STRATEGY FOR COVID-19

Davis highlighted two key principles that would drive DOJ’s COVID-related enforcement efforts: the energetic use of “every enforcement tool available to prevent wrongdoers from exploiting the COVID-19 crisis” and a respect of the private sector’s critical role in ending the pandemic and restarting the economy.[2] Under that framework, DOJ plans to pursue fraud and other illegal activity under the FCA, which Davis characterizes as “one of the most effective weapons in [DOJ’s] arsenal.”[3]

However, as DOJ pursues FCA cases, it will also seek to affirmatively dismiss qui tam claims that  DOJ finds meritless or that interfere with agency policy and programs.[4] DOJ also plans to collect certain information from qui tam relators regarding third-party litigation funders during relator interviews.[5] DOJ’s emphasis on qui tam cases—cases brought under the FCA by relators or whistleblowers—for COVID-related enforcement highlights the impact such matters have on DOJ’s enforcement agenda.[6]

1. DOJ will consider dismissing cases that involve regulatory overreach and are not otherwise in the interest of the United States.

Although Davis emphasized that the majority of qui tam cases would be allowed to proceed, in order to “weed out” cases that lack merit or that DOJ believes should not proceed, DOJ will consider dismissing cases that “involve regulatory overreach or are otherwise not in the interest of the United States.”[7] This is consistent with the principles reflected in the 2018 Granston Memo that instructed DOJ attorneys to consider “whether the government’s interests are served” when considering whether cases should proceed and listed considerations for seeking alternative grounds for dismissal of FCA cases.[8] Davis gave examples throughout his speech of actions DOJ might consider dismissing:

• Cases based on immaterial or inadvertent mistakes, such as technical mistakes with paperwork
• Cases based on honest misunderstandings of rules, terms, and conditions
• Cases based on alleged deviations from non-binding guidance documents
• Cases against entities that reasonably attempted to comply with guidance and “in good faith took advantage of the regulatory flexibilities granted by federal agencies in the time of crisis.”[9]

DOJ litigators have been advised to inform relators of the possibility of dismissal.[10] Additionally, qui tam suits based on behaviors temporarily permitted during the COVID-19 pandemic, particularly in circumstances in which agencies exercised discretion to waive or not enforce certain requirements, might
“fail as a matter of law for lack of materiality and knowledge.”[11]

2. DOJ will now include a series of questions during relator interviews to identify third-party litigation funders.

During each relator interview, DOJ has instructed line attorneys to ask a series of questions to identify whether the relator or their counsel has a third-party litigation funding agreement,[12] which is an agreement in which a third party—such as a commercial lender or a hedge fund—finances the cost of litigation in return for a portion of recoveries.[13] Under the new policy detailed in Davis’s speech, if a third-party funder is disclosed, DOJ will ask for the following:

• the identity of the third-party litigation funder,
• information regarding whether information of the allegations has been shared with the third party,
• whether the relator or their counsel has a written agreement with the third party, and
• whether the agreement between the relator or their counsel and the third party includes terms that entitles the third-party funder to exercise direct or indirect control over the relator’s litigation or settlement decisions.

Relators must inform DOJ of changes as the case proceeds through the course of litigation.[14] While Davis characterizes these changes as a “purely information-gathering exercise for the purpose of studying the issues,” the questions are in furtherance of DOJ’s ongoing efforts to uncover the potential negative impacts third-party litigation financing may have in qui tam actions. [15] The questions Davis referenced in his remarks reflect DOJ’s concerns with third-party litigation funding as expressed by Deputy Associate Attorney General Stephen Cox in a January 2020 speech.[16] Davis emphasized that DOJ particularly sought to evaluate the extent to which third-party litigation funders were behind qui tam cases DOJ investigates, litigates, and monitors; the extent of information sharing with third-party funders; and the amount of control third-party funders exercised over the litigation and settlement decisions.[17] While the Litigation Funding Transparency Act of 2019 has remained inactive since its introduction in February 2019 by Senator Grassley[18] and the 2018 proposal by the U.S. Court’s Advisory Committee on Civil Rights’ Multidistrict Litigation Subcommittee to require disclosure of third-party litigation funding remains under consideration,[19] DOJ’s plans to include this line of questioning potentially signals DOJ’s intention to take more concrete and significant steps to address third-party litigation funding in the future.

The regulations for the California Consumer Protection Act (“CCPA”) were approved by the California Office of Administrative Law on August 14, 2020 and went into effect immediately.   Earlier this year, the California Department of Justice proposed these regulations to govern the California Attorney General’s enforcement of CCPA. CCPA was signed into law on June 28, 2018 and went into effect on January 1, 2020.

Please see Epstein Becker Green’s earlier posts discussing CCPA for more information.

• California’s New Consumer Privacy Act: What Employers Need to Know
• Follow ...

As consumerism in healthcare increases, companies and the individuals they serve are increasingly sharing data with third-party application developers that provide innovative ways to manage health and wellness, among numerous other products that leverage individuals’ identifiable health data.  As the third-party application space continues to expand and data sharing becomes more prevalent, it is critical that such data sharing is done in a responsible manner and in accordance with applicable privacy and security standards. Yet, complying with applicable standards requires striking the right balance between rules promoting interoperability vis-à-vis prohibiting information blocking vs. ensuring patient privacy is protected. This is especially difficult when data is sent to third party applications that remain largely unregulated from a privacy and security perspective.  Navigating this policy ‘tug of war’ will be critical for organizations to comply with the rules, but also maintain consumer confidence.

Reports in the last week stated that the computer manufacturer Lenovo had preloaded software onto various lines of computers which critically compromised cybersecurity. The software in question is a product called Superfish Visual Discovery, a program generally designed to replace advertisements seen while browsing the Internet with ads provided by Superfish. However, the method of implementation opens up a universe of potential problems.

What Does Superfish Do?

Superfish is designed to replace Internet advertisements with advertisements provided by their sponsors. In ...

On January 9, 2015, New Jersey Governor Chris Christie signed new legislation that will require health insurance carriers authorized to issue health benefits plans in the state—including insurance companies, health service corporations, hospital service corporations, medical service corporations, and health maintenance organizations—to encrypt personal information. Triggered by a series of data breaches involving the health information of almost a million residents, Senate Bill No. 562 (“SB 562”) was passed unanimously by both houses of the state legislature ...

On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). This report provides valuable insight for healthcare entities regarding their data security and enforcement priorities.

Section 13402(i) of the Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of Health and Human Services to prepare an annual report regarding the number and nature of ...

By Brandon Ge and Alaap Shah

The Department of Health and Human Services (“HHS”) is taking laudable steps to improve notices of privacy practices (“NPPs”) and make them more clear, understandable, and user-friendly. Under the HIPAA Privacy Rule, individuals are entitled to a receive an NPP informing them of how their health information may be used and shared, as well as how to exercise their health privacy rights. Health plans and health care providers must develop and distribute NPPs that clearly explain these rights and practices. Unfortunately, to date NPPs have been ...

By Marshall Jackson and Alaap Shah

If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.

There is no doubt that a primary concern raised by these data breaches is risk ...

   By:  Alaap Shah and Ali Lakhani

Why is data breach such a rampant problem within the health care industry?

As health care rapidly digitizes through adoption of electronic health records, mobile applications and the like, the risk of data breach is rising exponentially.  To effectively manage this risk, health care companies and their business associates must be vigilant by implementing and evaluating security controls in the form of administrative, physical and technical safeguards.  Health care companies also have resources to assist them with managing this risk.  Specifically ...

One of the European Parliament’s 20 committees, the Civil Liberties Committee (“LIBE”), voted on October, 21, 2013 on a proposed EU General Data Protection Regulation. The regulation includes an increased level of fines and new regulatory requirements (in case of certain international data transfers and disclosure requests for personal data by foreign courts or authorities). Companies should monitor these issues closely in the next couple of months. Most likely, after the plenary vote on November 18-21, the Parliament will push for rapid negotiations with the Council ...

By: Alaap Shah and Marshall Jackson

Data is going digital, devices are going mobile, and technology is revolutionizing how care is delivered.  It seems to be business as usual, as your health care organization continues to digitize its operations.  You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices.  However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse through confidential financial records and sensitive ...

By:  Alaap Shah and Ali Lakhani

The Good: 

“Hey Doc, just shoot me a text . . .”

The business case supporting text messaging in a health care environment is compelling - it is mobile, fast, direct, and increases dialogue between physicians and patients as well as streamlines the often inefficient page/callback paradigm that stalls workflows and efficiency in the supply chain of healthcare delivery.  As a growing percentage of the 171 billion monthly text messages in the U.S. are sent by healthcare providers, often containing electronic protected health information (ePHI ...

Below is a re-print of an article that we recently wrote for the Advisory Board Company’s 2013 third quarter General Counsel Agenda. To view the original publication in the General Counsel Agenda, click here.

For hospitals, the promise of telehealth has spurred innovation across multiple service lines and led to the emergence of a number of new delivery models such as telestroke, teleradiology, telepsychiatry, telepathology, teleICU and remote patient monitoring.  While many of these programs are leading to significant improvements in access to health care services, quality ...

Telehealth creates unique health information management challenges for various reasons, including: aggregating large data sets (i.e. remote monitoring); using and storing numerous file formats (video, audio, text, digital images, film); establishing safeguards for sharing data with virtual providers and distant sites; determining the appropriate location for data storage (if more than one provider or entity is involved); and more.  All of these challenges create issues relating to medical record management, maintenance, ownership, and storage.

In the past, it was easier ...

Christine Kearsley contributed to this article.

In Durham, North Carolina, the child psychiatrist comes to the classroom.  By telehealth. For the past eight years, Duke University Medical Center has teamed up with Durham Public Schools to export child psychiatry to where the kids are.  Duke fellows in child psychiatry travel to three elementary schools and one upper-school site to offer in-person mental health services to children with diagnosed mental health disorders.  To supervise the fellows, the attending physician conferences in.  As Dr. Richard D’Alli, the leader of the ...

Before initiating treatment, health care providers must generally obtain their patients’ informed consent. The purpose of the informed consent process is two-fold. First, it allows patients to gain an understanding of the risks and benefits of the proposed treatment, and alternative courses of action. Second, it helps shield providers from legal exposure.

A formal informed consent process is particularly critical for procedures that carry a high risk of patient injury. When considering such “high-risk” procedures, neurosurgery or radiation therapy may come to mind ...

We all know that telehealth is going mainstream.  The numbers speak for themselves.  A leading research firm predicts that 2.8 million patients worldwide used home-based remote monitoring devices in 2012—expected to increase to 9.4 million connections globally by 2017.  Another firm projects that the number of patients using telehealth services in the United States will grow to 1.3 million in 2017, up from 227,000 in 2012.  Even less rosy projections predict growth to 2 million patients worldwide by 2017.  The news is even better in subspecialties like telepsychiatry   that are ...

In the healthcare industry we often associate information privacy and security enforcement with HIPAA and state privacy laws.  However, a lesser known but in some cases just as significant regulator of information privacy is the Federal Trade Commission (“FTC”). This is especially true with regard to mobile health applications, which depending on how they function and collect personal information, may not be regulated by HIPAA.  Regardless of whether or not you have to comply with HIPAA, if you run applications or software that can access personal information, then the FTC’s ...

Telehealth is going mainstream. Once limited to rural or remote communities, the use of telehealth is increasingly being used to address critical shortages within many medical specialties (such as dermatology, neurology, radiology, critical care and mental health), and as a more efficient means to provide health care services. Many leading nationally-recognized health care providers, health plans and others have significant telehealth initiatives underway often in partnership with telecommunications vendors and government entities.  And developments in this space tend ...

As the technologies used to deliver telehealth services become more complex, telehealth providers as well as other HIPAA “covered entities” have an increasingly demanding role to play in ensuring the security of protected health information (PHI).  To fulfill this role, both telehealth providers and their business associates (such as the information technology companies and data storage providers that support telehealth platforms) must implement not only technical safeguards, but also physical security measures.  From locks, to security guards, to alarm systems ...

While tech companies looking to provide health solutions must figure out early on whether they are HIPAA-regulated, HIPAA is not the be-all and end-all of privacy law. Even entities not regulated under HIPAA must abide by other privacy rules, including a wide array of state privacy laws. On December 6, 2012, in the state’s first legal action under its online privacy law, California Attorney General Kamala Harris filed a lawsuit against a major airline for not including a privacy policy in its smartphone app. The complaint alleges violation of California’s Online Privacy ...

The recent discovery of a security flaw that allows Skype accounts to essentially be hijacked has again raised the issue of the security of web-based platforms—and whether providers can meet their HIPAA obligations when using these communication tools.  The issue of Skype and similar platforms and HIPAA compliance is one that I am often asked about.  In a previous post, I addressed the issue and concluded that providers who wish to use Skype or similar platforms proceed with great caution.  I noted that the use of web-based platforms, especially those that are proprietary, may make it ...

By Ross K. Friedberg and Ophir Stemmer

This year we’ve seen a continuation of the trend toward heightened regulation and enforcement of the privacy and security requirements under the Health Information Portability andAccountability Act (“HIPAA”) and under other state and federal health privacy laws. Although there have not been any significant changes to federal health privacy laws this year, federal enforcement activity continues to be strong.

This post provides a summary of the developments in privacy and security law throughout the past year; discusses the ...

by Joel Rush and Dawn Helak

All indications are that international telemedicine is well positioned for strong growth over the next several years. The global healthcare marketplace is ripe with opportunities for U.S. based healthcare systems and providers to take advantage of the expanding use of telemonitoring systems and other telemedicine technologies to deliver top flight healthcare to patients across the globe.

However, wherever there are opportunities, there are challenges. In addition to the economic and financial barriers to launching an international telemedicine ...

With a new era of active enforcement of the HIPAA privacy and security laws upon us, companies need to figure out early-on whether they are regulated under HIPAA, either as covered entities or business associates.  However, determining whether a company is subject to the HIPAA privacy and security requirements is not always straightforward, especially for companies in the health technology space.  There are two ways in which a company can become subject to HIPAA: (1) it functions as a health plan, health care provider or health care clearinghouse which could potentially make it a HIPAA ...

Mobile application (“app”) development is the new boon for technology companies of all sizes, and the phrase “There’s an app for that” tells the story of just how much this market has grown and matured.  Most of the early app development focused on low risk opportunities—those involving free or low-cost social media or gaming apps.  While protecting privacy and security of personally-identifiable information is generally important, privacy and security concerns typically do not rank as high priorities in decision-making when developing these types of apps.

By ...

by Pamela Tyner

They say that everything is bigger in Texas, and the Lone Star State’s new privacy protection laws are no exception. Texas House Bill 300 (“HB 300″) amends the Texas Medical Records Privacy Act (“Texas Act”) and takes effect on September 1, 2012. HB 300 significantly expands patient privacy protections for Texas covered entities beyond those federal requirements as outlined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.

Read ...

I’m sure most of you know about BYOB, but do you know about BYOD (Bring Your Own Device).  This is the term used when a company chooses to forgo issuing company-owned mobile computing devices (think smartphones and tablets), and encourages its employees to use their own personal mobile devices for business purposes.  And in the healthcare context, BYOD has important implications.

For better or for worse, many companies have opted to institute a BYOD policy for a number of reasons.  Here are just a few rationales for BYOD:

• Employees likely already have a smartphone or tablet or both.

Is Skype HIPAA-compliant? This is probably the question I get asked the most. For the sake of this post, I am using the term Skype to include Skype and similar free web-based communication platforms relying on proprietary voice over Internet technology.

As with so many things, the answer is complicated. But the question itself is misleading. Many vendors and manufacturers market their technology and products using terms such as “HIPAA compliant.”

However, products or technology cannot themselves be “HIPAA-compliant.” Hospitals, providers, and other covered entities ...