Health Information Technology

Our colleague at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers: “The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare.”

Following is an excerpt:

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space, increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the GDPR:

What does the GDPR do? The GDPR unifies European data and privacy protection laws as to companies that collect or process the personally identifiable information (“PII” or, as the GDPR calls it, “personal data”) of European residents (not just citizens). …

Read the full post here.

On January 5, 2018, consistent with the 21st Century Cures Act’s focus on creating interoperability and, correspondingly, a Trusted Exchange, the Office of the National Coordinator for Health Information Technology (“ONC”) released its “Draft Trusted Exchange Framework” (“Draft Framework”).  The Draft Framework is intended to streamline the exchange of Electronic Health Information (“EHI”) so that both health care providers and patients have better access to health information, thereby improving communication and the quality of care.  EHI is broader than protected health information under HIPAA; it also includes, for example, health information generated by consumer-driven devices.  ONC has asked for public comments; the comment period is open until February 18, 2018.

ONC’s Draft Framework establishes a mechanism to connect Qualified Health Information Networks (“Qualified HINs”) across the country.  ONC intends to select a single Recognized Coordinating Entity (“RCE”) through a competitive bidding process, which will open in the spring of 2018.  The RCE’s responsibilities will be to develop the Common Agreement and to operationalize the Trusted Exchange.  The Draft Framework includes the Principles of a Trusted Exchange (Part A) and the minimum terms and conditions that will be required for a Trusted Exchange (Part B), i.e., the contractual terms that operationalize the principles of Part A.

The Draft Framework sets a number of conditions on Qualified HINs, some of which may require more direct interaction with patients than currently exists, or may require the Qualified HIN to disclose information that might otherwise be considered proprietary to the Qualified HIN. The biggest takeaways from the Principles (Part A) are:

  • Qualified HINs will be expected to use standards adopted or recognized by ONC’s Health IT Certification Program and Interoperability Standards Advisory (“ISA”) or industry standards readily available to all stakeholders;
    • Participants of Qualified HINs that provide services and functionality to providers are expected to follow the 2015 Edition Health IT Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modification final rule (“2015 Edition final rule”), and associated guidance for the certification of health IT; and
    • Qualified HINs and participants will be expected to implement processes that encourage more “person-centered” care;
  • Qualified HINs will be required to operate openly and transparently by:
    • Making terms and conditions for participation publicly available;
    • Supporting permitted uses and disclosures of EHI.  Qualified HINs that currently support only exchanges for the HIPAA Treatment purpose may want to support additional permitted purposes;
    • Making their privacy practices publicly available;
  • Qualified HINs must cooperate with and not discriminate among the various stakeholders across the continuum of care by not implementing policies, procedures, technology or fees that will obstruct access and exchange of EHI between other Qualified HINs, participants, and end users;
  • Qualified HINs must exchange EHI securely and in a manner that preserves data integrity by:
    • Including appropriate information to ensure the correct matching of individuals to their EHI; and
    • Ensuring providers and other organizations are confident that appropriate consents and authorizations have been captured;
  • Qualified HINs must ensure that individuals have easy access to their information by:
    • Ensuring full and consistent access to information; and
    • Having policies in place to allow an individual to withdraw or revoke his or her participation in the Qualified HIN; and
  • Qualified HINs will be expected to support the ability for participants to pull and push population level records—bulk transfer—in a single transaction rather than transmit one record at a time.

The Draft Framework is ONC’s most significant push toward interoperability among electronic health care systems and most likely will affect all stakeholders in the health IT industry and their participants at some point.

The 21st Century Cures Act (“Cures Act”) was enacted in December of 2016.  Among other things, the Cures Act includes provisions to encourage the interoperability of electronic health records. Specifically, the Cures Act provides for civil penalties for those who engage in “information blocking.”  The Cures Act defines “information blocking” broadly as a “practice that . . . is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information” if that practice is known by a developer, exchange, network, or provider as being likely to “interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information.”  42 U.S.C. §300jj-52(a).  The penalty for vendors is up to $1 million “per violation.”

The Office of the National Coordinator for Health IT is reported to be working on a proposed rule on information blocking, which many hope will address a number of open issues, including guidance that: distinguishes between information blocking and ordinary technology implementation problems; sets a standard for when a practice is “known,” or should have been known, to be likely to interfere with access, exchange, or use of EHI; and describes how “per violation” will be defined and applied.  Although there has been some suggestion that the proposed rule will be released before the end of the year, the National Coordinator has not indicated when he expects it to be released.

On July 7, 2016, the Centers for Medicare and Medicaid Services (“CMS”) imposed several administrative penalties on Theranos, a clinical laboratory company that proposed to revolutionize the clinical laboratory business by performing multiple blood tests using a few drops of blood drawn from a finger rather than from a traditional blood draw that relies on needles and tubes. However, after inspecting the laboratory, CMS concluded that the company failed to comply with federal law and regulations governing clinical laboratories and it posed an immediate jeopardy to patient health and safety. CMS has revoked the CLIA certification of the company’s California lab, imposed a civil monetary penalty of $10,000 per day until all deficiencies are corrected, barred Medicare or Medicaid reimbursement for its services, and excluded its founder and CEO from owning or operating a clinical laboratory for two years.

Although Theranos’s history has received an outsize amount of media attention, its experience with regulatory agencies highlights several important issues for start-up and emerging health care entities:

What Do Regulators Want?

It is no surprise that health care is one of the most highly regulated sectors of the U.S. economy, and that noncompliance with health care laws and regulations can result in penalties that can cripple an organization or force it to shut down. As a result, even in an environment that encourages innovation, health care organizations must understand the scope of regulatory oversight at the federal and state levels, and the range of remedies available to regulators for noncompliance. Every organization should also have a protocol in place for responding to regulatory inquiries or inspections.

What Do Health Care Providers and Payors Want?

Adopting a new health care technology is an intensely data-driven process. This is especially the case with clinical laboratories, which are subject to rigorous requirements for proficiency, quality assurance, and training. The burden is greater still for laboratory-developed tests, commonly known as “home brew” tests: because FDA does not currently review them, the laboratory itself bears the burden of demonstrating to clinicians and payors that the test is valid and reliable.

In most cases, the innovator sponsors clinical studies subject to peer review and publication to demonstrate the efficacy of the new technology. These trials can also generate the clinical and cost data needed to convince practitioners that the test has reliable diagnostic or clinical value, and to persuade payors that the test is medically necessary.

However, Theranos declined requests to sponsor studies or to disclose its data, which was a red flag for many clinicians. In the interim, a group of independent investigators published a study based on a small sample of patients and found that Theranos’s results varied more than the results obtained when the same blood samples were sent to laboratories using standard equipment. These variations were significant enough that they had the potential to affect clinical decision-making and jeopardize patients.

Who Is Investing in the Venture?

For start-up companies, committed investors are indispensable. Although early-stage investors are accustomed to risk, they also depend on reliable data to gauge whether health care professionals will adopt a new technology, and whether health plans will cover and pay for that technology. In Theranos’s case, several investors with experience in health care start-ups did not invest in the company because it did not release data on its proprietary technology and did not conduct or sponsor well-controlled clinical trials.

Who’s on Board?

The critical role of health care regulation demands that a company’s management and board be familiar with the key challenges and potential barriers to entry under the applicable regulatory framework. At the time of the CMS survey, however, Theranos’s board reportedly lacked individuals with specific experience in health care operations or clinical laboratories; instead, it included two former Secretaries of State (one of whom had also been the dean of a business school), two former U.S. senators, the CEO of a bank, and retired military officers. While it is unclear how much the board knew of the potential regulatory risks, the fact that CMS determined that the company had not made a “credible allegation of compliance” in response to any of the deficiencies in the initial survey report suggests that CMS believed the company’s management and directors had not appreciated the regulatory requirements or how to avoid or minimize these significant risks.

On May 17, 2016, FDA issued Draft Guidance for Industry on Use of Electronic Health Record Data in Clinical Investigations (“Draft Guidance”).  The Draft Guidance builds on prior FDA guidance on Computerized Systems Used in Clinical Investigations and on Electronic Source Data in Clinical Investigations, and sets out FDA’s expectations for the use of Electronic Health Record (“EHR”) data by clinical investigators, research institutions, and sponsors of clinical research on drugs, biologics, medical devices, and combination products conducted under an Investigational New Drug Application or Investigational Device Exemption.

While the recommendations set forth in the Draft Guidance do not represent a significant departure from existing guidance, research sponsors, institutions and investigators should consider the extent to which their existing policies and procedures, template agreements, protocols and informed consent documents should be updated to incorporate FDA’s recommendations.

Specifically, the Draft Guidance provides additional detail on FDA’s expectations for the due diligence sponsors should perform before determining the adequacy of any EHR system a clinical investigator uses to capture source data for a clinical investigation. FDA expects sponsors to assess whether such systems have adequate controls in place to ensure the confidentiality, integrity, and reliability of the data. FDA encourages the use of EHR systems certified through the ONC Health IT Certification Program, and will presume that source data collected in certified EHR systems is reliable and that the technical and software components of the privacy and security protection requirements have been met. Sponsors should therefore consider requesting additional detail in site pre-qualification questionnaires or pre-study visits regarding any EHR system clinical investigators use to record source data, including whether the system is certified. Sponsors may also consider the extent to which their existing site qualification policies and clinical trial agreement templates adequately reflect the technical requirements for sites that use EHR systems to record source data, the need to ensure that updates to those systems do not impair the reliability or security of the data, and the extent to which the data, including all required audit trails, are backed up and retained by the site so that FDA has the access it requires.

The Draft Guidance also includes recommendations regarding the information FDA expects to see in study protocols and informed consent documents. When the use of EHR systems is contemplated, FDA recommends that study protocols include a description or diagram of the electronic data flow between the EHR and the sponsor’s electronic data capture (“EDC”) system, along with information on how the data are extracted and imported from the EHR and how they are monitored for consistency and completeness. FDA also recommends that informed consent forms describe the extent of access to EHRs granted to sponsors, contract research organizations, and study monitors, as well as any reasonably foreseeable risks of using EHRs, such as an increased risk of data breaches. While third-party access to health information is typically addressed in informed consent documents, specific details about access to EHRs and the associated risks are less common. Sponsors and research institutions should consider the extent to which their template informed consent documents should be updated to incorporate the best-practice recommendations in the Draft Guidance.

In addition, the Draft Guidance encourages the development and use of interoperable EDC and EHR systems that permit electronic transfer of EHR data into the electronic case report forms (“eCRFs”) used for a clinical trial, including adoption of the data standards and standardization requirements of the ONC Health Information Technology (Health IT) Certification Program. While interoperability of EHR and EDC systems promises to make clinical trial data collection more efficient and to reduce the transcription errors that commonly result from maintaining this information in separate repositories, FDA acknowledges that challenges related to the diverse ownership of the data and of the EHR systems used to capture them, and to the confidentiality of clinical trial information, will need to be overcome before those benefits can be realized.

At the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C. on March 5th and March 6th, the Federal Trade Commission (“FTC”) was clear in its message that privacy is a top priority for the agency.  The FTC had a strong presence at the conference: three of the five Commissioners and the Director of the Bureau of Consumer Protection (Jessica Rich) spoke, each relaying the importance of consumer privacy and security.  In that regard, the FTC speakers stressed the importance of:

  • informing consumers of the collection of consumer information;
  • informing consumers how such collected information will be used; and
  • providing strong safeguards for information collected.

The FTC speakers also announced that the FTC will begin a new security campaign to engage businesses of all sizes in understanding the importance of securing consumer information.  The speakers further emphasized the FTC’s concern with, and focus on, the collection of health information by organizations that are not covered under HIPAA (for example, organizations developing wearable devices or other consumer-driven apps).  Given the tenor of the discussions, there is no question that the FTC will continue to make privacy enforcement a top priority.  As a result, device manufacturers, pharmaceutical manufacturers, and mobile health developers should remember to think beyond HIPAA when they think of U.S. privacy compliance.  For a listing of prior privacy enforcement actions by the FTC see,


Tuesday, March 24, 2015 at 12:00 p.m. – 1:00 p.m. EDT

The past year has demonstrated that no organization is immune to security incidents that could affect its employees, customers, and reputation.  Understanding the complex legal framework governing data privacy and developing a plan to mitigate risk can be the difference between an incident and a disaster.

Join Epstein Becker Green’s Privacy & Security Practice for a comprehensive overview of data breach priorities impacting organizations that deal in electronic data.  Presenters will identify strategies to prepare for and prevent security incidents as well as summarize key takeaways from the biggest breaches of 2014.

Attendees will also learn about:

  • Complying with the evolving legal landscape
  • Minimizing data breach exposure
  • Developing an incident response plan and effectively responding to an incident
  • Setting organizational priorities, and getting buy-in


Adam C. Solander, Member of the Firm

Patricia M. Wagner, Member of the Firm

Who Should Attend:

Compliance Professionals, In-House Counsel, Board Members, and Information Security Professionals

To register for this webinar, please click here.

The recent issue of Epstein Becker Green’s Take 5 newsletter focuses on the 25th anniversary of the ADA and on recent developments and future trends under Title III of the ADA:

  1. Website Accessibility
  2. Accessible Point-of-Sale Devices and Other Touchscreen Technology
  3. Movie Theater Captioning & Audio (Narrative) Description
  4. The Availability of Sign Language Interpreters at Health Care Facilities
  5. “Drive By” Design/Construction Lawsuits

Read the full newsletter here.

Our colleague Mollie K. O’Brien at Epstein Becker Green wrote an advisory on a new New Jersey law that goes beyond HIPAA by requiring health insurance carriers to encrypt the personal information they collect and store electronically: “Beyond HIPAA: New Jersey Law Requires Encryption of Personal Data by Health Insurance Carriers.” Following is an excerpt:

In response to data breaches that have occurred across the United States, several of which involved the theft of laptop computers, beginning August 1, 2015, health insurance carriers in New Jersey will be obligated to do more to protect patient information than simply comply with the federal Health Insurance Portability and Accountability Act (“HIPAA”). A new law, signed by Governor Chris Christie on January 9, 2015, specifically requires health insurance carriers to encrypt electronically gathered and stored personal information.

The key terms in the law are defined as follows:

  • “Health insurance carriers” means “an insurance company, health service corporation, hospital service corporation, medical service corporation, or health maintenance organization authorized to issue health benefits plans in this State.”
  • “Personal information” means “an individual’s first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or State identification card number; (3) address; or (4) identifiable health information.”

Read the full advisory here.

By Evan J. Nagler

The State of the Union Address, scheduled for January 20, 2015, will contain new initiatives related to privacy, White House officials say. The known initiatives are the introduction of a data breach reporting bill, a bill restricting the sale of student information, and a Consumer Privacy Bill of Rights.


President Obama is planning on introducing a data breach bill that would standardize the reporting period nationwide at 30 days. The proposed Personal Data Notification and Protection Act would require direct customer notification. The law would also criminalize selling consumer identities overseas.

Presently, most states have their own consumer data protection laws requiring customer notification in the event of a breach. The new bill may preempt stricter state laws such as California’s 5-day window for reporting.


The White House will also propose the Student Digital Privacy Act, based on a California law passed last September. The main purpose of the bill is to restrict the sale of student data for use unrelated to education as well as restricting targeted advertising based on school-collected data. The bill seeks to restrict commercial uses while at the same time ensuring that outcome-based studies are allowed to continue.


In 2012, the White House revealed plans for a Consumer Privacy Bill of Rights. This white paper laid out a set of seven guiding principles for consumer privacy (see Appendix A of the linked PDF). After receiving and incorporating suggestions during the last three years, the President will reportedly ask Congress to enact a revised Consumer Privacy Bill of Rights into law. The bill would ensure more control over personal data for individuals, more closely in line with the rules in place in the European Union.


As more information is released regarding the President’s privacy and security plans, we will cover it here, so check back in the coming days.