Health Information Technology

On February 11th, blockchain advocates, digital health enthusiasts, and patients received positive news from the Centers for Medicare & Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) regarding patient data sharing. Taken together, these rules seek to make data more liquid, which can promote patient access, continuity of care, research, collaboration across the industry, and several other activities that previously faced challenges within a health care system built on data silos.

First, CMS published a proposed rule that seeks to increase interoperability and patient access to health records. CMS Administrator Seema Verma explained that the proposal seeks to “break down existing barriers to important data exchange needed to empower patients by giving them access to their health data.” Second, ONC published a proposed rule aiming to deter and penalize information blocking. As a result of the lack of interoperability and of information blocking, data sharing has been challenging across the industry, and patients have historically struggled to gain access to their health records, which health providers and payors claimed they owned. These proposed rules take notable steps to open avenues for data sharing and to shift the role of patients with respect to their own health data.

The CMS proposed rule requires Medicare Advantage (“MA”) organizations, state Medicaid and Children’s Health Insurance Program (“CHIP”) Fee for Service (“FFS”) programs, Medicaid Managed Care Plans, CHIP managed care entities, and Qualified Health Plan (“QHP”) issuers in federally facilitated exchanges (“FFE”) to (1) provide patients convenient access to their health care records, (2) support the electronic exchange of data for transitions of care as patients move between the aforementioned plan types, and (3) participate in trust networks to improve interoperability. Additionally, the proposed rule requires Medicare-participating hospitals, psychiatric hospitals, and Critical Access Hospitals (“CAHs”) to send electronic notifications when a patient is admitted, discharged, or transferred.

The ONC proposed rule establishes conditions for maintaining electronic health record (“EHR”) certification centered on preventing information blocking and developing technical methods for data sharing. Specifically, health IT developers will be required to (1) attest that they do not engage in information blocking, (2) include application programming interfaces (“APIs”) in certified EHR technology, and (3) develop common data export formats to allow for transitions of care, data sharing, and EHR switching. It is also important to note that the proposed rule establishes seven explicit exceptions to the information blocking prohibition, including one for promoting the privacy and security of health information.

These rules could serve as a watershed moment in terms of data ownership, sharing and patient access. Yet these rules could also be disruptive to the way stakeholders in health care have historically operated relative to each other and the patients they serve. In any case, the regulators have sent their message . . . the “walls” must come down and data ought to flow more freely.

CMS and ONC have requested that stakeholders provide comments within 60 days of issuance of the proposed rule.


Alaap B. Shah


Ebunola Aniyikaiye

GenomeDx Biosciences Corp., which markets a genomic test (Decipher®) intended to assess the aggressiveness of prostate cancer, has agreed to pay $1.99 million to the U.S. Department of Justice to resolve allegations that it violated the False Claims Act (31 U.S.C. §§ 3729 et seq.) (“FCA”) by submitting claims to Medicare for tests conducted to evaluate treatment options for men after prostate surgery.

The government and a whistleblower alleged that between September 2015 and June 2017, GenomeDx knowingly submitted Medicare reimbursement claims for the Decipher® test that did not meet the six clinical prerequisites in the Local Coverage Determinations (“LCDs”) published by each of the Medicare Administrative Contractors (“MACs”). LCDs are published by MACs when they determine whether an item or service meets the “reasonable and necessary” test in Section 1862(a)(1)(A) of the Social Security Act, and under what circumstances. The prerequisites for a prostate cancer classifier assay to be deemed medically necessary include (1) evaluation for postoperative secondary therapy due to one or more risk factors for a recurrence within 60 months after a radical prostatectomy, (2) no evidence of any distant metastasis, and (3) pathological stage T2 disease with a positive surgical margin, pathological stage T3 disease, or rising prostate-specific antigen levels after an initial test result of 0.2 ng/ml or less.

Therefore, the government and the whistleblower alleged that, for each claim, GenomeDx had certified that the test was reasonable and necessary as defined in the LCD even though the clinical criteria or documentation requirements had not been met, because the patients did not have risk factors necessitating the test.

The issue of medical necessity for diagnostic services continues to be a primary issue in many health care-related cases filed pursuant to the FCA. The federal courts have confirmed that a laboratory may rely on the ordering physician’s determination of medical necessity, because laboratories do not and cannot treat patients or make medical necessity determinations; however, a laboratory may still be liable under the FCA if it knowingly presents claims for reimbursement of services that are not medically necessary.

Moreover, Medicare will still require documentation that demonstrates medical necessity to support payment for the test services. Thus, if adequate documentation is not provided, even where it is the ordering provider who failed to maintain the appropriate diagnostic or other medical information for his or her patient, it is the laboratory that will suffer the consequences of denial or recovery of reimbursement for the claim.

This settlement highlights the need for clinical laboratories, and all Medicare providers and suppliers, to determine before submitting claims whether any national or local coverage policies apply to their services and what prerequisites those policies impose, and to file claims only where there is a good faith belief that the relevant prerequisites have been met. Jurisdiction over claims for laboratory services furnished by an independent laboratory normally lies with the MAC serving the area in which the laboratory test is performed. If a provider disagrees with a national or local coverage determination, there are procedures either to challenge the policy or to request that it be revised and updated.

There is a new kid on the block . . . the Chief Data Officer (“CDO”). It is no surprise in our data-driven world that such a role would exist. Yet many organizations struggle with defining the role and value of the CDO. Effective implementation of a CDO may be informed by earlier evolutions in the C-Suite.

The rise of the Chief Compliance Officer (“CCO”) in the 2000s mirrors some of the same frustrations that organizations now face when implementing the CDO role. While organizations were accustomed to having legal, HR, and internal audit departments working together to ensure compliance, CCOs suddenly stepped in to pull certain functions from those departments into the fold of the newly minted Compliance department. Integrating CDOs appears to follow a similar pattern. Particularly in health care, the CDO role is still taking shape, absorbing functionality from other departments as demand inside organizations evolves and intensifies around the financial value of their data pools.

Corporate evolution is challenging and often uncomfortable, but the writing is on the wall . . . there are two types of companies: ones that are data-driven and ones that should be. Which will you be?

What Is a Chief Data Officer?

CDO responsibilities will vary depending on the organization. Some organizations position the CDO to oversee data monetization strategies, which requires melding business development acumen with attributes of a Chief Information Officer. In other organizations, the CDO may oversee the collection of all of the company’s data in order to transform it into a more meaningful resource to power analytical tools.

A survey of CDO positions identified three common aspirations that organizations have for the role: Data Integrator, Business Optimizer, and Market Innovator. Data Integrators primarily focus on infrastructure to give rise to innovation. Business Optimizers and Market Innovators focus on optimizing current lines of business or creating new ones. These aspirations will likely vary depending on the nature and maturity of organizations. Regardless of the specific role, CDOs can help organizations bridge the widening gap between business development, data management, and data analytics.

Further, a key component of a CDO’s activity will relate to responsible data stewardship. CDO activities will depend heavily on developing a data strategy that respects the legal, regulatory, contractual, and data governance boundaries around data collection, use, and disclosure. CDOs should work closely with legal counsel and compliance personnel to navigate these challenges effectively. Further discussion of the legal and regulatory landscape around data use is available here.

The Importance of CDOs in Transforming Healthcare Companies

It is clear that leveraging data will be key to innovating, gaining efficiencies, and driving down costs over time. Yet many organizations continue to struggle with making sense of the data they possess. For some, the CDO may be the critical driving force that advances the business into a new landscape. Just as the CCO helped address decades of frustration with corporate ethics and practices (and was soon demanded by lawmakers and regulators), the role of the CDO has emerged in response to demand for efficiencies in business practices and the recognition that data has become the world’s most valuable commodity.

In light of the explosion of data in the health care industry, organizations should consider whether and how a CDO will fit into the corporate structure. Furthermore, organizations should work to understand how having a person at the table with a keen eye toward giving life to the organization’s data resources can benefit the business long term, from both internal and external perspectives. The ultimate question a CDO can help answer is: What don’t we know that, if we knew it, would allow our organization to innovate or to operate more efficiently or effectively?


Alaap B. Shah


Andrew Kuder

Data is king! A robust privacy, security and data governance approach to data management can position an organization to avoid pitfalls and maximize value from its data strategy. In fact, some of the largest market-cap firms have successfully harnessed the power of data for quite some time. To illustrate this point, the Economist boldly published an article entitled “The world’s most valuable resource is no longer oil, but data.” This makes complete sense when research shows that 90% of all data in existence today was created in the last two years, and that approximately 2.5 quintillion bytes of data are now created every day.

This same trend has taken hold in the health care industry as it seeks to rapidly digitize and learn from data in order to bend the cost curve down, increase the quality of outcomes, and improve overall population health. Specifically, there is an ever-growing pool of health data being generated by providers, payors, life sciences companies, digital health companies, diagnostic companies, laboratories, and a cornucopia of other entities. Recent estimates indicate that the volume of health care data is growing rapidly: 153 exabytes were produced in 2013, and an estimated 2,314 exabytes will be produced in 2020. This translates to an overall rate of increase of at least 48 percent annually. But to what end?

The rapid production and aggregation of data is being met with increasing demand to access and analyze this data for a variety of purposes. Life sciences companies want access to conduct pre-market analysis, clinical trials and post-market surveillance. Providers want access to conduct population health research. AdTech and marketing companies want it to . . . you guessed it . . . sell more things. These examples are just the tip of the proverbial iceberg when it comes to the secondary data analytics market.

Nevertheless, there are various issues that must be addressed before aggregating, sharing, and using such data.

First and foremost, identifiable health data is typically treated as a sensitive class of information warranting protection. As such, entities should consider whether their intended activities must comply with applicable privacy and security regulations. Depending on the data being collected, the uses and disclosures of such data, and the jurisdictions within which the data is stored and processed, entities may be subject to a wide array of legal obligations, including one or more of the following:

  • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
  • the Common Rule
  • the EU General Data Protection Regulation (“GDPR”)
  • 42 C.F.R. Part 2
  • State data protection and breach laws and regulations
  • Food and Drug Administration (“FDA”) regulations; or
  • Federal Trade Commission (“FTC”) regulation.

Second, entities must consider contractual obligations, including property rights governing data collection, aggregation, use, and disclosure. The contractual obligations that should be evaluated will depend largely on the nature of the data collected, the contemplated uses and disclosures of such data, and the laws and regulations applicable to such collection, use and disclosure. Accordingly, entities should also consider the impact of upstream and downstream agreements on the rights to collect, use or disclose data throughout the chain of custody. Agreements that warrant consideration may include:

  • Master Services Agreements
  • Data Use Agreements
  • Business Associate Agreements
  • Data Sharing Agreements
  • Confidentiality/Non-disclosure Agreements
  • Terms of Use/Privacy Policies (and other representations made to consumers).

Third, even if collection, aggregation and analysis is permissible under law, regulation and contract, companies must still consider whether additional data governance principles should be implemented to guide responsible data stewardship. It is critical to remember that businesses that mishandle personal data can lose the trust of customers and suffer irreparable reputational harm. To mitigate such risks, entities should consider developing data governance principles guided by fair information practices, including: openness/transparency, collection limitation, data quality, purpose specification/use limitation, accountability, individual participation and data security.


Patricia M. Wagner


Alaap B. Shah

Recently, the U.S. Department of Health & Human Services (“HHS”) issued guidance on health care cybersecurity best practices. As required under the Cybersecurity Act of 2015 (“CSA”), this four-part guidance was generated by a Task Group charged with the following:

  1. Examining current cybersecurity threats affecting the healthcare and public health sector;
  2. Identifying specific weaknesses that make healthcare and public health organizations more vulnerable to cybersecurity threats; and
  3. Providing certain practices that cybersecurity experts rank as most effective against such threats.

This technical assistance comes at a critical time. Health care organizations, regardless of size, complexity or sophistication, are vulnerable to cyber-attacks. For example, while smaller organizations may think that cyber threats such as ransomware tend to affect larger organizations, approximately 58% of malware attack victims are small businesses. Furthermore, cybersecurity attacks in 2017 cost small and medium-sized businesses an average of $2.2 million.

Most surprisingly, despite the increased frequency of cyber-attacks over the last two years, and despite the cost of data breaches being highest in health care, the health care industry continues to lag behind in cybersecurity preparedness. Health care organizations spend about 4-7% of their total IT budgets on cybersecurity, while other industries spend approximately 10-14%. There is certainly a need, and significant room, for improvement across the industry.

The main volume of the new HHS guidance document identifies the five most prevalent cybersecurity threats as:

  • E-mail phishing attacks;
  • Ransomware attacks;
  • Loss or theft of equipment or data;
  • Insider, accidental or intentional data loss; and
  • Attacks against connected medical devices that may affect patient safety.

The guidance document also shares ten best practices to mitigate cybersecurity threats (covered in more detail in corresponding Technical Volumes):

  • E-mail protection systems;
  • Endpoint protection systems;
  • Access management;
  • Data protection and loss prevention;
  • Asset management;
  • Network management;
  • Vulnerability management;
  • Incident response;
  • Medical device security; and
  • Cybersecurity policies.

With this new cybersecurity guidance from HHS, health care companies can be better equipped to strengthen their security and more effectively tackle cyber threats. Companies should prioritize these efforts because cybersecurity preparedness can reduce patient privacy risk, protect patient safety and ultimately preserve an organization’s reputation.


Alaap B. Shah


Daniel Kim

On December 14, 2018, the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request for Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.” OCR is seeking comments on a series of 54 specific questions (many with additional subparts) corresponding to the following five major topic areas: (1) the promotion of information sharing for treatment and care coordination; (2) the promotion of parental and caregiver involvement in addressing the opioid crisis and serious mental illness; (3) additional ways to remove regulatory obstacles and burdens to facilitate care coordination and promote value-based health care; (4) an effective means to implement the accounting of disclosures requirement of the HITECH Act; and (5) Notice of Privacy Practices operational practices.

While some of the questions ask for factual information (such as the typical time it takes a covered entity to transfer PHI to another covered entity), many of the questions raise larger policy issues. For example, the RFI includes a series of questions on whether it would make sense to have health care clearinghouses play a much more direct role in providing information to individuals, whether health care clearinghouses should be treated only as covered entities, and, if so, whether other covered entities could impose contractual obligations on health care clearinghouses to protect PHI without the use of a business associate agreement. Similarly, the RFI includes multiple questions on whether OCR could amend the Privacy Rule to allow for better coordination for patients suffering from a substance use disorder or serious mental illness, and how such changes might interact with current state privacy laws and 42 C.F.R. Part 2, which would otherwise prohibit the sharing of such information.

From an operational perspective, the RFI requests comments on how to effectively implement the HITECH Act requirement to provide an accounting of all disclosures made through an electronic health record, and on whether requiring providers to make a good faith effort to obtain written acknowledgement from a patient that they have received a Notice of Privacy Practices places an unnecessary burden on providers and perhaps inadvertently confuses patients.

OCR is requesting comments on these questions on or before February 12, 2019.

In the tech world, blockchain technology is often presented as a panacea for all problems. As blockchain technology becomes increasingly popular, many industries are trying to determine the best way to use it. Health care is no different in this quest. Health care is an optimal candidate to benefit from innovative ways of solving its pressing issues with transformational technology. Blockchain could be the technology that helps alleviate some of health care’s problems, such as the incredibly fragmented delivery of care and the painstakingly slow reaction to technological advances.

What is Blockchain Technology?

An over-simplified explanation of blockchain is a shared database that is stored, in full, on every computer in a network rather than in one data center. Information, also known as “a record,” is grouped into a block. For example, a record of you paying Mr. Smith 10 dollars is placed in a block along with a time stamp. Each new block also carries a cryptographic fingerprint (a hash) of the block before it, so the blocks form a chronologically ordered chain; this is the blockchain. Because every block’s fingerprint depends on the one before it, changing a record in an old block changes its fingerprint and breaks the link to every later block. An attacker who edits a record would therefore have to rewrite every subsequent block, and even then the altered copy would no longer match the copies held by the other participants, who accept changes only by consensus. Blockchain technology thus distributes and decentralizes information: no central company or single person holds the authoritative copy, which makes it extremely difficult for any one party to take down or corrupt the network. Blockchain technology was first used as the public transaction ledger for bitcoin. Bitcoin uses it to prevent double spending (spending the same digital coin more than once) without the need for a trusted authorizer or central server.

Blockchain and Health Care

Blockchain technology could play a role in the industry’s goal of improving the quality of care through care coordination. Care coordination often involves the sharing of information between multiple providers. Blockchain technology could make this process more efficient by storing a variety of information, including provider and patient details, from electronic health records (“EHR”) on a network of computers. Information entered into an EHR would be recorded on a ledger whose copies are held by the providers and the patient. Each provider and the patient would hold a copy of the chain, allowing each of them to validate updates to the patient’s record, with new entries accepted only by the consensus of the providers and the patient. Using blockchain in this fashion would give patients control over their care while also encouraging care coordination, because providers would have to interact with one another to update a patient’s file. In this sense, blockchain could take the first step in facilitating the improvement of patient care as a whole.

Blockchain could also change the health care industry’s exposure to attacks on patient data because of its decentralized and distributed structure. Attacks often involve a hacker entering a single system or database; with the ledger held in multiple locations, an intruder who alters or destroys records on one system is detected when that copy no longer agrees with the others. That protection is for the integrity and availability of the records, however, not their confidentiality: replicating a record to every participant gives an intruder more places from which to read it, so any protected health information kept on such a ledger would need to be encrypted, or stored off-chain with only references on the chain.

However, as with any heavily regulated industry, implementing blockchain will not be easy. There are state and federal legal roadblocks that hinder blockchain’s viability. The Health Insurance Portability and Accountability Act (“HIPAA”), for example, could hinder the sharing of health information across a network of computers due to its restrictions on the use and disclosure of protected health information (“PHI”). Furthermore, state and federal laws would have to be updated to facilitate this technological advance. Despite these hurdles, there may be a glimmer of hope. The Centers for Medicare & Medicaid Services is dedicated to improving interoperability and patients’ access to health information through its Promoting Interoperability program. The agency’s push for moving health care toward EHRs has the potential to be pivotal if the industry uses blockchain or a similar technology to improve patient access to health information.

Blockchain may not be a solution for today; it will take time to change state and federal laws regarding health information to facilitate such technology. However, the promotion of initiatives encouraging use of EHRs may be priming the industry to make a place for blockchain in the future.

The Office of Inspector General (“OIG”) of the U.S. Department of Health and Human Services issued Advisory Opinion No. 18-03 in support of an arrangement under which a federally qualified health center look-alike (the “Provider”) would donate free information technology-related equipment and services to a county health clinic (the “County Clinic”) to facilitate telemedicine encounters with the County Clinic’s patients (the “Proposed Arrangement”). The OIG concluded that although the Proposed Arrangement could potentially generate prohibited remuneration under the federal Anti-Kickback Statute (“AKS”) and Civil Monetary Penalties Law (“CMPL”) if the requisite intent to induce or reward referrals of federal health care program business were present, the OIG would exercise its discretion and not sanction the Provider or the County Clinic (collectively the “Requestors”).

The OIG’s analysis and conclusion regarding the Proposed Arrangement provides new insight into the government’s position on donations of this type that facilitate telemedicine encounters, and specifically on how the government views such donations in light of the continued expansion of coverage and reimbursement of telemedicine services under federal health care programs. The Advisory Opinion indicates support for the development of collaborative telemedicine affiliations, and suggests that the potential remuneration from future referrals can be outweighed by the access to health care services and the benefits actually received by rural or remote communities.

Proposed Arrangement

The County Clinic is a division of the County Department of Health that furnishes certain confidential sexually transmitted infection testing, treatment and counseling. The Provider has an existing referral relationship with the County Clinic, but the facilities are separated by about 80 miles, making it difficult for patients to access the Provider. Under the Proposed Arrangement, the Provider would donate information technology-related equipment and services to the County Clinic to facilitate telemedicine encounters between the Provider and the County Clinic’s patients for certain HIV prevention and treatment services. The Provider would cover the costs of the equipment, its set-up, and its maintenance through grant funding from the State Department of Health. The Provider would bill the Medicare program for the professional services delivered in the telemedicine encounters. The County Clinic would house the equipment and bill the state Medicaid program an originating site fee related to the telemedicine encounters. The originating site is not required to provide any personnel or equipment in order to bill the facility fee (Q3014); providing the location for the telehealth consult is the only coverage requirement.

OIG Analysis

The AKS makes it a criminal offense to knowingly and willfully offer or receive remuneration in an effort to induce or reward referrals of items or services reimbursable by federal health care programs. The CMPL provides for penalties against any person who offers or transfers remuneration to a Medicaid or Medicare beneficiary that the benefactor knows or should know is likely to influence the beneficiary’s selection of a specific provider, service, or item that will be paid, in whole or in part, by Medicaid or Medicare.

Under the Proposed Arrangement, the County Clinic would receive remuneration in the form of the free equipment and services, and the Provider would have the opportunity to bill for the telehealth consultations referred by the County Clinic. As such, the OIG acknowledged that the Proposed Arrangement could potentially generate prohibited remuneration under the federal AKS if the requisite intent to induce or reward referrals of services payable by a federal health care program were present. However, the OIG identified the following factors as minimizing the potential risk of fraud and abuse:

  • There are safeguards in place to prevent patient steering to the Provider for treatment; namely, use of the technology with any other provider is not restricted, and patients are given the option of either a virtual or an in-person consultation
  • The arrangement is not likely to result in patient steering for prescriptions to any pharmacy operated by the Provider or the County Clinic
  • There would be no increased cost to any federal health care program
  • Patients would benefit from increased access to treatment, making it more likely that they will seek out and receive such services

It is important to keep in mind that under the Proposed Arrangement the County Clinic would not obtain ownership of the equipment: the Provider would use grant funds awarded by the State Department of Health to cover the costs of the equipment and services, and the state agency would retain title and have the authority to recover the equipment at any time. This could prove to be an important distinction concerning whether and how donating providers can furnish information technology-related equipment and services to referring facilities in other arrangements.

Notes and Comments

In prior Advisory Opinions (99-14, 04-07 and 11-12) concerning donations of information technology-related equipment and supplies, the OIG similarly concluded that it would not pursue sanctions; however, those proposed arrangements would not have directly resulted in a service payable by a federal health care program, but rather would only potentially have resulted in other items or services being furnished to the patient by the donating provider. Under the Proposed Arrangement, both the County Clinic and the Provider would be in a position to submit claims to a federal health care program as a result of the telemedicine encounter and follow-up services. Nevertheless, the OIG concluded that there would be no increased cost to any federal health care program because the County Clinic would have performed the preliminary tests and referred clinically appropriate patients for in-person consultations and, potentially, follow-up items and services regardless of the Proposed Arrangement.

While the analysis acknowledges the additional reimbursement the County Clinic would receive for serving as the originating site (i.e., the location of the Medicaid beneficiary when the service furnished via a telecommunications system occurs), there is no actual analysis of this facility fee and of why it is not considered an increased cost. To be clear, the County Clinic does not itself provide the HIV preventive services to be delivered by the Provider via the telemedicine consultation, and therefore it would not previously have received any payment when a patient was referred to the Provider for an in-person consultation.

Again, it appears that the OIG is willing to prioritize the health benefits to patients over any secondary or tertiary benefits to the referring provider; especially when such subsequent benefits are unlikely to result in overutilization and have the potential to decrease costs to federal health care programs.

The National Institute of Standards and Technology (“NIST”) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the development and promulgation of policies, guidelines and regulations dealing with cybersecurity standards and best practices.  NIST claims that its cybersecurity program promotes innovation and competitiveness by advancing measurement science, standards, and related technology in ways that enhance economic security and quality of life. Its standards and best practices addressing interoperability, usability and privacy continue to be critical for the nation. NIST’s latest announcement is directed at eventually providing security guidance for the healthcare sector’s most common uses of data, inasmuch as that industry has increasingly come under attack.

The current announcement is reflective of the interest of NIST and the Food & Drug Administration (“FDA”), the primary regulatory agency for medical devices, in the so-called Internet of Things (“IoT”).  Thus, NIST, through its National Cybersecurity Center of Excellence, will accept proposals up to June 8, 2018, for “products and technical expertise” relevant to the creation of guidelines for securing data used by Picture Archiving and Communication Systems (“PACS”). NIST will attempt to harmonize the requirements for patient imaging devices with NIST’s overall cybersecurity framework.

The proposed project will examine the specific uses and regulatory requirements for patient imaging devices, and how those varying considerations apply to the use of the NIST cybersecurity framework. As the NIST project summary notes, PACS are regulated by the FDA as “class II” devices that provide one or more functions related to the “acceptance, transfer, display, storage, and digital processing of medical images.”  These devices, which can be found in virtually every hospital, are not only vulnerable to cyber-attack in and of themselves, but NIST sees them as a “pivot point into an integrated healthcare information system.”

The current imaging device project follows last year’s release of draft guidelines for wireless infusion pumps, and evidences the government’s continuing concern, not only with the security of the IoT, but with specific reference to the vulnerable health care sector.

Epstein Becker Green routinely deals with questions related to medical device regulation and cybersecurity. For further information, you can contact Stuart Gerson, Adam Solander, Bradley Merrill Thompson or James Boiani.

Our colleague at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers: “The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare.”

Following is an excerpt:

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space, increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the GDPR:

What does the GDPR do? The GDPR unifies European data and privacy protection laws as to companies that collect or process the personally identifiable information (“PII” or, as the GDPR calls it, “personal data”) of European residents (not just citizens). …

Read the full post here.