Health Information Technology

As discussed in an earlier blog post, the New York state Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) was signed into law on July 25, 2019. As a potential unintended side effect, the SHIELD Act may require health care companies to provide notification to the NY Attorney General for events that occurred well before its enforcement date. While the SHIELD Act’s data security requirements, which are covered under §4, will not come into effect until March 21, 2020, all other requirements, including the breach notification requirement, became effective on October 23, 2019. The notification enforcement date is important for any Covered Entity, as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), that has suffered a Breach, as defined by HIPAA, that involved fewer than 500 individuals (“Minor HHS Breach”), was a breach of computerized data, and involved a New York resident.
Continue Reading Annual Breach Reporting Required Under NY SHIELD Act for Some Health Care Companies

On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of PHI.

As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties.  In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.  
Continue Reading HHS Addresses Federal Court Invalidation of Certain Provisions of the HIPAA Rule Relating to the Third-Party Requests for Patient Records

Based on their extensive experience advising health care industry clients, Epstein Becker Green attorneys and strategic advisors from EBG Advisors are predicting the “hot” health care sectors for investment, growth, and consolidation in 2020.  These predictions for 2020 are largely based on the increasing confluence of the following three key “drivers” of health industry transformation that is substantially underway:

  1. The ongoing national imperative of reducing the cost of health care, via disease prevention and detection, and cost-effective, quality treatment, including more efficient care in ambulatory and retail settings;
  2. Extraordinary advances in technologies which enhance disease prevention, detection and cost-effective treatment (e.g., artificial intelligence (AI)-driven diagnosis and treatment, virtual care, electronic medical record (EMR) systems, medical devices, gene therapy, and precision medicine); and
  3. The aging baby-boomer population, with tens of millions of Americans entering into their 70s, 80s, and above.


Continue Reading 7 Hot Health Care Industry Sectors for Investment, Growth & Consolidation in 2020

On September 10, 2019, the Office of Inspector General of the Department of Health and Human Services (“OIG”) published Advisory Opinion 19-04.  In this favorable opinion, OIG approved a technology company’s proposal to make its online healthcare directory search results visible to federal healthcare beneficiaries in locations where the company charges the healthcare professionals

The market for direct-to-consumer (“DTC”) genetic testing has increased dramatically over recent years as more people are using at-home DNA tests. The global market for this industry is projected to hit $2.5 billion by 2024. Many consumers subscribe to DTC genetic testing because it can provide insights into genetic backgrounds and ancestry. However, as

The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people.  However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.

AI cybersecurity tools can enable organizations to improve data security by detecting

Consumer privacy protection continues to be top of mind for regulators given a climate where technology companies face scrutiny for lax data governance and poor data stewardship.  Less than a year ago, California passed the California Consumer Privacy Act (CCPA) of 2018, to strengthen its privacy laws.  In many regards, the CCPA served as

The Office of Inspector General (“OIG”) for the Department of Health and Human Services recently issued an Advisory Opinion that provides insight into how the agency evaluates arrangements that deal with the integration of technology, medicine, and patient monitoring under the federal Anti-Kickback Statute (“AKS”). In Advisory Opinion No. 19-02, OIG evaluated whether a

One well-recognized way to protect patient privacy is to de-identify health data.  However, trends around increases in publicly-available personal data, data linking and aggregation, big data analytics, and computing power are challenging traditional de-identification models.  While traditional de-identification techniques may mitigate privacy risk, the possibility remains that such data may be coupled with other information