With COVID-19 rapidly spreading, telehealth services have been seeing an explosion of demand. On March 17, 2020, President Trump announced during a White House press briefing an unprecedented expansion of telehealth services for the 62 million Medicare beneficiaries who are amongst the most vulnerable to the disease. The Department of Health and Human Services (“HHS”) and Centers for Medicare and Medicaid Services (“CMS”) have since vowed to work with the administration by temporarily relaxing certain HIPAA requirements and altering licensure, cost-sharing, and auditing requirements. As the number of patients increases, compliance and privacy risks associated with telehealth also surge.
Last year, the Department of Health and Human Services (“HHS”) proposed new rules to improve the interoperability of electronic health information (“EHI”) to fulfill its statutory requirement under the 21st Century Cures Act. These proposed rules were issued by the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) to address both technical and healthcare industry factors that create barriers to the interoperability of health information and limit a patient’s ability to access EHI. Epic, one of the largest programs for maintaining electronic health records (“EHR”), is attempting to halt the finalization of the interoperability rules before they take effect, as it believes they pose privacy concerns. On March 9, 2020, HHS announced the joint final rules from CMS and ONC to spur innovation and to end information blocking.
On January 31, 2020, the Secretary of Health and Human Services (“HHS”) Alex Azar declared a public health emergency (“PHE”) over the outbreak of the new coronavirus. The PHE response requires coordination with a complex set of federal, state, tribal, and local laws, and effective compliance calls for a comprehensive understanding of the legal implications and ramifications, which impose challenges from adherence to certain federal laws.
The use of facial recognition technology in the commercial context generates numerous consumer privacy concerns. As technology becomes increasingly present in many aspects of our lives, regulations at the state and federal levels are struggling to catch up. Currently, only three states (Illinois, Washington, and Texas) have implemented biometric privacy laws, and only Illinois grants individuals a private right of action.
On September 9th, 2019, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued its first enforcement action and settlement under its Right of Access Initiative. This came as a reaction to Bayfront Health St. Petersburg (Bayfront) paying $85,000 in fines to OCR. Bayfront adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule after it failed to provide a mother timely access to the records about her unborn child. In response, the OCR Director, Roger Severino, stated “[w]e aim to hold the health care industry accountable for ignoring people’s right to access their medical record and those of their kids.”
Despite industry groups’ and tech companies’ numerous efforts over the past few months to water down and ultimately halt the first-ever U.S. data privacy law, the California Consumer Privacy Act of 2018 (“CCPA” or “the Act”), the CCPA had its final language set on September 13, 2019, the end of California’s legislative calendar, and will go into effect on January 1, 2020. The goal is to give California residents control of their personal information collected and processed by companies.