HIPAA & Health Information
On February 9, a group of senators led by Tammy Baldwin of Wisconsin and Bill Cassidy of Louisiana introduced a new bill, the Health Data Use and Privacy Commission Act (the “Act”), in attempt to revitalize current legislation regarding the protection and use of health data. The bill also has the support of a number of representatives from within the healthcare industry, including Epic, IBM, and Teladoc Health, as well as a number of professional associations like the American College of Cardiology, the Association for Behavioral Health and Wellness, and the Association of Clinical Research Organizations.
Cyberattacks on the healthcare industry have reached a fever pitch. In 2020 alone, there was a drastic increase in healthcare organization cybersecurity breaches. In 2021, the average cost of a healthcare data breach increased by over $2 million to $9.23 million. Healthcare providers continue to be the most targeted industry for cybersecurity breaches, with over ninety-three percent of healthcare organizations experiencing a data breach over the past three years. 306 breaches of unsecured protected health information (“PHI”) impacting 500 or more individuals were reported to the U.S. Department of Health and Human Services (“HHS”) in 2020. Yet healthcare organizations continue to be ill-equipped to handle this growing problem.
The COVID-19 pandemic has fundamentally changed many aspects of healthcare delivery. Most notably, the pandemic increased the demand for digital health services. Telemedicine saw ten years’ worth of expansion in one year, but it was not the only digital health service that exploded as a result of the pandemic. Telehealth has evolved from merely meeting with a provider via a video conference to include more sophisticated technologies. Remote Patient Monitoring (“RPM”) allows for providers to collect patient data without the patient having to go to a healthcare facility for monitoring. RPM can improve the quality of healthcare delivery by more closely monitoring a patient while also reducing patient volumes within a healthcare setting. In addition, because RPM allows patients to get more care at home, it can largely reduce costs to the patient and the payor while increasing access. Despite the many benefits associated with RPM, there are considerable risks and compliance issues.
Joanna Shea Associate Editor Loyola University Chicago School of Law, JD 2022 A common topic of COVID-adjacent conversation these days is the ‘silver lining’ – unexpected positives resulting from the dark grey cloud that has claimed over half a million lives in the United States. Emergency adaptation measures taken by industries otherwise slow to modernize …
President Joe Biden has issued a number of Executive Orders, many of which address the ongoing COVID-19 public health emergency. On January 21, 2021, President Biden released another pillar of his Administration’s long-term plan to direct the United States out of the throes of the pandemic. The twelfth Executive Order titled, “Ensuring a Data-Driven Response to COVID-19 and Future High-Consequence Public Health Threats” orders the Department of Health and Human Services (“HHS”) Secretary Alex Azar to conduct a nationwide review of the interoperability of public health data systems in an effort to enhance the collection, sharing, analysis, and collaboration of de-identified patient data.
It cannot be denied that the COVID-19 pandemic has led to many novel legal and regulatory issues. One topic of major concern both domestically and abroad is how to manage the massive amounts of consumer data being collected in the attempt to quell the spread of the virus. This issue is especially complicated to address in the United States, where a convoluted patchwork of state and federal laws interact to create a relentlessly fragmented data regulation system. Now, as state and local governments, along with tech giants like Apple and Google, continue to roll out contact tracing applications, the need for comprehensive data privacy regulation is more pressing than ever.
The Health Insurance Portability and Accountability Act – enacted in 1996 by the U.S. Congress and signed by then-President Bill Clinton – has long served to maintain the standards of electronic health records and patient privacy, among many other provisions. Violating HIPAA can result in both criminal prosecution as well as steep civil penalties. As the healthcare industry transitioned from the use of paper records to storing patient data on electronic health records over the last two decades, health organizations have learned to adapt to HIPAA compliance, with many increasing their compliance programs by hiring full-time compliance officers, designating an individual as the compliance manager, and/or appointing a compliance committee within the organization.
On November 18th, 2019, Congress introduced the Stop Marketing and Revealing the Wearables and Trackers Consumer Health Data Act, known as the Smartwatch Data Act. The Smartwatch Data Act was introduced by Democratic Senator Jacky Rosen and Republican Senator Bill Cassidy, due to Google’s desire to acquire fitness tracker manufacturer Fitbit in 2020. Since notice of this acquisition, privacy advocates have raised concerns about how Google will use personal health data collected through Fitbit devices. Therefore, this legislation aims to ensure that health data collected through fitness trackers, smartwatches, and health apps, cannot be sold without consumer consent.
Earlier in 2019, a lawsuit was filed against University of Chicago Medicine, University of Chicago Medical Center, and Google. The suit claims that patient information was shared with google as part of a study aimed to advance the use of Artificial Intelligence, however, patient authorization was not obtained and the data used was not properly de-identified. In 2017, University of Chicago (UChicago) Medicine started sending patient data to Google as part of a project to look to see if historical health record data could be used to predict future medical events.
On September 9th, 2019, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued its first enforcement action and settlement under its Right of Access Initiative. This came as a reaction to Bayfront Health St. Petersburg (Bayfront) paying $85,000 in fines to OCR. Bayfront adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule after they failed to provide a mother timely access to the records about her unborn child. In response, the OCR Director, Roger Severino, stated “[w]e aim to hold the health care industry accountable for ignoring peoples’ right to access their medical record and those of their kids.”