US Private Sector Privacy Medical PDF 2024
Georgia Tech
2024
Summary
This document from Georgia Tech details U.S. private sector privacy law, covering HIPAA and other privacy protections for health information, as well as related topics such as the Health Information Technology for Economic and Clinical Health Act (HITECH).
MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 8 – as of 02/19/2024 © IAPP

... the Genetic Information Nondiscrimination Act of 2008 (GINA). The chapter ends with a summary of the privacy protections included in the 21st Century Cures Act.

One potential source of confusion is that an individual’s health-related information in the United States is protected differently depending on the setting. For example, HIPAA applies to “covered entities,” notably including healthcare providers and insurers as well as “business associates” who receive data from covered entities. By contrast, health information in the hands of other entities is generally not protected by HIPAA. Suppose, for instance, that an individual buys a book about a rare form of cancer. That book purchase, along with other book purchases, is covered by the bookstore’s privacy policy (if one exists). A California bookstore would also be covered by California’s Reader Privacy Act, [3] but would not be covered by HIPAA. Similarly, the records of a website that provides detailed information about this form of cancer may show that the same user has come back repeatedly with questions about the disease. This website is likely outside the scope of HIPAA, yet potentially covered by California’s Confidentiality of Medical Information Act. [4]

As another example, consider the legal regulation of wearables, which are electronic devices that individuals can place on their bodies and that may collect medical information in real time. When the wearable is provided under the supervision of a medical provider, the health data generally is covered by HIPAA. If the same data comes from a person’s smart watch, however, the data generally goes to a manufacturer or other company that is outside the scope of HIPAA. Such a company is generally subject to privacy enforcement by the Federal Trade Commission (FTC) for unfair or deceptive trade practices, as discussed in Chapter 5. Because U.S. privacy law and self-regulatory efforts vary by sector, the privacy professional should examine carefully whether personal information, including health-related information, is covered by HIPAA or some other sector-specific law. [5]

8.1 The Health Insurance Portability and Accountability Act of 1996

Prior to 1996, the United States did not have a comprehensive medical privacy law. HIPAA became law in 1996. By the early 2000s, the HIPAA privacy and security rules had been put in effect. They have been updated periodically since then, most notably by the HITECH Act of 2009.

The initial reason for HIPAA was not to protect privacy and security. Instead, Congress was seeking to meet other goals, including improving the efficiency of healthcare delivery. [6] To improve efficiency, HIPAA required entities receiving federal healthcare payments such as Medicare and Medicaid to shift reimbursement requests to electronic formats. At the same time, Congress realized that the shift from paper to electronic reimbursements posed a threat to privacy and security. Accordingly, HIPAA required the U.S. Department of Health and Human Services (HHS) to promulgate regulations to protect the privacy and security of healthcare information.

Protected health information (PHI) is defined as any individually identifiable health information that is transmitted or maintained in any form or medium; is held by a covered entity or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present or future physical or mental condition, provision of health care, or payment for healthcare to that individual. [7] Electronic protected health information (ePHI) is any PHI that is transmitted or maintained in electronic media (such as computer hard drives, magnetic tapes or disks, or digital memory cards, all of which are considered electronic storage media).
NOT FOR DISSEMINATION: The materials in this course are provided only for the personal use of students in this class in association with this class.

Paper records, paper-to-paper fax transmissions, and voice communications (e.g., telephone) are not considered transmissions via electronic media. [8] This statutory link to electronic reimbursements helps clarify which healthcare information is covered under HIPAA. Entities that are directly covered under HIPAA (“covered entities”) include: [9]

- Healthcare providers (e.g., doctors’ offices, hospitals) that conduct certain transactions in electronic form
- Health plans (e.g., health insurers)
- Healthcare clearinghouses (e.g., third-party organizations that host, handle or process medical information) [10]

It is important to understand that HIPAA applies to these covered entities but not to other healthcare providers and services. For instance, some doctors accept only cash or credit cards and do not bill for insurance. [11] They are not covered by HIPAA. More broadly, individuals reveal medical information in a wide variety of settings, ranging from conversations with friends and colleagues to purchasing books about healthcare, surfing healthcare websites, and even posting medical information online. These sorts of healthcare information are outside the scope of HIPAA. [12]

Before the HITECH update, business associates were not subject to HIPAA but became subject to privacy and security protections under the written contracts they signed with covered entities. Under HITECH, however, HIPAA privacy and security rules are codified and apply directly to business associates. [13] Beyond covered entities, HIPAA creates important obligations for business associates, including, for example, cloud storage providers that handle PHI knowingly or unknowingly. [14]

Under the Privacy Rule, a business associate is any person or organization, other than a member of a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services or activities involve the use or disclosure of PHI. [15] Business associates may provide services and activities such as claims processing, data analysis, utilization review, and billing, as well as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and/or financial services. [16]

Before the release of HHS’s final rule under HITECH, when a covered entity engaged another entity to provide the activities and services described above, the Privacy Rule required that the covered entity enter into a business associate agreement (a contract) with that other entity. [17] This contract would include provisions that passed the privacy and security standards down to the contracting entity. Also, the business associate agreement had to be in writing, although it could be signed electronically as long as such signatures are valid as “written signatures” under the applicable state’s contract laws. Modifications to the Security Rule in HITECH, however, now require business associates and covered entities to implement reasonable, appropriate safeguards to protect PHI (in addition to signing a business associate agreement). [18] As such, covered entities and business associates should implement security practices that, on the whole, comply with the Security Rule. [19]

8.1.1 The HIPAA Privacy Rule

In August 2000, HHS promulgated the regulations on standard electronic formats for healthcare transactions, known as the “Transactions Rule.” This was followed in December 2000 by rules concerning the privacy of protected health information, known as the Privacy Rule. [20] The initial HIPAA Privacy Rule was revised somewhat in 2002. [21] In February 2003, HHS promulgated the final “Security Rule.” In January 2013, the Privacy and Security rules were modified to implement statutory amendments under HITECH, which is discussed fully below. The definition of covered entity is the same for all three rules.

8.1.1.1 The Privacy Rule and the Fair Information Privacy Practices

Compared with other U.S. privacy laws, HIPAA provides perhaps the most detailed implementation of the Fair Information Privacy Practices (FIPPS), including requirements concerning privacy notices, authorizations for use and disclosure of PHI, limits on use and disclosure to the minimum necessary, individual access and accounting rights, security safeguards, and accountability through administrative requirements and enforcement. There are also important exceptions to the HIPAA rules. The following are some of the key privacy protections:

Privacy notices. The Privacy Rule generally requires a covered entity to provide a detailed privacy notice at the date of first service delivery. There are some defined exceptions to the notice requirements. For example, a privacy notice does not have to be provided when the healthcare provider has an “indirect treatment relationship” with the patient or in the case of medical emergencies. The rule is quite specific about the elements that must be included in the notice, including detailed statements about individuals’ rights with respect to their PHI.

Authorizations for uses and disclosures.
Consistent with the statutory goal of improving efficiency in the healthcare system, HIPAA itself authorizes the use and disclosure of PHI for essential healthcare purposes: treatment, payment and operations (collectively, TPO), as well as for certain other established compliance purposes. Other uses or disclosures of PHI require the individual’s opt-in authorization. An authorization is an independent document that specifically identifies the information to be used or disclosed, the purposes of the use or disclosure, the person or entity to which a disclosure may be made, and other information. A covered entity may not require an individual to sign an authorization as a condition of receiving treatment or participating in a health plan. Additional, strict rules apply to authorizations to use or disclose psychotherapy notes. [22] Specific rules define when the opt-in is required for marketing purposes. For instance, face-to-face communications by a covered entity to an individual are not considered marketing.

“Minimum necessary” use or disclosure. Other than for treatment, covered entities must make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose. As discussed more fully below, covered entities may disclose PHI to a business associate (such as a billing company, third-party administrator, attorney, or consultant) only if the covered entity ensures that the business associate is bound by all of the obligations applicable to the covered entity, including the minimum necessary standards.

Access and accountings of disclosures. Under the Privacy Rule, individuals have the right to access and copy their own PHI from a covered entity or a business associate. The right applies to PHI kept in a “designated record set,” which is a fairly broad definition including a patient’s medical records and billing records or other records used by the covered entity to make decisions about individuals. Only fairly narrow exceptions exist to this right of access. Additionally, individuals have a right to receive an accounting of certain disclosures of their PHI that have been made. A reasonable charge may be assessed to cover the costs of providing access. Individuals also have the right to amend PHI possessed by a covered entity. If the covered entity denies the request to amend the PHI, the individual may file a statement that must then be included in any future use or disclosure of the information.

Safeguards. The Privacy Rule requires that covered entities implement administrative, physical and technical safeguards to protect the confidentiality and integrity of all PHI. The HIPAA Security Rule requires both covered entities and business associates to implement administrative, physical, and technical safeguards, but only for ePHI. Like the Privacy Rule, the HIPAA Security Rule aims to prevent unauthorized use or disclosure of PHI. However, the Security Rule also aims to maintain the integrity and availability of ePHI. Accordingly, the Security Rule addresses data backup and disaster recovery, among other related issues. These are discussed further below.

Accountability. To foster compliance, covered entities are subject to a set of administrative requirements. Covered entities must designate a privacy official who is responsible for the development and implementation of privacy protections. Personnel must be trained, and complaint procedures, along with other procedures, must be in place.
Accountability is furthered by a range of enforcement agencies. The primary enforcer for the Privacy Rule in HHS is the Office of Civil Rights (OCR).

8.1.1.2 Limits on and Exceptions to the Privacy Rule

In issuing the Privacy Rule, HHS stressed the dual goals of protecting PHI while also improving the efficiency of the healthcare system. As mentioned above, the rule does not require authorizations for the major categories of treatment, payment and healthcare operations. Other limits on the scope of the rule include deidentified information and medical research.

Deidentification. The Privacy Rule does not apply to information that has been “deidentified”: information that does not actually identify an individual and where there is no reasonable basis to believe that the information can be used to identify an individual. [23] The Privacy Rule provides two methods for deidentifying data: (1) remove all of at least 18 data elements listed in the rule, such as name, phone number, and address, or (2) have an expert certify that the risk of reidentifying the individuals is very small. [24]

Research. The Privacy Rule has detailed provisions for how PHI is used for medical research purposes. Research can occur with the consent of the individual, or without consent if an authorized entity such as an institutional review board approves the research as consistent with the Privacy Rule and the general rules covering research on human subjects. Research is permitted on deidentified information, and the rules are more flexible if only a limited data set is released to researchers. [25]

Other exceptions. The Privacy Rule contains other exceptions under which PHI may be used without consent. [26] These include information used for public health activities; to report victims of abuse, neglect or domestic violence; in judicial and administrative proceedings; for certain law enforcement activities; and for certain specialized governmental functions. [27] A covered entity is required to release PHI to the individual to whom it pertains or to the person’s representative (see “Access and accountings of disclosures,” previously discussed), and to the secretary of HHS to investigate compliance with the privacy rules.

Clarification for disclosures of information related to reproductive health care. After the U.S. Supreme Court overturned Roe v. Wade in 2022, HHS issued guidance on the disclosure of protected health information related to reproductive health care. [28] According to HHS, “The Privacy Rule permissions for disclosing PHI without an individual’s authorization for purposes not related to health care, such as disclosures to law enforcement officials, are narrowly tailored to protect the individual’s privacy and support their access to health services. … The Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes ‘pursuant to process and as otherwise required by law,’ under certain conditions.” [29]

8.1.2 The HIPAA Security Rule

The HIPAA Security Rule was finalized in February 2003 and modified in January 2013. [30] It establishes minimum security requirements for PHI that a covered entity or a business associate receives, creates, maintains or transmits in electronic form. [31] The Security Rule is designed to require covered entities and business associates to implement “reasonable” security measures in a technology-neutral manner.
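The Safe Harbor deidentification method described under 8.1.1.2 above, as an added example that is not part of the course text: a Python routine that applies the rule’s 18 identifier categories (the full list is the rule’s; the chapter names only name, phone number and address) to a constructed patient record, keeping only the year of dates, aggregating ages over 89 into “90+”, and truncating ZIP codes to three digits. The record field names, the small-population ZIP3 set, and the free-text patterns are assumptions made for this example.

```python
"""Safe Harbor deidentification of a patient record under the HIPAA Privacy
Rule. Added illustration for this chapter; not part of the course text."""
import re
from datetime import date

# Safe Harbor categories that are dropped outright. Field names are assumed
# for this example; the categories are the rule's.
REMOVE_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "photo", "other_unique_id",
}
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# ZIP3 prefixes covering 20,000 people or fewer must collapse to "000".
# Constructed placeholder set; the real list is derived from Census data.
SMALL_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821", "823"}

# Heuristic patterns for identifiers that leak into free text (not exhaustive;
# free text still needs review, which is why the expert-determination method exists).
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def _to_date(value):
    """Accept a date or an ISO 8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def scrub_text(text: str) -> str:
    """Replace recognisable identifiers embedded in free text."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def age_on(birth, as_of) -> int:
    """Age in completed years on the given date."""
    birth, as_of = _to_date(birth), _to_date(as_of)
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record: dict, as_of) -> dict:
    """Return a copy of `record` with Safe Harbor identifiers removed or
    generalised. Ages over 89 become "90+" and their birth year is dropped,
    because the year alone would reveal the age."""
    out = {}
    over_89 = "birth_date" in record and age_on(record["birth_date"], as_of) > 89
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key in DATE_FIELDS:
            if not (key == "birth_date" and over_89):
                out[key + "_year"] = _to_date(value).year
            continue
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
            continue
        if key == "age":
            out["age"] = "90+" if value > 89 else value
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    if "birth_date" in record and "age" not in record:
        out["age"] = "90+" if over_89 else age_on(record["birth_date"], as_of)
    return out


# Constructed sample record; no real person.
SAMPLE = {
    "name": "Jane Q. Sample",
    "birth_date": "1931-03-14",
    "admission_date": "2023-11-02",
    "zip": "30332",
    "phone": "404-555-0100",
    "diagnosis": "Type 2 diabetes",
    "notes": "Spouse can be reached at 404-555-0199 or jq@example.com; f/u 12/01/2023.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, "2024-02-19"))
```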
The goal is for all covered entities and business associates to implement “policies and procedures to prevent, detect, contain, and correct security violations.” [32] The Security Rule is composed of “standards” and “implementation specifications,” which encompass administrative, technical and physical safeguards. Some of the implementation specifications are required, while others are considered “addressable.” This means that the covered entity (or the business associate) must assess whether the specification is an appropriate safeguard for the entity to adopt. If not, the covered entity (or the business associate) must document why it is not reasonable and, if appropriate, adopt an alternative measure.

The HIPAA Security Rule requires covered entities and business associates to:

1. Ensure the confidentiality, integrity and availability of all ePHI the covered entity or the business associate creates, receives, maintains or transmits
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of the ePHI
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule
4. Ensure compliance with the Security Rule by its workforce [33]

As previously noted, the Security Rule strives for a reasonable level of security. Accordingly, the rule permits a covered entity or a business associate to “use any security measures that allow the covered entity or the business associate to reasonably and appropriately implement the standards and implementation specifications.” [34] When developing a security program, each covered entity and business associate must consider the following factors:

1. The size, complexity and capabilities of the covered entity or business associate
2. The covered entity’s or the business associate’s technical infrastructure, hardware and software security capabilities
3. The costs of security measures
4. The probability and criticality of potential risks to electronic protected health information [35]

The HIPAA Security Rule also requires that:

1. Each covered entity and each business associate must identify an individual who is responsible for the implementation and oversight of the Security Rule compliance program. [36] (This may be the same person who oversees the Privacy Rule compliance program.)
2. Each covered entity and each business associate must conduct initial and ongoing risk assessments. In particular, the covered entity must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” [37] This assessment should identify potential risks and vulnerabilities, each of which must be addressed.
3. Each covered entity and each business associate must implement a security awareness and training program for its workforce. Additionally, individual workers must be disciplined if they fail to comply with the policies and procedures. [38]

8.1.3 Telemedicine

During the COVID-19 pandemic, telemedicine became the only viable option for many people to interact with their doctors for care not related to COVID-19. [39] An estimated one in three adults used telemedicine during the pandemic. [40] An important HIPAA rule change related to privacy and security was one of the drivers for increased use of telemedicine. During the public health emergency, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) allowed healthcare providers to use “non-public facing” (meaning one-to-one or one-to-few) videoconferencing technology, even if the technology did not meet all the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, or the breach notification requirements under HIPAA. [41] Roughly speaking, the rule permitted videoconferencing with secure log-in, but not technologies where unauthorized people could readily join the videoconference.

Non-privacy legal changes also sped up adoption of telemedicine during the pandemic. These included:

- Payment for telemedicine visits – The Centers for Medicare & Medicaid Services allowed reimbursement for telemedicine visits. Prior to the pandemic, reimbursement was permitted only in very limited circumstances, such as for patients in rural areas or those seeking medical attention for mental health or substance use issues. [42]
- Prescribing controlled substances across state lines – The U.S. Drug Enforcement Agency (DEA) suspended the provisions of the Ryan Haight Online Pharmacy Consumer Protection Act that required an in-person medical exam before prescribing a controlled substance. During the pandemic, qualified prescribers were allowed to prescribe controlled substances to patients regardless of location. [43]
- Physician licensing across state lines – Numerous states allowed licensed physicians to obtain temporary licenses in another state to increase access to care via telemedicine. [44] Also, the use of the Interstate Medical Licensure Compact (IMLC) grew by nearly 50% during the pandemic, suggesting that these physicians envision continuing telemedicine after the pandemic.
Post-pandemic, many commentators believe that telemedicine will emerge as an integral part of the U.S. healthcare system due to (1) increased willingness by patients to use telemedicine; (2) increased willingness by healthcare providers to use telemedicine; and (3) regulatory changes related to access and payment for telehealth. [45] Certain specialties, such as mental health treatment, [46] are more likely to experience an increase in telemedicine visits post-pandemic than other specialties, such as those related to surgery. [47] At the time of this writing, it is uncertain which of the privacy and other regulatory changes will stay in effect post-pandemic. [48]

8.1.4 Enforcement

The primary enforcer for both the Privacy Rule and the Security Rule is the HHS Office of Civil Rights (OCR), which processes individual complaints and can assess civil monetary penalties of up to approximately $2 million per year per type of violation, as of the writing of this book. [49] The OCR has assessed substantial penalties under HIPAA in recent years. [50] For example, the OCR entered into a settlement agreement in 2018 with Anthem for a record $16 million civil penalty after a cyberattack that left the ePHI of almost 79 million people exposed online. [51] In 2019, the Texas Health and Human Services Commission, a state agency, paid a $1.6 million civil penalty after a software flaw exposed the ePHI of more than 6,000 individuals on the internet. [52] In 2020, Premera Blue Cross agreed to pay a civil penalty of $6.85 million after a cyberattack that left the ePHI of more than 10 million people exposed online. [53] The OCR has instituted a program to regularly audit a select number of covered entities and business associates to ensure compliance. [54]

Since 2019, OCR has emphasized enforcement of a patient’s right to access records in a timely manner. [55] Many of these enforcement actions involve a single individual who has been unable to obtain a copy of their protected health information in a timely manner. [56] For example, in 2021, Banner Health agreed to pay a $200,000 civil penalty to settle allegations from two individuals that each had waited months to receive copies of requested medical records. [57]

In 2021, Congress enacted the HIPAA Safe Harbor Law, which requires OCR to consider whether a covered entity has implemented recognized security practices for the prior 12 months. Qualifying security practices go beyond the minimum requirements in the HIPAA Security Rule. Where such practices have been in place, the law provides OCR discretion to apply leniency in setting fines and corrective action, notably in the event of a data breach. [58]

HIPAA does not include a private right of action for individuals to bring a claim under HIPAA. [59] Individuals who believe that a covered entity or business associate has violated HIPAA’s Privacy Rule or Security Rule can file a complaint with OCR. [60] HIPAA prohibits the covered entity or business associate from discriminating or retaliating against an individual who files a complaint with OCR. [61]

The U.S. Department of Justice (DOJ) has criminal enforcement authority, with prison sentences of up to 10 years. [62] For the many companies within its jurisdiction, the FTC can bring enforcement actions for unfair and deceptive practices, even against entities covered by HIPAA. State attorneys general can also bring enforcement actions for unfair and deceptive practices, or pursuant to any applicable state medical privacy law.
8.1.5 Preemption

For the privacy professional, it is important to remember that HIPAA does not preempt state laws that provide more protection than the federal law. In practice, reviewing applicable state laws will be important for ensuring compliance. Topics that should be of particular concern in this review include (1) additional patient rights, (2) added uses or disclosures for PHI, and (3) shortened deadlines for action. [63]

8.1.6 State Laws

The details of state laws that provide more protections than HIPAA are beyond the scope of this book. [64] When reviewing state privacy laws, it is important to understand that certain state laws provide exemptions related to coverage under HIPAA, meaning that complying with HIPAA will be viewed as complying with the state law. When reviewing these exemptions related to HIPAA, privacy practitioners should be alert that certain state laws exempt entities covered by HIPAA while others only exempt data covered by HIPAA. [65]

8.2 The Health Information Technology for Economic and Clinical Health Act

The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology. HITECH codified and funded the Office of the National Coordinator for Health Information Technology and provided $19 billion in incentives for healthcare providers to adopt electronic health records and develop a national electronic health information exchange. HITECH also strengthened HIPAA to address the privacy impacts of the expanded use of electronic health records. [66]

8.2.1 Notice of Breach

In the event of unauthorized acquisition, access, use or disclosure of information, a breach is presumed to have occurred, unless the covered entity or the business associate demonstrates through a risk assessment that there is a low probability that the security or privacy of the information has been compromised. [67] This language provides that covered entities and business associates have the burden of proof that an impermissible use or disclosure did not constitute a breach. [68] If there is a high probability that the security or privacy of the information (financial, reputational or other) has been compromised, a covered entity must notify individuals within 60 days of discovery. [69] If a business associate discovers a breach, it must notify the covered entity. [70] If the breach affects more than 500 people, the covered entity must notify HHS immediately, and if the breach affects 500 or more in the same jurisdiction, it must notify the media. [71] All breaches requiring notice must be reported to HHS at least annually. A breach applies only to “unsecured” information, and a covered entity can avoid liability if it utilizes encryption software to secure information. [72]

In 2021, HHS announced a settlement agreement with Excellus Health Plan where the health insurer agreed to pay $5.1 million after suffering a 2015 data breach where hackers gained access to the records of more than 9 million individuals. [73]

A separate part of HITECH applies to “personal health record” providers. [74] Cloud services for storing an individual’s health records are covered by this provision. [75] In 2019, the FTC issued a policy statement clarifying that this rule covers medical apps and wearable devices. [76] The data breach notices required are similar to those for covered entities. These requirements apply even if the provider does not seek electronic reimbursement from the U.S. government. The rule is enforced by the Federal Trade Commission (FTC). [77]

8.2.2 Increased Penalties

HHS has issued a final rule pursuant to HITECH that allows for penalties of approximately $2 million for the most willful violations and extends criminal liability to individuals who misuse PHI. [78] The enforcement rules provide for penalties even if the covered entity did not know of the violation. [79]

8.2.3 Limited Data

All disclosures by a covered entity should attempt to comply with the definition of a limited data set, and if this is not feasible, the data disclosed must be the minimum amount necessary. The term limited data set refers to protected health information that includes direct identifiers of the individual. [80] Furthermore, patients who directly pay their provider for medical care may restrict their PHI from being disclosed to a health plan unless the disclosure is otherwise required by law. [81]

8.2.4 Electronic Health Records

The $19 billion in funding in HITECH created important incentives for health providers to use Electronic Health Records (EHRs) more extensively. Providers who make “meaningful use” of EHRs can qualify for these funds. [82] In local markets, more practice groups have linked their EHRs with local hospitals. For broader geographic regions, there has been increased sharing of medical information toward the HHS goal of having a National Health Information Network. [83] Sharing of PHI is generally permitted under HIPAA to the extent necessary for treatment, payment or healthcare operations. Compliance issues become more important if information shared through EHRs is used for other purposes or with other entities, and such sharing can lawfully be done only with patient consent or under some other provision of HIPAA. Compliance also can become considerably more complex where the laws of different states apply to the same EHR system. HITECH itself, along with providing funding for greater use of EHRs, made certain changes to HIPAA’s legal treatment of EHRs.
Covered entities must provide individuals with a copy of their EHR on request and, on request, must account for disclosures made through an EHR, including those for treatment, payment and operations, during the three years before the request. 84 Additionally, covered entities may not sell PHI, including EHR data, without the patient’s authorization, and covered entities may not receive payment for certain marketing communications without authorization. 85 8.3 Confidentiality of Substance Use Disorder Patient Records Rule Several decades before passage of HIPAA, Congress began its foray into the arena of medical privacy. 86 This federal action was prompted by concern that individuals might not seek medical care for alcohol and substance abuse problems unless the privacy of this information were strictly protected. In 1970, Congress passed the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act. Two years later, Congress enacted the Drug Abuse Prevention, Treatment and Rehabilitation Act. 87 These confidentiality requirements are implemented in the Confidentiality of Substance Use Disorder Patient Records Rule, commonly called “Part 2” after its location at 42 CFR Part 2. 88 Scope. The rule covers the disclosure and use of “patient-identifying” information by treatment programs for alcohol and substance abuse. 89 Patient-identifying information is any information that could reasonably be used to identify, directly or indirectly, a person who has been diagnosed with a substance abuse issue or has undergone alcohol or substance abuse treatment. 90 In addition, the rule restricts use of any information, whether written or verbal, that could lead to or substantiate criminal charges against a patient concerning their alcohol or drug usage. 91 Applicability. The rule applies to any program that receives federal assistance.
For purposes of the rule, the term program means any one of the following:

1. “An individual or entity (other than a general medical facility) who holds itself out as providing, and provides,” alcohol or substance abuse diagnosis, treatment, or referral for treatment
2. “An identified unit within a general medical facility that holds itself out as providing, and provides,” alcohol or substance abuse diagnosis, treatment, or referral for treatment
3. “Medical personnel or other staff in a general medical facility whose primary function is provision of” alcohol or substance abuse diagnosis, treatment, or referral for treatment 92

Other entities may become subject to the regulation in either of the following ways: (1) a state licensing agency requires them to comply, or (2) the clinician uses controlled substances for detoxification, which requires licensing through the U.S. Drug Enforcement Administration (DEA). 93 Disclosure. The program must obtain written patient consent before disclosing information subject to the rule. The consent form may include a general designation that allows disclosure to individuals or entities so long as they have a treating provider relationship with the patient. Upon request, a patient who signs a consent form with a general designation may receive a list of the entities to which their information has been disclosed. In addition, the consent form must explicitly describe the type of information to be disclosed relating to alcohol or drug abuse treatment. 94 Redisclosure. Redisclosing information obtained from a program is prohibited when that information would “identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment.” 95 Exceptions to consent requirements.
Exceptions to the rule that allow disclosures without consent include:

- Medical emergencies 96
- Scientific research 97
- Audits and evaluations 98
- Communications with a qualified service organization (QSO) related to information the organization needs to provide services to the program 99
- Crimes on program premises or against program personnel 100
- Child abuse reporting 101
- Court order 102

Security of records. An entity lawfully holding patient-identifying information must have formal policies and procedures in place to protect the security of this information, with separate requirements for paper and electronic records. 103 Violations of the rule are criminal. Under the regulation as originally written, a first violation resulted in a fine of not more than $500 and each subsequent offense in a fine of not more than $5,000, with violations reported to the U.S. Attorney’s Office; the CARES Act of 2020 amended the statute so that violations are now subject to the same civil and criminal penalties that apply to HIPAA violations. 104 Entities subject to this rule are likely also to be subject to the HIPAA Privacy Rule, 105 and in many areas the two have parallel requirements. 106 Privacy practitioners should review both the rule and HIPAA to understand where the two do not converge. 107 Also, like HIPAA, the rule does not preempt state laws that impose stricter limits on disclosure than the federal rule. 108 8.4 Genetic Information Nondiscrimination Act of 2008 The Genetic Information Nondiscrimination Act (GINA) created new national limits on the use of genetic information in health insurance and employment. 109 In considering GINA, Congress found that genetic testing, before symptoms appeared, would allow individuals to take steps to reduce the likelihood of ultimately developing a disease or disorder.
At the same time, such testing could create the risk that the information would be misused in health insurance or employment decisions. 110 Concerns about misuse were supported by historical examples of genetic discrimination, such as sterilization programs aimed at those with disorders that were perceived to be genetic, programs mandating sickle cell testing for African-Americans, and pre-employment genetic screening of federal employees. 111 Generally, GINA prohibits health insurers from discriminating on the basis of genetic predispositions in the absence of manifest symptoms or from requiring that applicants undergo genetic testing, and prohibits employers from using genetic information in making employment decisions. 112 GINA amended a variety of existing laws including, among others, the Employee Retirement Income Security Act (ERISA), the Social Security Act, and the Civil Rights Act. The amendments to ERISA prohibit group health plans from adjusting premiums or other contribution schemes on the basis of genetic information, absent a manifestation of a disease or disorder. 113 GINA also amended ERISA to prohibit group health plans from requesting or requiring genetic testing in connection with the offering of group health plans, although an exception is carved out for requests for voluntary testing in connection with research. 114 For the research exception to apply, the plan must notify the HHS secretary and make clear that participation is voluntary, that declining will have no effect on enrollment or contributions, and that no genetic information will be used for underwriting purposes. 115 The amendments to ERISA also allow for governmental enforcement.
116 A statutory penalty is set at $100 for each day of noncompliance (inclusive of the beginning date and the date of rectification) with respect to each plan participant or beneficiary, although minimum penalties can rise to $15,000 in certain circumstances. 117 Some liability, however, may be avoided under this section if the grounds for liability could not have been discovered by exercising reasonable diligence. 118 Similar provisions revise the Public Health Service Act and apply to the individual health insurance market, prohibiting adjustments to premiums or other contribution schemes on the basis of genetic information absent the manifestation of a disease or disorder. 119 These revisions prohibit insurers from treating a genetic predisposition as an excludable preexisting condition. 120 Once again, the revisions allow for governmental enforcement against violators. Amendments to the Social Security Act extend similar provisions to the providers of Medicare supplemental insurance policies. 121 GINA also directs the secretary of HHS to revise the HIPAA regulations so that genetic information is treated as health information, which covered entities may use or disclose only as HIPAA permits; HHS implemented this in 2013 by expressly prohibiting health plans from using or disclosing genetic information for underwriting purposes. 122 Aside from health insurance, GINA also takes aim at the possibility of employment discrimination based on genetic information in the absence of the manifestation of a disease or disorder. 123 Additionally, the employment-related sections of GINA prohibit discrimination against individuals because they have a family member who has manifested a disease. 124 These sections of GINA revised the Civil Rights Act and apply coextensively with that act. 125 Along with expressly prohibiting discrimination on the basis of genetic information, these portions of GINA prohibit employers from requiring, requesting or purchasing genetic information about employees or their family members unless an express exception applies.
126 Exceptions are provided for instances where (1) such a request is inadvertent, (2) the request is part of an employer-offered wellness program in which the employee voluntarily participates with written authorization, (3) the request is made to comply with the Family and Medical Leave Act (FMLA) of 1993, (4) the employer purchases commercially and publicly available materials that include the information, (5) the information is used for legally required genetic monitoring of toxin exposure in the workplace and the employee voluntarily participates with written authorization, or (6) the employer conducts DNA analysis for law enforcement purposes and requests the information for quality-control purposes (i.e., to identify contamination). 127 These parts of GINA not only apply to employers but also prohibit unions and training programs from excluding or expelling individuals on the basis of such information. 128 GINA does recognize that employers or unions may have legitimate reasons for possessing such information (e.g., as part of a toxin exposure monitoring program or company-sponsored wellness program). 129 Accordingly, if an employer possesses such information, it must be kept on separate forms in separate medical files, and such files must be treated as confidential employee medical records. 130 GINA itself does not provide for a private right of action, but, depending on the violation, private rights of action may be available under the federal laws that it revises as well as under similar state laws. 131 To ensure regulation keeps up with technology, GINA mandates the creation of a commission to review developments in the science of genetics and make recommendations as to whether to establish a “disparate impact cause of action” under GINA. 132
8.4.1 Preemption GINA provides “a floor of minimum protection against genetic discrimination.” GINA does not preempt state laws with stricter protections. 133 8.4.2 State Laws Although GINA prevents discrimination by employers and health insurers based on genetic information, the federal law does not prevent life insurers, mortgage lenders, schools, or many other entities from treating individuals less favorably based on their genetic information. In 2011, California enacted the California Genetic Information Nondiscrimination Act (CalGINA), which prohibits genetic discrimination in emergency medical services, mortgage lending, housing, education, and other state-funded programs. 134 Several other states have enacted laws to protect individuals from genetic discrimination when seeking life insurance, disability insurance, and long-term care insurance. 135 8.5 The 21st Century Cures Act of 2016 The 21st Century Cures Act (“Cures Act”) has multiple purposes, including promoting medical research and reforming mental health treatment. 136 The Cures Act promotes the use and interoperability of electronic health information (“EHI”), notably by limiting “information blocking.” 137 It also contains several privacy-specific provisions. 8.5.1 Interaction of information blocking and privacy protection The Cures Act seeks to balance the use and interoperability of EHI against legitimate reasons not to share such data. It emphasizes the usefulness of sharing EHI for purposes including operating health networks, promoting patient access to their EHI, and enabling patients to transfer their EHI more easily to apps or other destinations of their choosing. A Final Rule implementing the Cures Act has been issued by the Office of the National Coordinator for Health Information Technology (“ONC”). The Final Rule sets forth detailed limits on information blocking.
“Information blocking” is any activity that “is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” 138 The prohibition on information blocking applies to (1) health care providers, (2) developers of certified health IT, (3) health information exchanges, and (4) health information networks. 139 Violations by health IT developers, health information exchanges and health information networks are investigated by the HHS Office of Inspector General (OIG), which can impose civil monetary penalties of up to $1 million per violation; health care providers that engage in information blocking are instead subject to “appropriate disincentives” established by HHS. 140 This general prohibition on information blocking has two categories of exception. First, the Final Rule recognizes important reasons that can justify a failure to share EHI, notably the need to protect the privacy and security of EHI. The Final Rule defines criteria for when privacy and security can justify withholding data, and organizations subject to the Final Rule should apply those criteria so that they protect privacy and security while still sharing EHI as the Final Rule requires. Similarly, a decision not to share can be justified where responding to a request would be infeasible, or where it is necessary to maintain and improve health IT performance. Second, the Final Rule allows an organization to establish procedures for fulfilling requests to access, exchange or use EHI. 141 8.5.2 Certification of Health IT Developers The Cures Act requires HHS to establish “Conditions and Maintenance of Certifications Requirements for the ONC Health IT Certification Program.” There are numerous conditions of certification for health IT developers.
Most relevant for purposes of this book are the requirements concerning (1) information blocking (discussed above) and (2) Application Programming Interfaces (“APIs”) (discussed below). Organizations providing health IT software should consult the detailed applicable requirements. 142 8.5.3 Promoting Access and Portability for Patient Data The Cures Act sought to improve patient access to their EHI and to make it easier for patients to move their EHI elsewhere. To improve this interoperability, covered health IT developers must “publish APIs that allow health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs.” 143 As one common example, the API would enable export of the patient’s data from a health care provider to a smartphone app. 144 The goal is to give patients greater control over their data, including by moving it from traditional health care providers to a wider range of destinations as the patient chooses. Going forward, there may be ongoing issues about how to achieve this greater data portability while also protecting individual privacy. Traditional health care providers are usually covered entities under HIPAA. They are thus subject to the relatively strict HIPAA privacy and security safeguards, and to enforcement actions by HHS. By contrast, most apps on a smartphone are outside of HIPAA coverage. Such apps generally are subject to enforcement by the Federal Trade Commission for “unfair and deceptive” trade practices, but a smartphone app’s privacy policy often contains fewer privacy protections than HIPAA does. Ongoing policy debates are likely about the trade-offs between the benefits of greater patient control over EHI and the risks that result from weaker privacy and security protections. One way to address the trade-off may be clear notice to consumers at the moment EHI moves from HIPAA protections to recipients who are not subject to HIPAA.

8.5.4 Other Privacy Provisions in the Cures Act The Cures Act also contains other privacy-related provisions, including the following.

Certain individual biomedical research information exempted from disclosure under the Freedom of Information Act. To the extent that individual biomedical research information could reveal individual identity, the Cures Act exempts this information from mandatory disclosure under the Freedom of Information Act (FOIA). 145

Researchers permitted to remotely view PHI. The Cures Act clarifies existing law to allow medical researchers to review PHI remotely. This remote access must meet minimum safeguards consistent with HIPAA’s Privacy and Security Rules. 146

“Certificates of confidentiality” for research. The Cures Act provides stronger privacy protections for those participating in research, particularly those with alcohol and substance abuse issues. The Cures Act requires certificates of confidentiality to be issued by the National Institutes of Health (NIH) for federally funded research and permits the NIH to issue such certificates at its discretion for research that is not federally funded. These certificates ensure that the research material cannot be used in any legal or administrative proceeding without the consent of the individual involved. 147

“Compassionate” sharing of mental health or substance abuse information with family or caregivers. The Cures Act requires HHS to issue guidance under HIPAA regarding the circumstances in which a health care provider or other covered entity is permitted to discuss with family members or caregivers the treatment of an adult with a mental health disorder or an alcohol or substance abuse disorder.
148 8.6 Medical Technology The global revenue of the medical technology (medtech) industry was estimated at approximately $570 billion for 2023. 149 A significant part of medtech consists of medical devices such as x-ray, MRI and CT equipment that are operated only by healthcare providers. Medtech, however, can also enable individuals to collect health information in real time in the convenience of their own home, to test for a variety of medical ailments at home, and to access their own electronic health records. 150 Wearables, which are electronic devices placed on a person’s body and designed to collect health information, permit an individual to monitor heart rate or glucose levels in real time. At-home medical tests give people the opportunity to check for genetic markers related to diseases as well as to map their personal DNA. Medical apps assist people with a variety of tasks, such as taking medication at the correct times, calculating the optimal day to become pregnant, and accessing electronic health records. 151 When discussing health information in relation to medtech, it is crucial to remember that individuals can be confused about why health information is protected in certain situations and not in others. 152 For example, numerous apps allow individuals to store their health records on their phone or other electronic device. These individuals may have a difficult time understanding which apps will provide HIPAA protections for their health data and which will not, as the apps may appear quite similar and may even be downloaded from the same app store. 153 Importantly, HIPAA applies to “covered entities,” including healthcare providers, as well as to “business associates” who receive data from covered entities. When a covered entity is involved in the use of a wearable, an app, or a website, the companies providing these products or services are generally either the covered entity or a business associate.
154 In these instances, the individual’s data is protected by HIPAA’s Privacy Rule and Security Rule, as discussed in Section 8.1. By contrast, health information in the hands of other entities is generally not protected by HIPAA. 155 In these instances, it is important to understand the types of protection that exist outside of HIPAA for this health information. 8.6.1 Section 5 of the FTC Act Section 5 of the FTC Act applies to medtech companies that are covered by HIPAA as well as to those that are not. This means that, for companies not covered by HIPAA, the FTC Act is the primary federal statute governing their privacy and security practices. Under Section 5 of the FTC Act, medtech companies can face enforcement actions for deceptive trade practices and unfair trade practices, as discussed in Chapter 5. 156 In 2022, the FTC announced that it would focus enforcement on “illegal conduct that exploits Americans’ location, health, or other sensitive data,” including the practices of medtech companies. 157 In 2021, Flo Health, maker of a fertility tracking app with approximately 100 million users worldwide, became one of the first medtech companies to settle an action brought under Section 5 of the FTC Act. The FTC complaint alleged that the company promised users it would not share their health information but in fact disclosed users’ health information to third parties for marketing and analytics purposes. 158 8.6.2 Federal Food, Drug, and Cosmetic Act The U.S. Food & Drug Administration (FDA) protects consumers against unlawful medical devices by enforcing the Federal Food, Drug, and Cosmetic Act.
The Act defines a device as an “instrument … intended for use in the diagnosis of disease or other conditions, or in the … treatment or prevention of disease.” 159 FDA regulation of medical devices can be quite complex, with a risk-classification system that at least in part determines the degree of regulation. 160 Much of the medtech used directly by individuals is considered low risk, meaning very little regulation applies. 161 In certain instances, this type of medtech can be more heavily regulated by the FDA; for example, certain medtech that uses artificial intelligence can be classified as software as a medical device (SaMD). 162 Cybersecurity is one area of concern for the FDA. 163 As of the writing of this book, the FDA has issued new guidance updating its cybersecurity guidance, which covers “wireless, Internet- and network-connected devices, portable media (e.g. USB or CD), and the frequent electronic exchange of medical device-related health information.” In the guidance, the FDA focuses on the cybersecurity of medtech devices as a means of protecting the health information they handle. 164 In 2023, the FDA also announced that it will “refuse to accept” premarket submissions for “cyber devices” that lack the required cybersecurity information. Device manufacturers must include cybersecurity plans that provide “reasonable assurance” that the device is “cybersecure,” including a plan to monitor, identify and address postmarket vulnerabilities and a software bill of materials (SBOM) for the device’s commercial, open-source and off-the-shelf components. 165 8.6.3 State Laws Privacy practitioners should be alert to the complex regulatory landscape of state medical privacy laws. Some states have fairly comprehensive medical privacy laws, sometimes with provisions that regulate aspects of medtech. 166 At-home genetic testing is one example where several states have enacted specific privacy laws. By 2020, an estimated 20 percent of people in the U.S. had taken an at-home genetic test that consumers can buy directly, without the need to involve a doctor.
167 Although these genetic tests would likely be covered by HIPAA if ordered by a doctor, the companies that provide at-home tests are generally not covered by this federal law. Thus, this sensitive health information, such as a person’s likelihood of developing certain diseases, remains largely unregulated at the federal level. Several states, including California, Arizona, and Utah, have