- Health information is sensitive.
- Sharing it with third parties for advertising is more sensitive.
- Doing it behind a log-in where there is no expectation of such tracking?
Innovative health care-related technology and developing telemedicine products have the potential for dramatically changing the way in which health care is accessed. The Federation of State Medical Boards (FSMB) grappled with some of the complexities that arise as information is communicated electronically in connection with the provision of medical care and issued a Model Policy in April of 2014 to guide state medical boards in deciding how to regulate the practice of “telemedicine”, a definition likely to become outdated as quickly as the next technology or product is developed.
Interestingly, the development and use of medical devices and communication technology seems to outpace agency definitions and privacy laws as quickly as hackers outpace security controls. So how can we encourage innovation and adopt new models without throwing privacy out with the bathwater of the traditional, in-person patient-physician relationship? A first step is to see and understand the gaps in privacy protection and figure out how to they can be narrowed.
HIPAA does not protect all information, even when the information is clearly health information and a specific individual can be identified in connection with the health information. A guidance document issued jointly by the U.S. Department of Health and Human Services (HHS) and the Food and Drug Administration (FDA) on October 2, 2014 (FDA Guidance Document) contains the agencies’ “non-binding recommendations” to assist the medical device industry with cybersecurity. The FDA Guidance Document defines “cybersecurity” as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.” If my medical device creates, receives, maintains, or transmits information related to my health status or condition, it’s likely I expect that information to be secure and private – but unless and until my doctor (or other covered entity or business associate) interfaces with it, it’s not protected health information (PHI) under HIPAA.
The FSMB’s Model Policy appropriately focused on the establishment of the physician-patient relationship. In general, HIPAA protects information created, received, maintained or transmitted in connection with that relationship. A medical device manufacturer, electronic health application developer, or personal health record vendor that is not a “health care provider” or other covered entity as defined under HIPAA, and is not providing services on behalf of a covered entity as a business associate, can collect or use health-related information from an individual without abiding by HIPAA’s privacy and security obligations. The device, health app, or health record may still be of great value to the individual, but the individual should recognize that the information it creates, receives, maintains or transmits is not HIPAA-protected until comes from or ends up with a HIPAA covered entity or business associate.
The FDA Guidance Document delineates a number of cybersecurity controls that manufacturers of FDA-regulated medical devices should develop, particularly if the device has the capability of connecting (wirelessly or hard-wired) to another device, the internet, or portable electronic media. Perhaps these controls will become standard features of medical devices, but they might also be useful to developers of other types of health-related products marketed to or purchased by consumers. In the meantime, though, it’s important to remember that your device is not your doctor, and HIPAA may not be protecting the health data created, received, maintained or transmitted by your medical device.
Continue Reading Medical Device, “Heal Thyself” from Data Hacking
Imagine you have completed your HIPAA risk assessment and implemented a robust privacy and security plan designed to meet each criteria of the Omnibus Rule. You think that, should you…
Continue Reading The Wild West of Data Breach Enforcement by the Feds
While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes…
Continue Reading HIPAA “Mega Rule”, Meet “Super BAA”: The CMS Data Use Agreement
SAIC’s recent Motion to Dismiss the Consolidated Amended Complaint filed in federal court in Florida as a putative class action highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach.
Continue Reading The SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach
CMS proposal would base eligibility for provider incentive payments for the “meaningful use” of Electronic Health Records (“EHRs”) not simply on providers’ use of EHR, but on their patients’ use.
Continue Reading Patients’ “Meaningful Use” of Electronic Health Information Proposed as Core Measure for Provider Incentive Payments from Feds
The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if…