“Circling Back” After the New Year: Recent Updates in Data Privacy & Security
As we settle in to 2023 and return to our “circle back in the new year” projects, it is a good time to catch up on data privacy and security updates from the end of 2022 and set priorities for 2023. To help you start the year off right, we have summarized some key recent updates and enforcement actions that health and life sciences entities should consider when setting compliance priorities for 2023.
HHS Issues Guidance on Using Online Tracking Technologies Under HIPAA
It was hard to miss even with the holiday season, but in case you have been putting off analyzing the guidance, note that the Office for Civil Rights (OCR) issued a bulletin on December 1, 2022 to highlight the requirements under the Health Insurance Portability and Accountability Act (HIPAA) rules when using online tracking technologies such as cookies or tracking pixels.
OCR stated in the guidance that individually identifiable health information collected on a regulated entity's authenticated (i.e., that require a user log-in) website or mobile app will qualify as PHI and be regulated under HIPAA. OCR took the position that all such data collected via a regulated entity’s website or mobile app is generally PHI even if the subject individual does not have an existing relationship with the entity and even if the data (e.g., IP address) does not include treatment or billing information. OCR explained that when collecting information, a regulated entity “connects” the individual to the regulated entity and thus indicates that the individual will receive or has received health care services from the regulated entity. More surprising, however, was OCR’s position that tracking technology on unauthenticated webpages, like webpages that address specific symptoms or health conditions or permit individuals to search for doctors or schedule appointments may have access to PHI.
OCR noted that "disclosures of PHI to tracking technology vendors for marketing purposes, without individuals' HIPAA-compliant authorizations, would constitute impermissible disclosures."
We have seen a wide variety of initial reactions to the guidance -- from the ostrich approach to outrage that the guidance is “overreach” akin to previous copy fees guidance and from considering breach reporting related to pixel use to temporary freezes on pixel use. While we do not suggest the ostrich approach, we do recommend health and life science entities to take a close look at the online tracking technologies in use by their organizations as a first step to digesting the OCR guidance.
Deadline for Comments of Proposed Changes to Part 2 Rule
On November 28, 2022, the U.S. Department of Health and Human Services (HHS) OCR and Substance Abuse and Mental Health Services Administration (SAMHSA) announced the long-awaited Notice of Proposed Rulemaking (NPRM) to revise the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 CFR Part 2 (Part 2). The NPRM makes significant changes to Part 2, including (on a positive note) to better align Part 2 with HIPAA and address concerns that the rules impeded the ability of health care providers to provide coordinated care to patients; but the proposed changes are not all good news for health care providers. For example, the changes also call for expanded HHS enforcement authority and new breach notification obligations. Read our full analysis here.
The deadline to comment on the NPRM is January 31. The text of the NPRM is available here.
California’s Data Exchange Framework Is Upon Us
California regulations (adopted in July 2021) established the California Health and Human Services Agency Data Exchange Framework (DxF) and require providers (e.g., acute care hospitals, physician organizations and medical groups, skilled nursing facilities, clinical labs) and certain payers that provide hospital, medical or surgical coverage to enter into the Single Data Sharing Agreement (DSA) January 31, 2023 to participate in the exchange of “health and social services information” (a broader term than PHI).
The DxF will take effect in January 2024, giving participants time to develop required infrastructure and put in place the as-of-yet pending policies and procedures. Participants can negotiate amendments to the DSA and policies and procedures. Providers should review DxF requirements, consider any appropriate amendments (as the process will take time) and begin updating authorizations to account for DxF disclosures, as it requires data sharing beyond the permissive data sharing contemplated under HIPAA. Additional DxF participants will come online in the coming years.
CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication
The Cybersecurity & Infrastructure Security Agenda (CISA) released two fact sheets, Implementing Phishing-Resistant MFA and Implementing Number Matching in MFA Applications, to highlight threats against accounts and systems using certain forms of multifactor authentication (MFA). Through the publication of these fact sheets, CISA strongly urged all organizations to implement phishing-resistant MFA, such as FIDO/WebAuth authentication or Public Key Infrastructure (PKI)-based MFA, to protect against phishing and other known cyber threats.
If an organization using mobile push-notification-based MFA is unable to implement phishing-resistant MFA, CISA recommends using number matching to mitigate MFA fatigue. Number matching is a setting that forces the user to enter numbers from an identity platform into their app to approve the authentication request. In the fact sheets, CISA states that although number matching is not as strong as phishing-resistant MFA, it is one of best interim mitigation for organizations who may not immediately be able to implement phishing-resistant MFA.
If you ask our breach team, MFA is one of the best investments entities can make to reduce security incident risk. We’re happy to talk to your leadership team about the ROI generated by MFA. This is a hill worth dying on.
NY Licensed Attorneys Will Be Required to Complete CLE on Privacy and Cybersecurity
Beginning July 1, 2023, attorneys barred in New York will be required to complete one CLE credit hour of cybersecurity, privacy and data protection training. The training will cover general training related to the practice of law and may include, among other things, technological aspects of protecting client and law office electronic data and communication; vetting and assessing vendors and other third parties relating to policies, protocols and practices on protecting electronic data and communication; applicable laws relating to cybersecurity (including data breach laws) and data privacy; and law office cybersecurity, privacy and data protection policies and protocols. The CLE requirement will also cover lawyers’ ethical obligations and professional responsibilities regarding the protection of electronic data and communication.
While the CLE requirement does not apply to all attorneys, we are seeing a shift in expectations for minimum privacy and security competency. We predict other states will follow suit in the future.
HHS and FTC update Mobile Health App Interactive Tool
The updated Mobile Health App Interactive Tool, which is designed to help developers of health-related mobile apps understand what federal laws and regulations might apply to them, was revised in conjunction with OCR, HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA) in December of 2022. The tool can help mobile app developers to determine whether their app’s functions, services and data collection would subject it to the Federal Trade Commission (FTC) Act, the FTC’s Health Breach Notification Rule, the Children’s Online Privacy Protection Act (COPPA), HIPAA, the Federal Food, Drug and Cosmetics Act (FD&C Act), and the 21st Century Cures Act and ONC Information Blocking Regulations.
OCR Releases New Recognized Security Practices Video
On October 31, 2022 OCR released video guidance for HIPAA regulated entities on recognized security practices. The guidance covers topics such HITECH requirements and how entities can demonstrate that recognized security practices are in place (e.g., in the event of a regulatory investigation or audit) and offers answers to questions submitted to OCR.
The HITECH Amendment, which went into effect on January 5, 2021, requires OCR to take into consideration any recognized security practices that a regulated entity has in place for the previous 12 months when making determinations regarding civil monetary penalties, audits or other agreed upon remedies to resolve potential violations of the HIPAA Security Rule.
The video provides OCR’s thoughts on standards, guidelines, best practices, methodologies, procedures and processes that may be considered recognized security practices under the rule. However, recall that sophisticated entities will be expected to scale and meet in line with the resources and complexity of the entity.
Interesting Enforcement Actions
OCR Settles with Dental Practice Over Disclosures of Patients’ PHI in Response to Online Reviews
On December 14, 2022, OCR announced a $23,000 settlement with a dental practice that stemmed from a complaint alleging that the practice engaged in the impermissible disclosure of PHI in response to online reviews. Why are we writing about such a small settlement discussing such a well-known no-no as disclosing PHI in online reviews? Great question. OCR concluded that the conduct resulted in impermissible disclosures of PHI. Not surprising right? But note that, in its investigation, OCR also concluded that the practice failed to have the minimum content required in its Notice of Privacy Practices and that it failed to implement policies and procedures with respect to PHI, including releasing PHI on social media/public platforms.
This enforcement action highlights that catching the attention of OCR may lead to discovery of other HIPAA violations and penalties.
OCR Issues HIPAA Right of Access Enforcement Action Against Florida Provider for Failing to Disclose Deceased’s Records to Family
An OCR investigation under its HIPAA right of access initiative resulted in a $20,000 fine and a Corrective Action Plan (CAP) for a Florida provider who failed to provide a daughter (acting as a personal representative) to timely access to her deceased father’s medical records (despite multiple requests) in violation of the HIPAA right of access standard.
The announcement, issued on December 15, 2022, marked the 42nd (and counting) case to be resolved under the right of access initiative.
DOJ Criminally Prosecutes Physician and Pharmaceutical Sales Representative for HIPAA Scheme
In October 2022, the U.S. Department of Justice (DOJ) announced that a pharmaceutical sales representative and a physician admitted to conspiring to wrongfully disclose and contain individually identifiable health information violation of the criminal provisions of HIPAA. From 2014 to 2016, the physician allowed the sales representative to have significant access to areas of the office restricted to staff, including areas with patient files and office computers, to identify and earmark patients who had insurance plans that covered expensive compound medications. The physician also brought the sales representative into patient exam rooms during appointments and gave patients the impression that the sales representative was employed by or affiliated with the medical practice, which facilitated and caused the disclosure of confidential health information to the sales representative. The physician would then prescribe the expensive medicines to patients, allowing the sales representative to receive commissions on those prescriptions.
Both the physician and the sales representative face a maximum of one year in prison and a $50,000 fine for the criminal HIPAA conspiracy charges. The sales representative also faces a maximum of 10 years in prison and a $250,000 fine for health care fraud conspiracy.
Do not forget to circle back to some of these compliance issues as you plan your 2023 priorities.
For more information regarding your health care data privacy & security questions and concerns, contact your Quarles & Brady attorney or:
- Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
- Simone Coglan Dunlap: (602) 229-5510 / simone.colgandunlap@quarles.com
- Apurva Dharia: (202) 780-2675 / apurva.dharia@quarles.com