A little rain can’t stop SXSW. Husch Blackwell attorneys have attended dozens of interesting presentations and met countless innovative minds. We will continue to post live updates on Twitter (@HBhealthcarelaw) and release brief blog posts related to certain presentations throughout the event. With former VP Joe Biden in town to discuss his cancer moonshot today, our focus is precision medicine.

Precision medicine is an innovative approach to medical treatment that takes into account individual differences in people’s genes, environments, and lifestyles. The promise of precision medicine is delivering the right treatments, at the right time, to the right person. The potential of precision medicine is recognized at the highest levels of government. In his 2015 State of the Union address, former President Barack Obama launched the Precision Medicine Initiative (“PMI”), a bold new research effort to revolutionize health and the treatment of disease. Subsequently, Sylvia M. Burwell, Secretary of the U.S. Department of Health & Human Services (“DHHS”), announced the FY 2016 budget would include $215 million for the PMI, with $200 million of this to be used by the National Institutes of Health (“NIH”) to launch the All of Us program, a national cohort of a million or more Americans who volunteer to share genetic, clinical, and other data to improve research. The funds will also be used to invest in expanding current cancer genomics research and to initiate new studies on how a tumor’s DNA can inform prognosis and treatment choices.

Full post: Precision Medicine – The All of Us Program

Today kicks off one of Austin’s largest and best-known events, the South by Southwest Interactive Conference. In the spirit of Husch Blackwell’s involvement in several aspects of the conference, this post will touch on emerging health technology and the ways it is pushing the limits of HIPAA.

New technology for use in healthcare settings is being developed almost daily. Telehealth, mobile apps, medical devices, implantables, robotics, electronic health records, e-prescriptions, digital pills, and wearables are just a few of the innovations that contribute to a patient’s treatment. There are more ways for people to access medical care, and more ways to produce and share patient data with healthcare providers, than ever before. At some point in the development stage, you and your team probably asked questions like these:

  • What data are we collecting? Where do we keep it?
  • How can we use it? What uses are off limits?
  • Who owns it? Can we own it?
  • Does HIPAA apply to us?
  • Are there other laws we need to worry about?
  • What if we lose some data?

First things first, a quick primer on HIPAA, the law you are probably already aware of. HIPAA consists of a privacy component and a security component. The HIPAA Privacy Rule addresses the confidentiality of certain health information, and the HIPAA Security Rule sets basic security standards for certain health information held or transferred in electronic form. These regulations apply to covered entities and their business associates. Generally, a covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider. A business associate is an individual or entity that creates, receives, maintains or transmits protected health information (“PHI”) in the course of performing services on behalf of a covered entity. Basically, PHI may not be used or disclosed by a covered entity (or by a business associate on its behalf) without patient authorization unless an exception applies. One frequently cited exception covers the use and disclosure of PHI necessary to carry out treatment, to obtain payment, or to conduct healthcare operations. When PHI is shared between a covered entity and a business associate, the parties execute a business associate agreement that governs the business associate’s use and security of the PHI.

Innovative technology is pushing the limits of HIPAA. A company may encrypt and store data for a covered entity but never have access to it, or may act purely as a conduit connecting two hospital systems that share data without ever storing or altering the data in any way. Should companies like these be subject to HIPAA? This is a point of contention that the government is trying to clarify, so far through guidance issued by Health and Human Services on the application of HIPAA to cloud service providers. Further, the OCR has developed an online privacy and security portal for mobile app developers, and HIMSS has developed a mobile health security kit. It will be important to remain aware of further guidance that may be issued by multiple government agencies.

But what if you’re not a covered entity and you don’t have a relationship with a covered entity that makes you a business associate? Just because you have access to medical data does not necessarily mean HIPAA applies. When someone buys a Misfit fitness tracker off the shelf, the data collected by the wearable is not protected by HIPAA. However, if a person receives a wearable from their physician to track certain data, that information likely is protected under HIPAA. This is an important distinction.

So if HIPAA doesn’t apply, what does? The Federal Trade Commission (FTC) has issued the Health Breach Notification Rule, which requires certain businesses to notify their customers if there is a breach of unsecured, individually identifiable electronic health information. It applies to any entity that is not subject to HIPAA but collects or maintains identifiable health information on an individual. Further, the FTC is becoming very active in enforcing its consumer protection laws against companies that misrepresent how an individual’s data is used or that fail to adhere to their own data use and protection policies.

Finally, states are able to establish rules more stringent than HIPAA, so it is very important to take such laws into consideration. A state may expand the definition of a covered entity or business associate, and may apply its laws to any entity that has access to the health information of a resident of the state. This may mean that the laws of a state where you have no physical location apply to you through the data you collect.

If you have any questions about what privacy laws may apply to your operations, please feel free to contact me directly at (214) 999-6132 or john.ferguson@huschblackwell.com.

When governing information, it works well to identify and bundle rules (for legal compliance, risk, and value), identify and bundle information (by content and context), and then attach the rule bundles to the information bundles. Classification is a great means to that end, by both framing the questions and supplying the answers. With a classification scheme, we have an upstream “if-then” (if it’s this kind of information, then it has this classification), followed by a downstream “if-then” (if it’s information with this classification, then we treat it this way). A classification scheme is simply a logical paradigm, and frankly, the simpler, the better. For day-to-day efficiency, once the rules and classifications are set, we automate as much and as broadly as possible, thereby avoiding laborious individual decisions that reinvent the wheel.

Full post: Adding some class to Information Governance (Part 1)

Cancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective action plan to remedy defects in its HIPAA compliance program.

Full post: $750K HIPAA settlement highlights importance of risk analysis, device control policy