Today kicks-off one of Austin’s largest and best-known events, the South by Southwest Interactive Conference. In the spirit of Husch Blackwell’s involvement in several aspects of the conference, this post will touch on emerging health technology and pushing the limits of HIPAA.
New technology is being developed to be used in healthcare settings on a near daily basis. Telehealth, mobile apps, medical devices, implantables, robotics, electronic health records, e-prescriptions, digital pills, and wearables are just a few of the innovations that contribute to a patient’s treatment. There are more ways for people to access medical care, and more ways to produce and share patient data with healthcare providers than ever before. At some point in the development stage, you and your team probably asked questions like these:
- What data are we collecting? Where do we keep it?
- How can we use it? How can we not use it?
- Who owns it? Can we own it?
- Does HIPAA apply to us?
- Are there other laws we need to worry about?
- What if we lose some data?
First things first, a quick primer on HIPAA, the law you’re likely generally aware of. HIPAA is comprised of a privacy component and a security component. The HIPAA privacy rule addresses the confidentiality of certain health information and the HIPAA security rule sets basic security standards for certain health information held or transferred in electronic form. These regulations apply to covered entities and their business associates. Generally, a covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider. A business associate is an individual or entity that creates, receives, maintains or transmits PHI in the course of performing services on behalf of a covered entity. Basically, PHI may not be used or disclosed by a covered entity (or a business associate on its behalf) without patient authorization unless an exception applies. One frequently cited exemption relates to the use and disclosure of PHI necessary to carry out treatment, to obtain payment, or to conduct healthcare operations. When PHI is shared between a covered entity and a business associate the parties execute a business associate agreement that governs the business associate’s use and security of PHI.
Innovative technology is pushing the limits of HIPAA. Companies may encrypt and store data for a covered entity but never have access to it, and companies may act purely as a conduit to connect two hospital systems sharing data but never store or alter the data in any way. Should companies like this be subject to HIPAA? This is a point of contention that the government is trying to clarify. This has been done through guidance issued by Health and Human Services addressing the application of HIPAA to cloud service providers (found here). Further, the OCR has developed an online privacy and security portal for mobile app develops (found here) and HIMSS has developed a mobile health security kit (found here). It will be important to remain aware of further guidance that may be issued by multiple government agencies.
But what if you’re not a covered entity and you don’t have a relationship with a covered entity that makes you a business associate? Just because you have access to a medical data does not necessarily mean HIPAA applies. When someone buys a Misfit fitness tracker off the shelf, the data collected by the wearable is not protected by HIPAA. However, if a person receives a wearable from their physician to track certain data, that information likely is protected under HIPAA. This is an important distinction.
So if HIPAA doesn’t apply, what does? The Federal Trade Commission (FTC) has issued the Health Breach Notification Rule to require certain businesses to notify their customers if there’s a breach of unsecured, individually identifiable electronic health information. This applies to any entity that is not subject to HIPAA, but collects or maintains identifiable health information on an individual. Further, the FTC is becoming very active in enforcing its consumer protection laws against companies for misrepresenting how an individual’s data is used or a company’s failure to adhere to its own data use and protection policies.
Finally, states are able to establish rules more stringent than HIPAA so it is very important to take such laws into consideration. A state may expand the definition of a covered entity or business associate, and may have its laws apply to any entity that has access to the health information of a resident of the state. This may mean that the laws of a state where you don’t have a physical location may apply to you through the data you collect.