The use of new technologies such as digital health applications, telemedicine, and information exchanges can provide game-changing benefits for providers and patients alike. However, with increased sharing comes increased risks to both the security and the privacy of patient information. Most digital health and telemedicine companies are aware of data security and breaches. However, an arguably more important compliance area is the intentional sharing of protected health information (PHI) with third parties, whether for data mining, research, or marketing purposes. Because data sharing and data mining will only continue to grow across the health care industry, providers and vendors must understand when and how they can share PHI, including monetization opportunities, and when they must obtain the patient’s express authorization.
This article highlights some key privacy laws and rules digital health and telemedicine companies should consider before sharing, mining, or monetizing patient health information. For deeper discussions of telemedicine and digital health legal issues, please join us for “Direct to Consumer: Legal and Regulatory Issues for Entrepreneurs,” an educational program offered at the American Telemedicine Association’s 2018 Annual Conference and Expo in Chicago on April 30, 2018.
The unknown of big data opportunities can either leave companies unnecessarily fearful of sharing the PHI of their patients, or conversely, overly lax and eager to share PHI. Data mining, which allows providers to discover patterns and extract connections by examining large data sets, can benefit patients as a whole because it makes certain services more precise and powerful. Consider, for example, how genetic counseling becomes more effective when more data is mined from patients with diseases and chronic illnesses. A recent report by HFMA and Humana showed 70% of providers believe seamless health data sharing is essential to success under value based care models. Similarly, a Pew Research survey indicated that while Americans are sensitive about maintaining their personal information, 52% would find healthcare data sharing acceptable. Interoperability of shared data is one of the most important aspects of this industry trend.
Even Bruce Greenstein, Chief Technology Officer of the Federal Department of Health and Human Services, pledged at HIMSS18 to share more health data between federal departments and with the public. “The American people own the data that is in HHS, not a bureaucrat that has been there for 20 years and thinks that they have the control because other people might misuse it,” he said. “People outside of our building will do much better things with it than we are doing with it alone right now.” Data sharing must be done in a meaningful, cohesive manner. Shared data must be readable, usable, and available to other providers. As data sharing becomes more accepted throughout the health care industry, companies must take steps to ensure their data sharing complies with state and federal regulations which protect patient privacy and the choice not to share PHI.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law which governs the use and disclosure of PHI by covered entities, defined as health plans, health care clearinghouses, and health care providers who electronically transmit PHI. The general rule is that PHI cannot be disclosed without the patient’s authorization. However, certain uses and disclosures of PHI for treatment, payment, and health care operations (TPO) do not require patient authorization if the TPO conditions under HIPAA are met. Fortunately, many data sharing arrangements can be structured to meet the TPO exception and therefore would not require the patient’s authorization. Even if a provider shares PHI under the TPO exception, it must still comply with minimum necessary disclosure requirements, agreed upon patient restrictions to the use and disclosure of PHI, and other state laws which may be more stringent in how providers can share patient data.
As with many things, the rules get more complex – and restrictive – when money gets involved. If PHI is shared (or even used) in exchange for remuneration or for marketing purposes, additional requirements must be met. This sometimes includes the requirement that the provider obtain the patient’s express authorization to use or share the data, even if the disclosure would otherwise have met the TPO exception. For example, if the covered entity receives payment for sharing or using the data, that disclosure no longer meets the TPO exception (e.g., a third party vendor wants to pay the provider to send an email blast to a select group of the provider’s patients). In that case, the covered entity must obtain a valid patient authorization that specifically states the disclosure will result in remuneration to the covered entity.
A practice pointer regarding authorizations: An authorization is not the same thing as patient consent. An authorization is a detailed document that gives covered entities permission to use PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. A valid authorization must specify a number of elements, including a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date or event, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.
HIPAA contains specific rules related to the use and disclosure of patient data for research or clinical trials. For example, if PHI is used for research or clinical trials, providers must obtain approval from an Institutional Review Board or privacy board waiver of authorization, receive an authorization from an individual to create a research repository, use the PHI through the collection and use of a limited data set, or use the PHI through the collection and use of de-identified information. Data is de-identified by removing individually identifiable health information from patient information, leaving no reasonable basis to believe that the de-identified information can be used to identify an individual. Under HIPAA, de-identified information is not considered PHI and is therefore not subject to HIPAA’s privacy regulations. However, de-identification of data is not a turnkey solution to privacy and security compliance, and there are use cases and applications where it is beneficial to use the complete PHI data set.
Not all digital health or telemedicine companies are covered entities under HIPAA. But even if HIPAA does not apply, state law still applies, and can cover information broader than just PHI. In addition to patient privacy protections under federal law, it is also important to be aware of state law restrictions, which are often more broad, nuanced, and stringent than the requirements under HIPAA. Federal and state privacy laws must be read together in harmony, applying the most stringent provisions from each in the event of a conflict. Additionally, there may be unique requirements related to patient authorizations or this map of breach notifications across all 50 states, including reduced notification time lines. There may be other nuances such as California’s 14 point font requirement. Moreover, the nature of the clinical records affects the applicable privacy and security laws. Mental health treatment records, substance abuse records, and HIV diagnoses are typically considered ultra-sensitive records which require providers to take additional actions to maintain their privacy. For these reasons, many digital health and telehealth companies voluntarily choose to follow the HIPAA guidelines, even if they are not formally a covered entity.
Most cybersecurity experts concur that no company’s data security is absolutely impenetrable. Addressing ransomware and hack-based breaches, including developing a cybersecurity incident response plan, has become part of doing business in the healthcare industry. These are essential compliance considerations. While big data breaches make the headlines, and sometimes result in government settlements, the public can be forgiving on providers, particularly if the data breach was a cyber-attack not attributable to carelessness.
In contrast, there has yet to be a notable HHS Office of Civil Rights settlement based on a covered entity sharing/selling PHI to a third party without first obtaining proper patient authorization. When such an event occurs, the public may be less likely to forgive and forget, as the company made a deliberate decision to sell patient data without authorization, and was not the victim of a cyber-attack. The White House’s FY 2019 proposed budget cut OCR funding by approximately 20% compared to last year, which left some uncertainty as to the level of enforcement actions. (Congress ultimately did not follow those proposed budget cuts for OCR.) Protection of patient privacy is not only important to the federal government, it is important to many patients who feel they should own and control their health data.
Outside OCR, the FTC has issued fines and settlements against online health companies for improper online privacy practices based on the notion they are “unfair and deceptive acts or practices.” The two primary concerns in this niche are: 1) truthful advertising of the health app’s capabilities, and 2) transparent privacy practices regarding user data. Fortunately, the FTC has published a number of helpful resources for health technology companies, including Best Practices for Mobile Health App Developers, Marketing Your Mobile App, and the Mobile Health Apps Interactive Tool.
The opportunity for big data to drive transformative healthcare solutions is evident, but the challenges in achieving that opportunity – whether technical, institutional, operational, or legal –are complex. The regulatory landscape, which seeks to limit the misuse of confidential health information and protect legitimate privacy and security concerns, must be navigated by those digital health or telemedicine companies seeking to mine or monetize health care data.
For more information on telemedicine, telehealth, virtual care, and other health innovations, including the team, publications, and other materials, visit Foley’s Telemedicine and Digital Health Industry Team and read our 2017 Telemedicine and Digital Health Executive Survey.
This article was originally published in Telemedicine Magazine and appears here with permission.
This article was also published in Massachusetts Law Weekly.
This article was also republished in The Journal Record.