Data Privacy Archives - Page 10 of 35

Data Privacy

OMB Reviewing Common Rule Overhaul

by Chelsea M. Rutherford and Jennifer S. Geetter | Jan 6, 2017 | Data Privacy, General Interest, Uncategorized

On January 4, 2017, the Department of Health and Human Services (HHS) submitted a draft final rule to amend the federal human research regulations to the Office of Management and Budget (OMB). These regulations, often referred to as the Common Rule, were originally developed in 1991 and have been adopted by multiple federal departments and agencies. OMB review is the last step before final publication and suggests that HHS is trying to release a final rule before President Obama leaves office on January 20, 2017.

Through its Office for Human Research Protections (OHRP), HHS initially published an Advanced Notice of Proposed Rulemaking in July 2011. The Advanced Notice generated significant controversy and OHRP did not publish a notice of proposed rulemaking (Proposed Rule) for over four years, ultimately doing so on September 8, 2015. The Proposed Rule, like its earlier Advanced Notice counterpart, suggested major changes to the Common Rule, including changes to its overall jurisdictional scope, requirements relating to secondary use of biospecimens and individually identifiable information, and the general research review and oversight process.

Since the Proposed Rule’s publication, OHRP has received significant feedback from both industry and expert advisory groups about the proposed changes and their overall impact. While certain proposed changes have been applauded, the Proposed Rule has also generated considerable concern and uncertainty among stakeholders.

The current status of OMB’s review is pending.

The Joint Commission Puts the Brakes on Text Messaging Patient Orders

by Sandra M. DiVarco | Dec 28, 2016 | Data Privacy, General Interest, Telehealth, Text Messaging, Uncategorized

The Joint Commission (TJC) recently clarified that licensed independent providers (LIPs) or other practitioners may not utilize secure text messaging platforms to transmit patient care orders. TJC’s earlier position provided that use of secure text messaging platforms was an acceptable method to transmit such orders, provided that the use was in accordance with professional standards of practice, law and regulation, and policies and procedures.

TJC identified the rationale for the reinstated prohibition against secure text messaging for patient care orders as one of patient safety—after “weighing the pros and cons” TJC and the Centers For Medicare and Medicaid Services (CMS) concluded that as the impact of the modality on patient safety remained unclear, and determined that approving its use was premature.

Read more here about how this clarification impacts health care organizations.

End of Year Attention to Health IT and Digital Health Tools in 21st Century Cures

by Daniel F. Gottlieb, Jennifer S. Geetter, Karen S. Sealander, Lisa Mazur and Scott Weinstein | Dec 13, 2016 | Consumer Protection, Data Privacy, Telehealth

On December 7, 2016, the US Congress approved the 21st Century Cures Act (Cures legislation), which is intended to accelerate the “discovery, development and delivery” of medical therapies by encouraging public and private biomedical research investment, facilitating innovation review and approval processes, and continuing to invest and modernize the delivery of health care. The massive bill, however, also served as a vehicle for a variety of other health-related measures, including provisions relating to health information technology (HIT) and related digital health initiatives. President Barack Obama has expressed support for the Cures legislation and is expected to sign the bill this month.

The HIT provisions of the Cures legislation in general seek to:

Reduce administrative and regulatory burdens associated with providers’ use of electronic health records (EHRs)
Advance interoperability
Promote standards for HIT
Curb information blocking
Improve patient care and access to health information in EHRs

As public and private payers increasingly move from fee-for-service payments to value-based payment models, with a focus on maximizing health outcomes, population health improvement, and patient engagement, HIT—including EHRs and digital health tools—will be increasingly relied upon to collect clinical data, measure quality and cost effectiveness; assure continuity of care between patients and providers in different locations; and develop evidence-based clinical care guidelines.

Read the full article.

ECJ Confirms Dynamic IP Address May Constitute Personal Data But Can Be Logged to Combat Cyberattacks

by Amy C. Pimentel and Dr. Claus Färber | Oct 31, 2016 | Cybersecurity, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, General Interest

On 19 October 2016, the European Court of Justice (ECJ) held (Case C-582/14 – Breyer v Federal Republic of Germany) that dynamic IP addresses may constitute personal data. The ECJ also held that a website operator may collect and process IP addresses for the purpose of protecting itself against cyberattacks, because in the view of the Court, preventing cyberattacks may be a legitimate interest of a website operator in its effort to continue the operability of its website.

The ECJ’s ruling was based on two questions referred to it by the German Federal Court of Justice (BGH). In the underlying German proceedings, a member of the German Pirate Party challenged the German Federal Government’s logging and subsequent use of his dynamic Internet Protocol (IP) address when visiting their websites. While the government is a public authority, the case was argued on the basis of German provisions that address both public and private website operators, and is therefore directly relevant for commercial companies.

(more…)

OCR Explains How Information Blocking Violates HIPAA

by Amanda Enyeart, Edward G. Zacharias, Daniel F. Gottlieb and Ryan S. Higgins | Oct 27, 2016 | Cloud, Consumer Protection, Cybersecurity, Data Privacy, General Interest

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently posted guidance (OCR guidance) clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a covered entity customer to protected health information (PHI) maintained by the vendor on behalf of the customer. Such “information blocking” could occur, for example, during a contract dispute in which a vendor terminates customer access or activates a “kill switch” that renders an information system containing PHI inaccessible to the customer. Many information vendors have historically taken such an approach to commercial disputes.

Read full article here.

The Privacy Shield: September 30, 2016, Deadline for Early Self-Certification Offers Compliance Opportunity and Risk

by McDermott Will & Emery, Amy C. Pimentel and Michael G. Morgan | Sep 6, 2016 | Data Privacy, Data Transfers/Safe Harbor/Privacy Shield

The European Commission recently determined that the Privacy Shield Framework is adequate to legitimize data transfers under EU law, providing a replacement for the Safe Harbor program. The Privacy Shield is designed to provide organizations on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Organizations that apply for Privacy Shield self-certification by September 30, 2016, will be granted a nine-month grace period to conform their contracts with third-party processors to the Privacy Shield’s new onward transfer requirements.

Read the full article here.

Augmented Reality

by Lynne Boisineau | Aug 25, 2016 | Cloud, Cybersecurity, Data Privacy, General Interest, Mobile Apps, Social Media

If you haven’t heard about newest gaming craze yet, it’s based on what is called “augmented reality” (AR) and it could potentially impinge on your home life and workplace as such games allow users to “photograph” imaginary items overlaid with objects existing in the real world. An augmented reality game differs from “virtual reality” in that it mixes elements of the real world with avatars, made up creatures, fanciful landscapes and the like, rather than simply presenting a completely fictional scenario. Whether you play such games yourself or are merely existing in nearby surroundings, here are few things to think about as an active participant, and some tips regarding Intellectual Property and confidentiality issues that arise from others playing the game around you.

Augmented reality games are typically played on a smartphone app and some of them allow the user to capture images of the player’s experience and post it on social media, text it to friends or maintain it on the phone’s camera roll. However, special glasses could be used or other vehicles could deliver the augmented reality experience in different contexts—not just gaming. For example, technology in this area is rapidly advancing which will allow users to link up and “experience” things together way beyond what exists in the real world, i.e., in a “mixed world” experience, if you will. These joint holographic experiences are just one facet of the direction that augmented reality is taking.

As always, with new technological advancements, there are some caveats to using AR that you should be aware of.

Trademarks

If a company’s trademark is visible in the photo of your AR experience, you need to be mindful that you do not run afoul of trademark laws. For the same reasons that some trademarks are blurred out on TV shows, you should not be publishing such photos in any fashion that might draw negative attention from the trademark owner on social media accounts. Even if you are not selling competing goods, you could potentially be liable for trademark infringement. There is another, more important reason not to post such photos that is discussed below and can lead to a second cause of action against you arising from the same photo—the right of publicity, which is a personal right and is treated in vastly different ways in each state.

Right of Publicity

The Right of Publicity (ROP) protects everyone from misappropriation of his/her name, likeness, voice, image or other recognizable element of personal identity. It is protected by state law and many states vary greatly in their treatment of ROP. For example, some states protect a person’s ROP post-mortem, whereas others have no protection whatsoever. Due to the ease with which still or moving images can be reproduced and posted on the Internet, it is critical that you consider your postings from a ROP standpoint before you upload that image to a social media account. For instance, if your photo features your best friend taken in a shared AR experience, she may not object [...]

Continue Reading

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

by Michael G. Morgan | Aug 8, 2016 | Consumer Protection, Cybersecurity, Data Privacy, Email/Spam, Telehealth

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

Read the full article here.

Brexit Update: The Effect of Brexit on Data Transfers between the United Kingdom and the European Union

by Dr. Claus Färber | Jul 21, 2016 | Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, General Interest

With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and EU and European Economic Area (EEA) countries is at risk. Even though Brexit will likely have the biggest impact on the financial sector, businesses in the United Kingdom that rely on the free flow of personal data to and from EU nations will also be affected. In particular, should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data protection laws, transfers to data processors in the United Kingdom would have to be based on an adequacy decision of the European Commission, standard contractual clauses (model contracts) or binding corporate rules.

Read the full article here.

AMA Approves New Ethical Guidance Policy and Encourages Telemedicine Training for Students and Residents

by McDermott Will & Emery and Lisa Mazur | Jun 20, 2016 | Consumer Protection, Data Privacy, General Interest, Mobile Apps, Telehealth

New Ethical Guidelines

On June 13, the American Medical Association (AMA) adopted a new ethical guidance policy governing the practice of telemedicine that will be published in the coming months. The policy is based on a report from the AMA Council on Ethical and Judicial Affairs and builds upon the AMA’s 2014 telemedicine guidance.

Consistent with past guidance from AMA and other professional organizations, the AMA notes that the ethical responsibilities of physicians are the same – regardless of whether the physician communicates with a patient in-person or remotely – and encourages providers to recognize the potential uses and limitations of technology when delivering care. “Telehealth and telemedicine are another stage in the ongoing evolution of new models for the delivery of care and patient-physician interactions,” said AMA Board Member Jack Resneck, MD. “The new AMA ethical guidance notes that while new technologies and new models of care will continue to emerge, physicians’ fundamental ethical responsibilities do not change.”

The 2016 policy recommends that once a patient-physician relationship is established, physicians who engage in telemedicine by responding to individual health queries electronically or providing clinical services through telemedicine:

Must disclose financial or other interests in certain telemedicine applications or services
Must protect patient privacy and confidentiality
Should inform patients of the limitations of the telemedicine encounter
Should encourage patients to inform their primary care doctor about the encounter
Should advise patients how to arrange follow-up care
Should, when necessary, recommend the use of a telepresenter or other health care professional at the originating site (e., the patient’s physical location)

Notably, the 2014 guidance required that a patient-physician relationship be established prior to the provision of telemedicine services. The relationship could be established during a face-to-face examination, through a consultation with another physician, or by meeting the evidence-based practice guidelines developed by major medical specialty societies. While the 2014 guidance did not specify whether the face-to-face examination must occur in-person, rather than digitally, many interpreted this requirement to be satisfied via an interactive telemedicine encounter.

In addition, the 2016 policy formally recognizes the importance of a “coordinated effort across the profession,” which includes clarifying standards and promoting access to technology. That said, the 2016 policy still requires the licensure of physicians in the state in which the patient is located. (As a general rule, physicians that practice telemedicine are subject to the licensure rules of both the state in which their patient is physically located and the state in which the provider is practicing.) One potential avenue for facilitating multi-state licensure is the Federation of State Medical Boards’ Interstate Medical Licensure Compact, which offers a streamlined licensure process in each Compact state. The Compact has been adopted by 17 states thus far and more are expected to join this year and in 2017.

In sum, the AMA’s new ethical guidance should help physicians to better understand how their fundamental ethical responsibilities may play out differently when patient interactions occur through technology, and how this technology can [...]

Continue Reading

Older Posts »

« Newer Posts

BLOG EDITORS

Amanda Enyeart

Marshall E. Jackson, Jr.

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

RECENT POSTS