We expect many of the trends of 2021 in health data privacy to continue to pick up steam this year. See below for six noteworthy trends that life sciences and healthcare companies should continue to keep an eye on in 2022:
- Interoperability of Health Records to Facilitate the Electronic Exchange of Health Information
- Patient Access Rights to their Medical Records
- Litigation and Enforcement Focus on Individual Consent to Data Sharing
- Health Data Breach Notification and Security
- Growing Patchwork of State Laws in the United States (U.S.)
- Navigating Health Data Transfers both from Outside and Within the European Union (EU)
1. Interoperability of Health Records to Facilitate the Electronic Exchange of Health Information
As described below, there are several new and impending interoperability rules and frameworks to facilitate the exchange of electronic health information, including for the purposes of care coordination and case management. Life sciences and healthcare companies should consider revisiting their data sharing policies and procedures to ensure that they are in compliance with applicable requirements, such as:
Prohibition on Information Blocking
Rules released by the Office of the National Coordinator for Health Information Technology (ONC) in the U.S. Department of Health and Human Services (HHS) are now in effect that prohibit health IT developers of certified health IT, healthcare providers, health information networks, and health information exchanges from engaging in information blocking. The 21st Century Cures Act defines “information blocking” as business, technical, and organizational practices that prevent or materially discourage the access, exchange, or use of electronic health information.
Payer to Payer Exchange of Medical Records
Rules released by the Centers for Medicare and Medicaid Services (CMS) require government health plans (such as Medicare Advantage and managed Medicaid plans) to maintain a process for the electronic exchange of electronic health information with other government and commercial health plans at the direction of the individual. While there is “enforcement discretion,” payers are working to comply with this new exchange requirement.
Connecting Health Information Networks
To operationalize the ONC and CMS interoperability rules, the ONC published the Trusted Exchange Framework and the Common Agreement (TEFCA) in January 2022. TEFCA offers a set of non-binding principles for the exchange of health information. Specifically, it establishes a technical and governance infrastructure that connects health information networks together, with the goal of establishing “a universal floor of interoperability across the country” by which healthcare providers, plans and patients may securely exchange patient records.
Final HIPAA Regulations Expected Later this Year
HHS is expected to issue the final changes to the HIPAA Privacy Rule by the end of 2022. The Privacy Rule has not been amended since 2013. The HHS Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking in December 2020 that proposed a number of changes to the Privacy Rule, including changes related to the exchange of protected health information (PHI).
Proposed Changes to Part 2 Regulations Expected Later this Year
The federal Coronavirus Aid, Relief, and Economic Security (CARES) Act amended the federal law that governs the confidentiality of substance use disorder (SUD) treatment records. The statutory change requires the Substance Abuse and Mental Health Services Administration (SAMHSA) to amend 42 CFR Part 2 regulations related to such treatment records. Proposed regulations, likely to be published in early 2022, are expected to align Part 2 more closely to the uses and disclosures of protected health information permitted under the Health Insurance Portability and Accountability Act (HIPAA).
2. Patient Access Rights to their Medical Records
Consistent with the push for the interoperability of health information is the continued focus on individuals’ right to access their medical records.
Patient Access to Medical Records Held by Governmental Health Plans
Final CMS rules require government health plans to have secure, standards-based application programming interfaces (APIs) that support a patient’s access to core data in their electronic health record (EHR). These APIs allow the patient to direct their electronic health records to a third party, such as an app.
OCR Enforcement Priority
OCR focused its 2021 enforcement efforts on patients’ rights to promptly receive copies of their medical records, in line with its 2019 HIPAA Right of Access Initiative. Of the thirteen (13) HIPAA settlements in 2021, eleven (11) settlements resulted from right of access violations, with penalties totaling $852,150. Covered entities should be mindful of notices received from both OCR and patients related to the right of access to avoid potential liability.
3. Litigation and Enforcement Focus on Individual Consent to Data Sharing
The role of individual consent to data sharing was a focus of litigation and enforcement actions in 2021, and we expect this trend to continue. See, for example, the recent Massachusetts cookie settlement and Federal Trade Commission (FTC) settlement with Flo Health described below.
Massachusetts Cookie Settlement
Late last year, several Massachusetts health care providers settled a class action suit for $18.4 million, which may have wide-ranging effects on the way in which health care providers use cookies and other analytics tools on their websites. The plaintiffs in John Doe and Jane Doe, et al. v. Partners Healthcare System, Inc., et al. alleged that over 30 health care providers did not obtain “sufficient consent when placing third party analytics tools, cookies and pixels on their general and publicly accessible websites” and disclosed the information collected through these tools to third parties without consent. When a patient, for example, set up an appointment through a provider web portal, the patient’s IP address was allegedly not masked before being shared with the analytics provider, allowing third-party companies to see health care-related information. Hospitals, providers, and health plans that use cookies on their websites should consider evaluating the kind of information they disclose to analytics companies to mitigate the related risk.
FTC Flo Health Settlement
Apps that collect and share health information should be mindful of the information that they share with third parties and ensure that they put consumers on notice of such disclosures in light of the FTC’s 2021 settlement with Flo Health, Inc., a popular fertility-tracking app. In its complaint, the FTC alleged that, although Flo represented that it would keep users’ health data private, in practice, it shared the health data of over 100 million users with third parties that provided marketing and analytics services to Flo. The FTC alleged that this sharing of information directly contradicted Flo’s privacy policy and violated the terms of service/use of several of the third parties with whom it shared this information. As part of the settlement, Flo agreed to notify affected users about the disclosure of their health data and direct third parties to destroy any health data they may have received. Significantly, the settlement also required Flo to provide a separate detailed notice to users and obtain users’ affirmative express consent prior to sharing health data with third parties.
4. Health Data Breach Notification and Security
It should come as no surprise that we expect to continue to see significant emphasis placed on data breach reporting and security.
Federal Trade Commission Health Breach Notification Rule
In September 2021, the FTC announced its intent to enforce the Health Breach Notification Rule (Rule) and to expand the Rule’s applicability to non-HIPAA regulated entities, such as health apps and connected devices. Under the Rule, vendors of personal health records (PHRs) and PHR-related entities are required to report security breaches to the FTC, to individuals, and in some cases, to the media. As discussed in Orrick’s earlier guidance, the Rule has been in effect since 2009, but the FTC has never enforced it, and to date there have only been four instances in which a company provided notice to the FTC under the Rule. Nonetheless, given the FTC’s renewed interest in enforcing the Rule, life sciences and healthcare companies not regulated by HIPAA should be mindful of their potential reporting obligations, which cover unauthorized acquisition not only through cybersecurity intrusions but also through the sharing of health information without an individual’s consent (again highlighting the importance of obtaining patient consent before sharing their health information).
Part 2 Breach Notification
The CARES Act not only requires the Part 2 regulations governing the confidentiality of substance use disorder (SUD) treatment records to be updated, but also includes a new breach notification rule applicable to SUD treatment records that are not already subject to HIPAA’s breach notification rule.
False Claims Act Liability
Although not directed solely at the healthcare industry, the U.S. Department of Justice announced a Civil Cyber-Fraud Initiative that will target government contractors and federal grant recipients that fail to comply with cybersecurity standards, misrepresent their security controls and practices, and fail to timely report suspected breaches. We expect the scope of the initiative to include life sciences and healthcare companies that contract to provide services and products to the federal government.
New Resources
To aid with security, the government launched new resources, including the following.
5. Growing Patchwork of State Laws in the United States (U.S.)
As new state data privacy laws continue to come into effect, life sciences and healthcare companies should consider the extent to which these laws apply to their business and take steps to come into compliance as needed.
U.S. State Consumer Privacy Laws
As discussed in Orrick’s earlier guidance, changes to state consumer privacy laws in California, Colorado, and Virginia will become operative in 2023. These laws include key exemptions that may apply to healthcare or life sciences companies. For example, all three laws contain exemptions for entities or personal information that is regulated by HIPAA, but the scope of the exemption differs from state to state. The California Privacy Rights Act (CPRA) and the Colorado Privacy Act (CPA) contain exemptions for protected health information (PHI) subject to HIPAA but do not exempt HIPAA covered entities or business associates. In contrast, the Virginia Consumer Data Privacy Act (VDCPA) exempts both HIPAA covered entities and business associates, as well as PHI.
Biometric and Genetic Laws
Similarly, we continue to see states adopt biometric- and genetic-specific privacy laws. These states include California, Illinois, Texas, Utah, and Washington. Like the state consumer privacy laws, they have varying exceptions for HIPAA-governed data and entities.
6. Navigating Health Data Transfers both from Outside and Within the European Union (EU)
Roadblocks Continue for International Health Data Transfers
The global COVID-19 pandemic has shined an even brighter light on the need to smooth the international transfer of health data for research in the aftermath of the Schrems II decision and the absence of a Privacy Shield replacement. In particular, we expect researchers and other public interest groups to continue their focus on the need to find practical solutions for the transfer of pseudonymized health data out of the European Economic Area for research. Advances in vaccines, cancer treatment, and public health require it.
European Health Data Space
The European Commission (EC) is expected to finalize a proposal for the European Health Data Space (EHDS) in early 2022. EHDS is an initiative to promote the exchange of and access to health data to support health care delivery, research, and policymaking, and to enhance the interoperability of data that is shared between EU Member States. The EC published a public consultation from 2020 to 2021 to gather additional information on the effect of the initiative, including how the General Data Protection Regulation (GDPR) and the data protection initiatives of each EU Member State affect the sharing of health data and the use of artificial intelligence in healthcare.