Digital Health and Privacy
Cybersecurity compliance amid the promise of telemedicine
Digital health is the application of digital and computing technologies and the harnessing of an immense array of related personal and other data to deliver enhanced and, in many cases, individualized, health care information and services. Innovations in digital health promise vastly improved health care as well as significant quality-of-life and financial benefits for consumers of health care services.
While advancements in health care delivery have paralleled those in technology throughout the modern era of medical science, the field of digital health in the U.S. was propelled significantly forward after the 2009 passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which offered financial incentives for health care providers and technology companies to develop and implement interoperable electronic health records (EHR) systems.
The EHR was conceived as a comprehensive repository for an individual’s health information and health treatment history that would make it easier for patients to receive more effective treatments from providers equipped with greater patient information. EHRs could also serve as a central database for related payment information, thereby improving health care payment flows. To top it off, a personal health history might be carried around by each individual on a smart card or otherwise be universally accessible through linked networks by every care provider that an individual might need.
The implementation of EHR systems still has a long way to go before meeting their potential. Yet, much like the technology that spun off from the moonshot efforts of the 1960s, the incentives that spurred the initial and ongoing development of EHR systems also served as a major catalyst for numerous other digital health innovations.
Devices, Mobile Applications… and Privacy Concerns
We now have countless mobile applications that allow the collection and monitoring of all types of personal data to optimize exercise and health-related activities, administer and regulate medications, track our diets, manage and treat chronic conditions, and notify us of abnormalities that occur within our bodies, to name only a few uses. Wearable and implantable devices work in combination with such applications to extend these health care capabilities even further. The homebound can now interact remotely with health care providers in virtual house calls by sharing images and other data and receive real-time diagnoses, treatments and prescriptions. Artificial intelligence is being applied within “smart” prosthetic devices that enable amputees to engage in activities with performance that rivals or even exceeds that of natural limbs. The ability to collect and analyze individual genomic information opens up the possibility for personalized and predictive assessments and care regimens to help prevent diseases before symptoms appear. And the list of possibilities goes on.
A common thread that connects almost all of these wonderful, life-enhancing innovations is that they are made possible by the collection, analysis and subsequent application of extensive health information and other personal data and data sets. Because personal health information and related financial information are among the most sensitive types of personal information, the manner in which such data are gathered, handled and stored requires careful attention.
Thus, the immense promise of digital health, resting on a foundation of extensive personal data, also carries with it significant concern over expectations of personal privacy and the security of personal data. Predictably and understandably, these concerns are the source of extensive legal regulation.
HIPAA and HITECH Protections
In the United States, Title II of the Health Insurance Portability and Accountability Act (HIPAA) and Subtitle D of the HITECH Act and the accompanying Department of Health & Human Services (HHS) are the most significant sources of safeguards for protected health information (PHI). Collectively, these laws and regulations seek to protect PHI by imposing a comprehensive framework of privacy and security obligations concerning PHI on “covered entities,” i.e., health care providers, health plans and health care clearinghouses, and their “business associates,” i.e., vendors and others that supply and support health care providers and other covered entities.
Specifically, PHI means individually identifiable health information created or received by a covered entity that relates to (i) the physical or mental health or condition of an individual, (ii) the provision of health care services or (iii) the payment for health care, and that identifies an individual or from which there is a reasonable basis to believe that the information can be used to identify an individual. Thus, a great deal of the information collected from digital health activities is PHI if collected by a covered entity or a business associate.
The data privacy and security obligations of HIPAA and the HITECH Act are best understood by considering three broad sets of regulations issued by HHS commonly referred to as the Privacy Rule, the Security Rule and the Breach Notification Rule. These regulations are in turn subject to the related regulations comprising the Enforcement Rule, which authorizes HHS’s Office of Civil Rights (OCR) to enforce these rules and impose substantial penalties for their violation. Each of these rules and their enforcement are addressed below.
The Privacy Rule
The Privacy Rule is intended to ensure PHI is treated with due respect for each individual’s privacy, and underpins the HIPAA and HITECH regulatory scheme for the protection of PHI. In this sense, the other rules are meant to reinforce the expectations of privacy and protections established by the Privacy Rule. Under HIPAA, use of PHI is restricted to only certain authorized uses connected with treatment, and then only information that is the minimum reasonably necessary for the permitted purpose, or those uses as to which an individual has given consent, such as for marketing. A notice of permissible privacy practices must be provided before services are provided. Individuals are allowed to access and review PHI records and request an accounting for most nontreatment- and nonpayment-related disclosures of the individual’s PHI made by a covered entity and its business associates.
The Security Rule
Generally, covered entities and business associates must satisfy the following security objectives: ensure the confidentiality and integrity of electronic PHI handled by them, protect against reasonably anticipated threats to the security or integrity of such PHI and reasonably anticipated unauthorized uses and disclosures of such PHI, and train their staff on related compliance matters.
To accomplish the foregoing, appropriate administrative, physical and technical safeguards and organizational processes must be implemented, and once implemented must be periodically evaluated to ensure that these safeguards and processes continue to fulfill the overall objectives noted above.
The Security Rule sets forth a wide array of mandatory as well as “addressable,” or optional, practices for covered entities and business associates to consider if warranted by the applicable circumstances. Of particular note is that while encryption of PHI is not required under the security regulations, if PHI is encrypted at an appropriate level of strength, a breach that involves such data is not subject to required disclosure under the Breach Notification Rule. As a result, in addition to being a best practice for data protection, the decision to encrypt electronic PHI is often driven by a covered health care entity being able to avoid potentially embarrassing disclosures if a breach occurs.
The Breach Notification Rule
The unfortunate reality is that data breaches occur even with covered entities and business associates that are diligent and fully comply with their obligations under the Privacy and Security rules. When a breach occurs, the Breach Notification Rule is triggered and, absent an applicable exception, requires that, no later than 60 days after discovery of the breach, actual or constructive notice of key details is provided to affected individuals, to HHS and, in some cases, to relevant news media.
A breach is broadly defined as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule and that compromises the security or privacy of the PHI. An unauthorized acquisition, access, use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate is able to demonstrate, after conducting and documenting a thorough risk assessment, that a low probability exists that PHI has been compromised. However, breach notifications are required only if the PHI was “unsecured,” meaning it was not rendered unusable, unreadable or indecipherable to unauthorized persons through use of approved technologies, such as with specified levels of strong encryption, as noted earlier.
Enforcement by OCR
As with so many other sectors of our society where personal data is involved, the occurrence of data breaches involving health care providers and their business partners has not gone without notice by the OCR division of HHS, which is the principal investigatory and enforcement agency within HHS for health care data privacy and security concerns. Most typically, an OCR investigation is triggered by a complaint being filed by an affected individual or a covered entity or a business associate filing a required data breach notification report. Requests by the OCR for follow-up information are routine and responses to such requests frequently reveal lapses by the reporting entity in one or more areas for which compliance is mandated.
Violations are subject to civil money penalties up to $50,000 per violation, with an annual cap of $1.5 million. The absence of willfulness, prompt corrective action or other mitigating circumstances are all taken into account in how penalties are assessed. Criminal penalties and fines are also possible for intentional violations.
Historically, the OCR has been restrained in imposing civil money penalties. However, over the past few years, as more attention has been given to privacy and security matters, the OCR has significantly stepped up its audit and enforcement activities for suspected noncompliance with the Privacy and Security rules. The result is that the number of actions brought for which civil money penalties have been imposed has more than doubled from prior years and the average size of penalties per case has increased markedly, to over $1 million. In addition, last year, the OCR also imposed its first-ever penalty on a business associate and, earlier this year, its first-ever penalty for a failure to provide timely data breach notices.
Other Federal Privacy And Cybersecurity Oversight Affecting Digital Health
Although covered entities and their business associates have significant involvement with digital health initiatives, other entities in the digital health realm are neither traditional health care providers nor their vendors or contractors. For these entities, the scope of regulated privacy and cybersecurity protections is notably less encompassing than that addressed by HIPAA or the HITECH Act. Chief among these other entities are medical device manufacturers, developers of mobile software applications that have health-related uses, and providers of health records. For these entities, the Food and Drug Administration (FDA) and the Federal Trade Commission (FTC) are the two federal agencies with regulatory authority for digital health privacy and cybersecurity matters, but the approach taken to such matters is considerably less comprehensive than the attention paid by HHS to these concerns.
The FDA regulates medical devices for safety and effectiveness concerns through its pre-market notification, review and approval authority under the Food, Drug and Cosmetic Act. Because many medical devices and health-related mobile apps are deemed not to pose a significant risk of harm to user safety, they are categorized as Class I devices for which a pre-market review or approval is not required by the FDA, even though many of these devices collect and process personal data and thereby implicate privacy and security concerns.
However, although the FDA has issued a series of official Guidances on cybersecurity matters to manufacturers and developers, which recommend that mitigation of reasonably anticipated cybersecurity risks be taken into account in the design of medical devices and health-related mobile apps, these Guidances are advisory in nature. Even for Class II and Class III devices, which require more scrutiny due to heightened sensitivity for safety and effectiveness, because the FDA is focused principally on a concern for physical harm to medical device users, the agency only indirectly requires that cybersecurity controls be addressed in such devices as a recommended best practice and not as a requirement, absent a genuine health safety risk.
The FTC fills part of the legal void for non-regulated entities and devices. It relies on its long-standing authority under the Federal Trade Commission Act to address unfair and deceptive trade practices. Consequently, the FTC has asserted itself aggressively in matters of data privacy and security on the basis of holding marketplace participants accountable for the privacy and security promises made to customers, with the failure to honor such commitments being treated as a prosecutable deceptive trade practice.
Connected devices and the “Internet of Things” have received special attention from the FTC. So, it’s likely that the FTC will insert itself more pointedly in cybersecurity matters arising out of digital health efforts by non-health care providers. The FTC has also specifically staked out monitoring the data privacy and security practices of businesses that are providers of health records that are not otherwise covered entities under HIPAA.
Brett Lockwood is a partner in SGR’s Corporate Practice and chairs the Technology Law Practice.