electronic health records

On Friday, April 19, 2019, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) explained in an FAQ the circumstances under which electronic health record (EHR) systems may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) liability for an app’s impermissible use or disclosure

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30,  2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system.  On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.
Continue Reading ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

The EU-U.S. Privacy Shield’s recent introduction has created an efficient mechanism to ensure that trans-Atlantic personal data flows are lawful.  With that in place, attention is now turning back to restrictions within the EU, particularly around hosting data in cloud computing services.

European healthcare is particularly affected by such restrictions.  This has motivated a significant group of organizations and policymakers to come together and launch a collective “call to action” to European policymakers, urging greater support and reforms to enable broader use of cloud computing in healthcare.  The Call to Action was previewed at eHealth Week 2016 in June.
Continue Reading EU Organizations Call for More Support for Cloud Computing in Healthcare

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system.  The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016. 
Continue Reading UK Government Launches Cybersecurity Service For Healthcare Organizations

The Senate Judiciary Subcommittee on Privacy, Technology, and Law recently held a hearing to discuss federal enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, entitled “Your Health and Your Privacy: Protecting Health Information in a Digital World.” In that hearing, Subcommittee Chairman Al Franken (D-MN) told officials from the Department of Health and Human Services (HHS) and the Department of Justice (DOJ) that “the overall record of [HIPAA] enforcement is simply not satisfactory,” and asked why so few HIPAA complaints are actually prosecuted.  Franken and other panelists also emphasized the need for a final rule to implement the HITECH Act’s amendments to the HIPAA Privacy and Security Rules. 

Franken’s opening statement outlined the benefits of electronic health records, but emphasized that “we need to do more to protect this data and that is what this hearing is all about.”

The first panel included U.S. Attorney Loretta Lynch, who also serves on the Health Care Fraud Working Group of the Attorney General’s Advisory Committee, and Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR).  Both officials underscored their agencies’ commitment to enforcing medical privacy laws through HIPAA’s Privacy and Security Rules and the new HITECH Act.  Lynch testified about recent DOJ efforts to enforce HIPAA’s criminal provisions, while Rodriguez cited OCR cases against Massachusetts General Hospital and CVS/Rite Aid that led to substantial fines.Continue Reading Senate Hearings Focus on Lack of HIPAA Enforcement, Final HITECH Rule

The Office of the National Coordinator for Health Information Technology (ONC) is proposing to conduct a nationwide survey regarding consumer attitudes toward the privacy and security aspects of electronic health records (EHR) and electronic health information exchange, according to a notice in last Thursday’s Federal Register.

ONC’s plan is to use computer-assisted telephone interviews