Health IT

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30, 2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system. On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.
Continue Reading ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient

The EU-U.S. Privacy Shield’s recent introduction has created an efficient mechanism to ensure that trans-Atlantic personal data flows are lawful.  With that in place, attention is now turning back to restrictions within the EU, particularly around hosting data in cloud computing services.

European healthcare is particularly affected by such restrictions.  This has motivated a significant group of organizations and policymakers to come together and launch a collective “call to action” to European policymakers, urging greater support and reforms to enable broader use of cloud computing in healthcare.  The Call to Action was previewed at eHealth Week 2016 in June.
Continue Reading EU Organizations Call for More Support for Cloud Computing in Healthcare

Last week, our colleague Shruti Barker published an article on the Inside Medical Devices Blog, discussing eight data security principles that companies participating in the Precision Medicine Initiative should aim to meet. The Administration’s guidance document additionally recommends a basic framework that organizations collecting, storing, and sharing patient information should adopt as current best practices.

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system. The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016.
Continue Reading UK Government Launches Cybersecurity Service For Healthcare Organizations

On March 28, HHS released new resources on risk analysis requirements under the HIPAA Security Rule.  The HIPAA Security Rule governs how electronic individually identifiable health information is maintained by covered entities and business associates.  In short, it requires covered entities and business associates to implement certain physical, administrative, and technical safeguards to protect the confidentiality and integrity of electronic protected health information (e-PHI).

A provision of the Security Rule requires covered entities and business associates to conduct a risk assessment, in which they review the safeguards currently in place and identify potential vulnerabilities in security policies, processes, and systems. To help organizations comply with this sometimes onerous requirement, HHS has released an online template that will walk users step-by-step through the questions that must be asked as part of a required risk assessment. HHS notes that the tool will help entities document the current state of their security system as well as develop proper risk remediation plans.
Continue Reading HHS Releases New Tool to Assist with HIPAA Risk Assessments

The Department of Health and Human Services (HHS) recently published an interim final rule with comment period entitled “Administrative Simplification: Adoption of Standards for Health Care Electronic Funds Transfers (EFTs) and Remittance Advice.” The rule establishes streamlined standards for the format and content of transmissions that health plans send to financial institutions when making electronic funds transfers. Health plans often initiate electronic funds transfers — each of which involves an electronic order or authorization for a financial institution to credit or debit an account — when they pay claims to health care providers.

The rule also requires the use of trace numbers to associate electronic funds transfers with related “remittance advice,” which is the term used for the notice that health plans send to health care providers explaining how much the plan is paying.  Currently, many health care providers expend considerable resources to “re-associate” related electronic funds transfers and remittance advice that are sent in separate communications.

As an interim final rule with comment period, the rule is final as of its effective date, but HHS has invited the public to provide comments by March 12, 2012. HHS could change the rule, but, in the absence of such changes, covered entities must comply with the regulation by January 1, 2014.
Continue Reading HHS Publishes Standards for Health Care Electronic Funds Transfers and Remittance Advice

Last month, the Minnesota Attorney General filed a lawsuit in federal court against Accretive Health, Inc. alleging that the company violated various provisions of HIPAA as well as Minnesota consumer privacy and protection law. Although HIPAA-covered entities have been the subject of enforcement actions by state AGs and the Department of Health and Human Services, this marks the first time that an enforcement action has been brought against a HIPAA business associate.

Accretive had partnered with two Minnesota hospitals to deliver “revenue cycle operations” services, including scheduling, registration, admissions, billing, collection and payment functions. For one of the Minnesota hospitals, Accretive also performed “care coordination” services. Because both the revenue cycle and care coordination services required the hospitals (HIPAA-covered entities) to disclose protected health information (PHI) to Accretive, Accretive qualifies as a “business associate” under HIPAA, and therefore must comply with certain HIPAA requirements or face civil or criminal penalties.
Continue Reading Minnesota AG Files First HIPAA Enforcement Action Against Business Associate

The Senate Judiciary Subcommittee on Privacy, Technology, and Law recently held a hearing to discuss federal enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, entitled “Your Health and Your Privacy: Protecting Health Information in a Digital World.” In that hearing, Subcommittee Chairman Al Franken (D-MN) told officials from the Department of Health and Human Services (HHS) and the Department of Justice (DOJ) that “the overall record of [HIPAA] enforcement is simply not satisfactory,” and asked why so few HIPAA complaints are actually prosecuted. Franken and other panelists also emphasized the need for a final rule to implement the HITECH Act’s amendments to the HIPAA Privacy and Security Rules.

Franken’s opening statement outlined the benefits of electronic health records, but emphasized that “we need to do more to protect this data and that is what this hearing is all about.”

The first panel included U.S. Attorney Loretta Lynch, who also serves on the Health Care Fraud Working Group of the Attorney General’s Advisory Committee, and Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR). Both officials underscored their agencies’ commitment to enforcing medical privacy laws through HIPAA’s Privacy and Security Rules and the new HITECH Act. Lynch testified about recent DOJ efforts to enforce HIPAA’s criminal provisions, while Rodriguez cited OCR cases against Massachusetts General Hospital and CVS/Rite Aid that led to substantial fines.
Continue Reading Senate Hearings Focus on Lack of HIPAA Enforcement, Final HITECH Rule