Authors: Randi Seigel, Partner, Manatt Health | Scott T. Lashway, Partner, Privacy and Data Security | Matthew M.K. Stein, Special Counsel, Privacy and Data Security | CJ Rundell
Editor’s Note: Manatt contributed a chapter on telehealth and digital health privacy regulations to Diabetes, Digital Health and Telehealth, a new book, published by Elsevier, explaining from technological, economic and sociologic perspectives how telehealth and digital health have come to dominate the management of diabetes. The chapter is summarized below. More information on the book is available here.
What Is the Current Status of Federal and State Privacy Law?
Federal Privacy Law
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the primary federal law that protects patients’ health care data and records. HIPAA consists of the HIPAA privacy rule (Privacy Rule) and the HIPAA security rule (Security Rule). HIPAA applies to covered entities (CEs) and business associates (BAs). CEs include health care providers, health plans and health care clearinghouses; BAs are contractors of CEs that receive, maintain or disclose protected health information (PHI) on behalf of a CE.
HIPAA applies only to PHI.1 Under HIPAA, PHI means (i) information created or received by a health care provider, health plan or health care clearinghouse that relates to an individual’s health condition, the provision of health care or payment for health care services, and (ii) identifies, or could reasonably be used to identify, an individual.2
PHI does not include information provided by a consumer to a medical device or other company that is not a CE (unless the consumer is providing at the CE’s direction); notably, HIPAA does not apply directly to many consumer-based digital health applications. PHI also does not include de-identified data, which is not protected by HIPAA.3
Under the Privacy Rule, generally a CE may not use or disclose PHI unless the use or disclosure is permitted pursuant to a patient’s written authorization4 or one of the general exceptions, which include purposes of treatment, payment or health care operations. CEs may also share PHI with BAs for these purposes. BAs may use and disclose PHI only as permitted by the applicable BA agreement and in accordance with the Privacy Rule.5
The Security Rule contains more technical and administrative standards, including the following specific guidance on telehealth:
- Only authorized users should have access to electronic PHI (ePHI).
- A system of secure communication should be implemented to protect the integrity of ePHI.
- A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.
The Privacy Rule also requires that a breach of HIPAA be disclosed to the individuals who are the subject of the PHI, as well as the Secretary of the United States (U.S.) Department of Health & Human Services. A breach is the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, subject to some good faith exclusions. CEs and BAs that violate HIPAA may be subject to civil and criminal penalties.6 Data not subject to HIPAA may be subject to Section 5 of the Federal Trade Commission (FTC) Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce”.7
State Privacy Law
State privacy laws affecting digital health and telehealth have evolved significantly over the past decade. Both Illinois and Texas enacted privacy laws more than ten years ago governing how companies can collect and use biometric identifiers and what types of disclosures and consent are required.8
In 2018, California became the first U.S. state to enact a comprehensive privacy law, with the California Consumer Privacy Act (CCPA).9 That law and associated regulations, which became effective in 2020, require businesses subject to the law to provide notices to individuals, before collecting their information, about the categories of information collected as well as how it is used and disclosed, and to provide individuals with the right to find out what information a business has collected about them, to request that a business delete their information, and to opt out of permitting a business to sell their information. The law does not apply to businesses with revenue below $25 million or to nonprofit or state-run entities.
Although California’s law has been in force only since January 2020, in 2020 California voters enacted the California Privacy Rights Act, which, beginning in 2023, will substantially change how California’s privacy law operates. For example, it creates a special category of sensitive information, which includes health information and biometric identifiers, over which California residents will have additional rights. To date, the only other states to enact a comprehensive privacy law are Colorado and Virginia.
What Are Barriers to Progress in Federal and State Privacy Law?
Federal Privacy Law
There are many significant barriers to the progress of federal privacy law, including (1) political friction, (2) competing stakeholder interests, and (3) the pace of technological advancements and adoption. The friction among political parties in Congress poses a persistent hurdle to the enactment of new or revised federal privacy laws.
In addition, stakeholders affected by privacy laws have competing interests. Consumers desire convenient, immediate access to their data, but do not often consider how such accessibility creates many points of vulnerability whereby their data can be exposed. Companies that collect data desire fewer restrictions on the usage of data. These competing interests make drafting a law that satisfies most stakeholders difficult. Further, the pace of technological advancements and adoption requires that legislators contemplate how to draft new federal privacy law in such a way that it accounts for and applies to current and future technologies, data use and sharing.
State Privacy Law
To date, a large stumbling block for passage of comprehensive state privacy laws appears to be whether to permit individuals to sue for violation of the laws. States that may want to enact privacy protections struggle with balancing consumer/patient rights and opening the floodgates to civil lawsuits.
In addition, state legislatures are now faced with four models of state privacy laws from which to choose: the California model, the European Union model, a blend of the two and a different European Union-like model adopted by the Uniform Law Commission in July 2021. Deciding between those different models, or upon a wholly different approach, will require negotiation and agreement among local stakeholders.
Finally, another potential barrier is whether the federal government ultimately enacts a comprehensive privacy law and how much of state privacy law it preempts. Understanding what federal law may emerge, and the scope of its preemption, is likely to shape states’ adoption of their own comprehensive privacy laws.
What Is the Future of Federal and State Privacy Law?
We do not anticipate the adoption of any new federal privacy and security law in the near term. Therefore, we anticipate that states will continue to be at the forefront of privacy law adoption.
In addition, we may see movement toward self-regulation by the digital health industry. For instance, we could see third-party accreditation and certification emerge, which may include an application or testing fee and ongoing attestation and/or monitoring of compliance.
In conclusion, the pace of advancement in digital health requires significant reform of current federal and state privacy laws. HIPAA does not regulate many digital health technologies, and many states do not have comprehensive privacy laws. The state privacy laws that do exist are varied and difficult to navigate for multistate providers. However, there are many barriers to reform. As a result, the responsibilities fall on health providers, technology service providers and patients to ensure data remains private and protected when new technologies are adopted.
References
1 45 C.F.R. § 164.500(a).
2 45 C.F.R. § 160.103. There are 18 identifiers.
3 De-identified data requires application of an expert-validated methodology or the removal of at least the 18 unique identifiers. 45 C.F.R. § 164.502(d)(2). De-identified data can be at an individual level or an aggregate level. There are two ways to show that data is de-identified. First, under the “safe harbor” method, if an entity strips the 18 unique identifiers from a data set, the data is considered de-identified. 45 C.F.R. § 164.514(b)(2)(i). Alternatively, under the “expert identification” method, a “person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” must “determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information” and document such analysis. 45 C.F.R. § 164.514(b)(1).
4 A CE or BA generally can disclose PHI to anyone—regardless of whether the recipient is a HIPAA CE or BA—so long as the patient signs an authorization that meets particular requirements. In order to comply with HIPAA, an authorization must include, among other things, a description of the PHI that may be disclosed, the source(s) of the PHI, the recipient(s) of the PHI, and an expiration date or event. HIPAA rules are fairly flexible in terms of how these requirements must be implemented. For example, the specific name of the source(s) and recipient(s) of the PHI need not be included in the form; instead, a “class of persons” can be listed on the form. Similarly, while a form must include an expiration date or event, that date or event can occur well into the future. HIPAA also prohibits the use of “compound authorizations,” that is, combining into one document an authorization form with another form that a patient is asked to sign, such as a consent to treatment.
5 Psychotherapy notes are treated differently than PHI under HIPAA and may not be used or disclosed without a patient’s authorization. 45 C.F.R. § 164.508(2)(a)(2). “Psychotherapy notes” means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and that are separated from the rest of the individual’s medical record. Excluded from the definition of “psychotherapy notes” are medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date. 45 C.F.R. § 164.501. Notes that are entered into and kept in an electronic record system are not considered psychotherapy notes for HIPAA purposes.
6 HITECH § 13410(d); 45 C.F.R. §§ 160.404, 160.401; 45 C.F.R. Part 102; 85 Fed. Reg. 2869 (January 17, 2020).
7 15 U.S.C. § 45(a).
8 740 Ill. Comp. Stat. 14/1 et seq.; Tex. Bus. & Com. Code § 503.001.
9 Cal. Civ. Code § 1798.100 et seq.