By Nathaniel M. Lacktman and Kelly A. Thompson
Health Care Law Today
The use of new technologies such as digital health applications, telemedicine and information exchanges can provide game-changing benefits for providers and patients alike.
But with increased sharing comes increased risks to both the security and the privacy of patient information. Most digital health and telemedicine companies are aware of data security and breaches. However, an arguably more important compliance area is the intentional sharing of protected health information — or PHI — with third parties, whether for data mining, research or marketing purposes.
Because data sharing and data mining will only continue to grow across the health care industry, providers and vendors must understand when and how they can share PHI, including monetization opportunities, and when they must obtain the patient’s express authorization.
This article highlights some key privacy laws and rules that digital health and telemedicine companies should consider before sharing, mining or monetizing patient health information.
Data sharing and mining
The uncertainty surrounding big data opportunities can leave companies either unnecessarily fearful of sharing the PHI of their patients or, conversely, overly lax and eager to share PHI.
Data mining, which allows providers to discover patterns and extract connections by examining large data sets, can benefit patients as a whole because it makes certain services more precise and powerful.
Consider, for example, how genetic counseling becomes more effective when more data is mined from patients with diseases and chronic illnesses. A recent report by the Healthcare Financial Management Association and Humana showed 70 percent of providers believed seamless health data sharing was essential to success under value-based care models. Similarly, a Pew Research survey found that while Americans were sensitive about maintaining their personal information, 52 percent would find health care data sharing acceptable.
Interoperability of shared data is one of the most important aspects of this industry trend.
Even Bruce Greenstein, chief technology officer of the federal Department of Health and Human Services, pledged to share more health data between federal departments and with the public during a talk at the 2018 conference of the Healthcare Information and Management Systems Society last month in Las Vegas.
“The American people own the data that is in HHS, not a bureaucrat that has been there for 20 years and thinks that they have the control because other people might misuse it,” he said. “People outside of our building will do much better things with it than we are doing with it alone right now.”
Data sharing must be done in a meaningful, cohesive manner. Shared data must be readable, usable and available to other providers. As data sharing becomes more accepted throughout the health care industry, companies must take steps to ensure their data sharing complies with state and federal regulations that protect patient privacy and the choice not to share PHI.
Mining, sharing under HIPAA
The Health Insurance Portability and Accountability Act is a federal law that governs the use and disclosure of PHI by covered entities, defined as health plans, health care clearinghouses, and health care providers that electronically transmit PHI.
The general rule is that PHI cannot be disclosed without the patient’s authorization. However, certain uses and disclosures of PHI for treatment, payment and health care operations, or TPO, do not require patient authorization if the TPO conditions under HIPAA are met.
Fortunately, many data-sharing arrangements can be structured to meet the TPO exception and therefore would not require the patient’s authorization. Even if a provider shares PHI under the TPO exception, it must still comply with minimum necessary disclosure requirements, agreed-upon patient restrictions to the use and disclosure of PHI, and other state laws that may be more stringent in how providers can share patient data.
Monetizing health data
As with many things, the rules get more complex — and restrictive — when money gets involved.
If PHI is shared (or even used) in exchange for remuneration or for marketing purposes, additional requirements must be met. This sometimes includes the requirement that the provider obtain the patient’s express authorization to use or share the data, even if the disclosure would otherwise have met the TPO exception.
For example, if the covered entity receives payment for sharing or using the data, that disclosure no longer meets the TPO exception (e.g., a third-party vendor wants to pay the provider to send an email blast to a select group of the provider’s patients). In that case, the covered entity must obtain a valid patient authorization that specifically states the disclosure will result in remuneration to the covered entity.
A practice pointer regarding authorizations: An authorization is not the same thing as patient consent. An authorization is a detailed document that gives covered entities permission to use PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual.
A valid authorization must specify a number of elements, including a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date or event, and, in some cases, the purpose for which the information may be used or disclosed.
With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.
Data sharing in research
HIPAA contains specific rules related to the use and disclosure of patient data for research or clinical trials.
For example, if PHI is used for research or clinical trials, providers must do one of the following: obtain a waiver of authorization from an institutional review board or privacy board, obtain an authorization from the individual to create a research repository, use the PHI through the collection and use of a limited data set, or use the PHI through the collection and use of de-identified information.
Data is de-identified by removing individually identifiable health information from patient information, leaving no reasonable basis to believe that the de-identified information can be used to identify an individual.
Under HIPAA, de-identified information is not considered PHI and is therefore not subject to HIPAA’s privacy regulations.
However, de-identification of data is not a turnkey solution to privacy and security compliance, and there are use cases and applications when it is beneficial to use the complete PHI data set.
What if I’m not a covered entity?
Not all digital health or telemedicine companies are covered entities under HIPAA. But even if HIPAA does not apply, state law still applies and can cover a broader range of information than PHI alone.
In addition to patient privacy protections under federal law, it is important to be aware of state law restrictions, which are often more broad, nuanced and stringent than the requirements under HIPAA. Federal and state privacy laws must be read together in harmony, applying the most stringent provisions from each in the event of a conflict.
Additionally, there may be unique requirements related to patient authorizations, including reduced notification timelines. There may be other nuances such as California’s 14-point font requirement.
Moreover, the nature of the clinical records affects the applicable privacy and security laws. Mental health treatment records, substance abuse records, and HIV diagnoses are typically considered ultra-sensitive records that require providers to take additional actions to maintain their privacy.
For these reasons, many digital health and telehealth companies voluntarily choose to follow the HIPAA guidelines, even if they are not formally a covered entity.
Cyberattacks vs. deliberate privacy violations
Most cybersecurity experts concur that no company’s data security is absolutely impenetrable. Addressing ransomware and hack-based breaches, including developing a cybersecurity incident response plan, has become part of doing business in the health care industry. These are essential compliance considerations.
Though big data breaches make the headlines, and sometimes result in government settlements, the public can be forgiving, particularly if the data breach was a cyberattack not attributable to the provider’s carelessness.
In contrast, there has yet to be a notable settlement by the HHS Office for Civil Rights (OCR) based on a covered entity sharing or selling PHI to a third party without first obtaining proper patient authorization. When such an event occurs, the public may be less likely to forgive and forget, as the company made a deliberate decision to sell patient data without authorization and was not the victim of a cyberattack.
The White House’s FY 2019 proposed budget cut OCR funding by approximately 20 percent compared to last year, which left some uncertainty as to the level of enforcement actions. (Congress ultimately did not follow those proposed budget cuts for OCR.)
Protection of patient privacy is not only important to the federal government; it is important to many patients who feel they should own and control their health data.
Outside OCR, the FTC has issued fines and settlements against online health companies for improper online privacy practices based on the notion that they are “unfair and deceptive acts or practices.” The two primary concerns in this niche are: 1) truthful advertising of the health app’s capabilities, and 2) transparent privacy practices regarding user data.
Fortunately, the FTC has published a number of helpful resources for health technology companies, including “Best Practices for Mobile Health App Developers,” “Marketing Your Mobile App,” and the “Mobile Health Apps Interactive Tool.”
The opportunity for big data to drive transformative health care solutions is evident, but the challenges in achieving that opportunity — whether technical, institutional, operational or legal — are complex. The regulatory landscape, which seeks to limit the misuse of confidential health information and protect legitimate privacy and security concerns, must be navigated by those digital health or telemedicine companies seeking to mine or monetize health care data.
This article was originally published in Telemedicine Magazine and on Foley & Lardner’s blog, Health Care Law Today. Nathaniel M. Lacktman, a partner at Foley & Lardner, is chairman of the firm’s telemedicine industry team and co-chair of the digital health work group. Kelly A. Thompson, a health care business lawyer, is an associate at Foley.