Recent Updates: Data Privacy & Security for Health Care Entities Summer 2022
Spring and summer have been busy seasons in the data privacy and security space. Here are some recent health updates to keep you up to speed:
- Biden Administration, OCR, and FTC Issue Guidance on Post-Dobbs Privacy Risks to Reproductive Health-Related Data. On June 29, 2022, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on the disclosure of information about reproductive services, including abortion care, under the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule. The guidance explains that any disclosure to law enforcement officials must be narrowly tailored to protect the individual's privacy and support their ability to access health services. Disclosures to law enforcement officials are permitted only when "required by law," i.e., when a mandate contained in law compels an entity to disclose protected health information (PHI) and that mandate would be enforceable in court (such as through a court order).
In July, the Federal Trade Commission (FTC) reminded businesses that process sensitive data – including reproductive health data and location data – that they should be transparent about their data collection and disclosure practices, and should limit over-collection and indefinite retention consistent with FTC requirements. Businesses that rely on "anonymization" when processing data should also confirm that their de-identification and anonymization practices meet FTC guidelines.
These are among the agencies tasked with further action to address potential threats to patient privacy pursuant to President Biden’s July 8, 2022 Executive Order.
- Pennsylvania Passes Bills to Align Mental Health and Substance Use Disorder Information Protections with Federal Law. On July 7, 2022, Pennsylvania Governor Tom Wolf signed two bills amending the state's Mental Health Procedures Act and Drug and Alcohol Abuse Control Act to align them with federal health information privacy standards. The updates to Pennsylvania's laws will enable the sharing of mental health and substance use disorder-related data that is critical for care coordination, while preserving the confidentiality protections patients are afforded under federal privacy laws. Importantly, these laws loosen the restrictions on sharing "Super Protected Data," which should lead to better care coordination and improved patient outcomes.
- New Jersey Public Defender Files Suit to Determine Scope of Police Use of Infant Blood Samples. On July 11, 2022, the New Jersey Public Defender's Office filed an open records lawsuit to determine the scope of law enforcement's use of infant blood samples collected during mandatory newborn disease screening. In 2021, New Jersey State Police subpoenaed a state laboratory to obtain a sample of an infant's blood that was collected shortly after the child's birth. The DNA in the infant's blood was then used to identify a serial rapist whose DNA, left on the scene during his crimes, matched the infant's. In the suit, the Office of the Public Defender has asked for redacted grand jury subpoenas to determine how frequently law enforcement has used this tactic, circumventing the typical requirement for law enforcement to obtain a warrant for this kind of data. The disclosure of genetic data collected for screening purposes raises questions about whether parents should have the ability to consent to these types of uses, or whether there will be a dampening effect on a parent's willingness to consent to their child's participation in future screenings.
- University Settles Breach Enforcement Action for $875,000. On July 14, 2022, OCR announced it agreed to implement a corrective action plan and settle potential HIPAA Privacy, Security, and Breach Notification rule violations with a university's Center for Health Services (the Center) for $875,000. A hacker installed malware in the Center's web server which resulted in the disclosure of nearly 280,000 individuals' electronic PHI. OCR found that the Center failed to conduct an accurate and thorough risk assessment, among other potential HIPAA violations. In addition to the monetary penalty, the Center has agreed to a corrective action plan that includes two years of monitoring by OCR.
- OCR Continues Enforcement Actions Under "Right of Access Initiative." On July 15, 2022, OCR announced the resolution of 11 additional investigations under its "Right of Access Initiative," bringing the total number of enforcement actions to 38 since the initiative began. This indicates the initiative remains very much a priority for OCR. Under HIPAA, individuals have a right to see and receive copies of their health information within 30 days of a request (absent an approved extension); failure to provide individuals with their information within that window can result in significant fines. In this latest round of enforcement actions, a not-for-profit health system consisting of 17 hospitals was fined $240,000 for failing to respond in a timely manner to an individual's request for information.
What is Coming?
In the coming quarter, we expect to see continued movement in state legislatures on comprehensive data privacy bills, as well as the beginning of the rulemaking process for states like Colorado and California, who have already passed state-level data privacy laws. We also anticipate seeing additional guidance and movement related to reproductive health records as implications of the Supreme Court’s Dobbs v. Jackson Women’s Health Organization decision continue to come to light.
We do not have a crystal ball, but here’s hoping for a Q3 development in much-anticipated HIPAA, 42 CFR Part 2, and information blocking rulemaking. We also continue to track the American Data Privacy and Protection Act as it moves its way through Congress. As always, we will keep you updated as it all unfolds.
For more information regarding these updates or other data privacy and security related questions in the health care industry, contact your Quarles & Brady attorney or:
- Meghan O’Connor: (414) 277-5423 / firstname.lastname@example.org
- Sarah Erdmann: (414) 277-5512 / email@example.com
- Kaitlyn Fydenkevez: (202) 780-2642 / firstname.lastname@example.org
- Benjamin A. Lockwood: (414) 277-5661 / email@example.com
- Apurva Dharia: (202) 780-2675 / firstname.lastname@example.org