Telehealth and Digital Health Privacy Regulations | Manatt, Phelps & Phillips Law Firm

Editor’s Note: Manatt has contributed a chapter on telemedicine and digital health privacy regulations to Diabetes Digital Health and Telehealth, a new book published by Elsevier that explains how telemedicine and digital medicine have come to dominate diabetes management from a technical, economic and sociological perspective. The chapter’s key points are summarized below. Find out more about the book here.

What is the current state of federal and state privacy laws?

Federal privacy law

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the primary federal law that protects patient health data and records. The HIPAA regulations most relevant here are the HIPAA Privacy Rule and the HIPAA Security Rule. HIPAA applies to Covered Entities (CEs) and Business Associates (BAs). CEs include healthcare providers, health plans and healthcare clearinghouses. A BA is a contractor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a CE.

HIPAA applies only to PHI.1 Under HIPAA, PHI is information that (i) is created or received by a healthcare provider, health plan, or healthcare clearinghouse and relates to an individual’s health condition, the provision of healthcare, or payment for healthcare services, and (ii) identifies the individual, or could reasonably be used to identify the individual.2

PHI does not include information that consumers provide to medical device makers or other companies that are not CEs (unless consumers provide it at a CE’s direction). Notably, this means HIPAA does not directly apply to many consumer-facing digital health applications. PHI also does not include de-identified data, which is not protected by HIPAA.3
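The “safe harbor” de-identification method referred to above (and described in footnote 3) is mechanical enough to express in code: the 18 identifier categories are removed, and dates, ages and ZIP codes are coarsened rather than dropped. The following Python is an added example, not code from Manatt or from the book. The record layout, the field names, and the sample set of restricted three-digit ZIP areas are assumptions made for illustration, and the patient record is constructed; it is not a compliance tool.

```python
"""Safe-harbor de-identification of a patient record, 45 C.F.R. 164.514(b)(2).

Added example: not Manatt's code and not a compliance tool. The record layout,
helper names and RESTRICTED_ZIP3 contents are assumptions for this example.
"""
import re
from datetime import date

# Field names (assumed layout) that fall into the 18 safe-harbor identifier
# categories and are removed outright. The 18th category, "any other unique
# identifying number, characteristic, or code", is covered by mrn/account ids.
DROP_FIELDS = {
    "name", "street_address", "city", "county", "precinct",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric_id", "photo",
}

# Date fields: safe harbor allows only the year to survive.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Illustrative sample only (assumption): three-digit ZIP prefixes whose
# combined population is 20,000 or fewer must be replaced with "000".
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def coarsen_date(value: str) -> str:
    """Keep only the year; every other date element is an identifier."""
    m = DATE_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised date format: {value!r}")
    return m.group(1)


def coarsen_age(age: int) -> str:
    """Ages over 89 must be aggregated into a single '90 or older' bucket."""
    return "90+" if age >= 90 else str(age)


def coarsen_zip(zip_code: str) -> str:
    """Keep the first three digits unless that area is too sparsely populated."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new dict with safe-harbor identifiers removed or coarsened.

    This is only the mechanical half of safe harbor: the rule also requires
    that the entity has no actual knowledge that the remaining data could
    identify the patient, which no code can check for you.
    """
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # identifier category: removed entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = coarsen_date(value)
        elif key == "zip":
            out["zip3"] = coarsen_zip(value)
        elif key == "age":
            out["age"] = coarsen_age(int(value))
        else:
            out[key] = value  # clinical data (diagnosis, labs, ...) is retained
    if "dob" in record:
        # Recompute age from the full birth date so the over-89 rule is applied
        # consistently: for such patients even the birth year must go, because
        # it is a "date element indicative of such age".
        dob = date.fromisoformat(record["dob"])
        age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
        if age >= 90:
            out.pop("dob_year", None)
        out["age"] = coarsen_age(age)
    return out


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Q. Patient",
    "mrn": "MRN-0012345",
    "email": "jane@example.com",
    "dob": "1931-05-14",
    "zip": "03601",
    "admit_date": "2023-02-03",
    "diagnosis": "E11.9",
    "a1c": 7.8,
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2023, 2, 3)))
```

For the constructed record the patient is 91, so both the birth year and the full birth date disappear and the age becomes “90+”; the ZIP prefix 036 is in the restricted set and collapses to 000, while the admission date keeps only its year and the clinical fields pass through untouched. A real deployment would replace the illustrative ZIP set with the current census-derived list and would still need the expert-determination route for datasets where safe harbor removes too much to be useful.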

Under the Privacy Rule, a CE generally cannot use or disclose PHI unless the use or disclosure is permitted pursuant to the patient’s written authorization4 or falls within one of the general exceptions, including for purposes of treatment, payment, or healthcare operations. CEs may also share PHI with BAs for these purposes. A BA may use and disclose PHI only as permitted in the applicable BA Agreement and in accordance with the Privacy Rule.5

The Security Rule contains more technical and administrative standards, including the following, which are particularly relevant to telemedicine:

  • Only authorized users may have access to electronic PHI (ePHI).
  • A secure communication system must be implemented to protect the integrity of ePHI in transit.
  • Systems to monitor communications involving ePHI must be implemented to detect and prevent accidental or malicious breaches.

HIPAA also requires notification of breaches of PHI to the affected individuals and to the United States (US) Secretary of Health and Human Services. A breach is any acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. CEs and BAs that violate HIPAA may be subject to civil and criminal penalties.6 Data not subject to HIPAA may be subject to Section 5 of the Federal Trade Commission (FTC) Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”7

State privacy laws

State privacy laws affecting digital health and telehealth have evolved significantly over the past decade. Illinois and Texas each enacted laws more than a decade ago that govern how businesses collect and use biometric identifiers and what types of disclosures and consents are required.8

In 2018, California became the first U.S. state to enact comprehensive privacy legislation with the California Consumer Privacy Act (CCPA).9 That law and its implementing regulations, which came into force in 2020, require covered businesses to notify individuals, before collecting information, of the categories of information collected and how it is used and disclosed, and to give individuals the right to review the information the business has collected about them, the right to request that the business delete it, and the right to opt out of the business selling it. The law generally does not apply to businesses whose annual revenue is below $25 million and that do not meet its other thresholds, or to nonprofits or government entities.

The CCPA has been in effect since January 2020, but in November 2020 California voters enacted the California Privacy Rights Act (CPRA). Beginning in 2023, the CPRA significantly changes how California’s privacy law operates. For example, it creates a special category of sensitive personal information, including health information and biometric identifiers, and gives California residents additional rights over it. Currently, Colorado and Virginia are the only other states with comprehensive privacy laws.

What are the barriers to advancing federal and state privacy laws?

Federal privacy law

There are several significant barriers to advancing federal privacy law, including (1) political friction, (2) competing stakeholder interests, and (3) the pace of technological advances and their adoption. Friction between the political parties in Congress is a persistent obstacle to enacting new or revised federal privacy laws.

In addition, the stakeholders affected by privacy laws have competing interests. Consumers want convenient and immediate access to their data, but give little thought to how that accessibility creates vulnerabilities through which the data can be exposed. The companies that collect the data want looser restrictions on how it may be used. These competing interests make it difficult to draft legislation that satisfies most stakeholders. Finally, the pace of technological advances and adoption requires legislators to consider how to draft a federal privacy law that accounts for both current and future technology, data use and data sharing.

State privacy laws

To date, the major stumbling block to passing comprehensive state privacy laws appears to be whether to allow individuals to sue for violations of the law (a private right of action). States that want to enact privacy protections struggle to balance consumer and patient rights against the risk of opening the floodgates to civil litigation.

Additionally, state legislatures now have four models of state privacy legislation to choose from: the California model, the European Union model, a hybrid of the two, and another EU-like model adopted by the Uniform Law Commission in July 2021. Deciding among these models, which take very different approaches, will require negotiation and consensus among local stakeholders.

Finally, another potential barrier is uncertainty over whether the federal government will eventually enact a comprehensive privacy law and, if so, how far it will preempt state privacy laws. Understanding what federal law could emerge and the extent of its preemption could shape whether and how states adopt their own comprehensive privacy laws.

What is the Future of Federal and State Privacy Laws?

We do not anticipate the adoption of a new federal privacy and security law in the near future. Therefore, states are expected to remain at the forefront of adopting privacy laws.

We may also see a move toward self-regulation by the digital health industry. For example, third-party certifications and accreditations may emerge. These may involve application or testing fees and ongoing certification and/or compliance monitoring.

In conclusion, the pace of digital health advancement calls for significant reform of current federal and state privacy laws. HIPAA does not regulate many digital health technologies, and many states do not have comprehensive privacy laws. The state privacy laws that do exist vary and are difficult for multistate providers to navigate. However, there are many barriers to reform. As a result, healthcare providers, technology service providers, and patients all bear responsibility for ensuring that data remains private and protected as new technologies are adopted.


1 45 C.F.R. § 164.500(a).

2 45 C.F.R. § 160.103. There are 18 identifiers.

3 Data is de-identified only if an expert-determination methodology has been applied or the 18 specified identifiers have been removed. 45 C.F.R. § 164.502(d)(2). De-identified data may be at the individual or aggregate level. There are two ways to establish that data has been de-identified. First, under the “safe harbor” method, data is considered de-identified if the entity strips the 18 specified identifiers from the dataset and has no actual knowledge that the remaining information could be used to identify the individual. 45 C.F.R. § 164.514(b)(2). Alternatively, under the “expert determination” method, “a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” must determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify the individual, and must document the methods and results of that analysis. 45 C.F.R. § 164.514(b)(1).

4 A CE or BA can generally disclose PHI to anyone, regardless of whether the recipient is a HIPAA CE or BA, so long as the patient signs an authorization that meets certain requirements. To be HIPAA compliant, the authorization must include, among other elements, a description of the PHI, the source of the PHI, the recipient of the PHI, and an expiration date or event for the disclosure. The HIPAA rules are fairly flexible about how these requirements are implemented. For example, the form need not name the specific sender and recipient of the PHI; it may instead identify a “class of persons.” Similarly, the form must include an expiration date or event, but that date or event may lie well in the future. HIPAA does, however, generally prohibit “compound authorizations,” that is, combining an authorization form with another form that the patient is required to sign, such as a consent to treatment, into one document.

5 Psychotherapy notes are treated differently under HIPAA from other PHI and generally may not be used or disclosed without the patient’s authorization. 45 C.F.R. § 164.508(a)(2). “Psychotherapy notes” means notes recorded by a mental health professional that document or analyze the contents of conversation during a private counseling session or a group, joint, or family counseling session, and that are kept separate from the rest of the individual’s medical record. Excluded from the definition of “psychotherapy notes” are medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. 45 C.F.R. § 164.501. Notes that are entered into and stored within the general electronic health record, rather than kept separately, are not psychotherapy notes for HIPAA purposes.

6 HITECH Act § 13410(d); 45 C.F.R. §§ 160.401, 160.404; 45 C.F.R. Part 102; 85 Fed. Reg. 2869 (Jan. 17, 2020).

7 15 U.S.C. § 45(a).

8 740 Ill. Comp. Stat. 14/1 et seq.; Tex. Bus. & Com. Code § 503.001.

9 Cal. Civ. Code § 1798.100 et seq.
