ARTICLE
4 July 2025

Hot Topics In HIPAA

Sheppard Mullin Richter & Hampton


Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

Five Quick Fixes for Compliance

1. Modernize Your NPP

THE ISSUE

As public-facing representations, inaccurate Notices of Privacy Practices ("NPP") can provide a basis for deceptive or unfair trade practices or unfair competition claims, including under the FTC Act. In fact, class actions and enforcement actions are on the rise, many of which cite representations in NPPs as grounds for substantial damages, with recent judgments and settlements ranging into the millions of dollars.

THE FIX

Review your organization's NPP to ensure it is consistent with your organization's current operations as well as with recent laws and regulations.

2. Sanitize Your Social Media

THE ISSUE

HIPAA generally prohibits use and disclosure of health information on social media without the patient's consent. Issues may arise where a regulated party posts pictures or testimonials which identify patients, or where regulated parties respond to patient reviews. Even something as seemingly innocuous as acknowledging a patient review or thanking a patient for his/her review, without more, could constitute a violation of HIPAA.

THE FIX

Review your organization's social media accounts to identify patient engagement which may violate HIPAA. Consider removing all explicit patient interactions unless patient consent is clearly documented, as well as implementing policies and procedures to govern use of social media across an organization.

3. Check Your Website for Trackers

THE ISSUE

Tracking technologies, such as analytics tools and pixels, often prove tremendously helpful by providing insight as to user traffic, interest, and engagement. These technologies have been accompanied by a sharp increase in class action lawsuits and regulatory enforcement actions specifically targeting use of third-party tracking technologies on healthcare websites.

THE FIX

Check your organization's website to identify use of tracking technologies. If such technologies are detected, take steps to ensure that you have implemented the appropriate compliance measures as well as that use of such technologies is consistent with your organization's posted privacy policies. Consider disabling such technologies until all necessary compliance measures are in place.

4. Feed Your AI Good Data

THE ISSUE

AI is data hungry. This is particularly true as AI is ordinarily trained on large pools of data. It is vital that your organization ensures that it maintains the appropriate rights and licenses to use data, including patient data, which is derived from third parties.

THE FIX

Review your organization's use of AI to determine whether it is processing health information. Consider adopting policies and procedures which limit use of AI tools to process health information without appropriate approvals and controls.

5. Secure Your Texts and Emails

THE ISSUE

HIPAA requires regulated parties to safeguard health information, including when communicating with patients. HIPAA generally prohibits communicating health information through unsecure means, which can include text messages and emails, so doing so could trigger a HIPAA violation. Beyond HIPAA, texting and emailing can implicate other authorities, such as the TCPA and CAN-SPAM Act.

THE FIX

The safest tactic is to ask patients for consent to text or email communications. In addition, take steps to reduce security-related risks, such as by verifying the patient's number or email to ensure accuracy while also limiting the content of messages to non-sensitive matters.

DEEPER DIVE

There have been several notable changes to HIPAA and related privacy laws in recent years, including most significantly:

  • Privacy Challenges for Artificial Intelligence
  • Additional Protections of PHI Regarding Reproductive Health Care
  • Recognizing Your Data as an Asset
  • Health Care Needs More Hackers
  • Emerging Issues in Offshoring
  • Alignment of HIPAA and Part 2
  • Use of Tracking Technologies
  • Proposed Rule Overhauling the Security Rule

In the following pages, we take a deeper dive into each of these changes to highlight what you and your organization need to know to remain compliant.

Introduction to HIPAA

The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the regulations promulgated thereunder (collectively "HIPAA") is a federal privacy law which regulates use and disclosure of protected health information ("PHI"). PHI generally includes: (i) individually identifiable health information that is (ii) created or received by a provider or plan that (iii) relates to health care or payment for health care, which is (iv) maintained or transmitted in any form. Significantly, PHI is generally limited to information about health care or payment for health care, and does not ordinarily include employee information or commercially sensitive information such as trade secrets or intellectual property.

Notably, HIPAA only applies to: (i) "covered entities," which are healthcare providers that perform certain standard transactions electronically (e.g., insurance eligibility transactions, submission of claims, etc.), health plans, and healthcare clearinghouses; and (ii) "business associates," which are persons or entities that perform certain functions or activities that involve use or disclosure of PHI on behalf of, or provide services to, a covered entity or an upstream business associate. It is important to note that although HIPAA only applies to certain regulated parties, state medical privacy laws remain an important consideration as they can apply to a broader range of situations.

HIPAA comprises three primary parts:

Privacy Rule - Regulates use and disclosure of PHI by regulated parties and requires implementation of certain measures, such as policies, procedures, and Notices of Privacy Practices, as well as execution of Business Associate Agreements, among others. See 45 CFR § 164.500 et seq.

Security Rule - Requires regulated parties to adopt administrative, technical, and physical safeguards to protect the security of electronic PHI (also known as "ePHI"). See 45 CFR § 164.300 et seq.

Breach Notification Rule - Requires regulated parties to notify individuals, certain agencies, and the media of breaches of unsecured PHI. See 45 CFR § 164.400 et seq.

Compliance with each of HIPAA's three parts is critical for regulated parties. Failure to comply with HIPAA may result in civil and criminal penalties, as well as significant costs associated with furnishing required notifications, credit monitoring, corrective action plans, and litigation expenses.

Privacy Challenges for Artificial Intelligence

Developments in artificial intelligence ("AI") are transforming day-to-day life, and the healthcare industry is no exception. AI's future in health care is bright with promise, as we expect it to drive efficiencies in operations by supplementing professionals. Such supplementation can take different forms. For example, AI can be used to identify abnormalities or areas of concern in radiology reports, which a provider can then use as a reference. Similarly, AI also has tremendous potential in remote monitoring and elsewhere in the healthcare space. Interestingly, AI can also work to address provider burnout by automating certain clerical and administrative tasks and allowing providers to focus on patient care.

Despite the promised benefits of AI, adoption and use of such technologies presents a number of compliance challenges. Chief among such challenges stands HIPAA and other privacy-related authorities. In particular, AI is data hungry. This is particularly true as AI is ordinarily trained on large pools of data to refine the AI to more closely mimic human behavior and decision-making patterns.

Organizations operating in the healthcare space will need to ensure that they have the appropriate rights and licenses to use data, including patient data, which is derived from third parties. Of particular interest, some AI tools may use the data they process to train the underlying AI technology, even without the user's awareness. It is imperative that parties review terms of use, privacy policies, and other contractual provisions carefully to assess how data may be used as well as to ensure that they have secured the appropriate consents.

Separately, healthcare organizations will need to ensure that any use of data in connection with AI conforms to applicable privacy laws. This is critical, as such laws often prohibit commercialization of information or otherwise prohibit use of information for product development without patient consent, notice, or some measure of anonymization. In fact, parties leveraging the latest AI tools may not realize that the tools are using health information for training purposes, which may trail into commercialization.

Quick Compliance Tips

  • Assess your organization's use of AI at both the enterprise and workforce member levels. Even if you do not expect that AI is being used, it likely is at the workforce member level!
  • Consider whether vendors providing AI solutions are using your organization's data to improve their products.
  • Adopt policies and procedures providing guidelines for responsible use of AI and which specifically address use of personal information.
  • Organize a committee or other team to oversee adoption, use, and development of AI.

The State of Reproductive Healthcare Privacy

Since the Dobbs v. Jackson Women's Health Organization decision (which overturned the landmark Roe v. Wade decision), the healthcare industry has continued to grapple with renewed concerns over patient privacy and reproductive health care. Legislators and regulators have not been idle, establishing a patchwork of authorities which require careful navigation and consideration.

Federal Treatment of Reproductive Healthcare Privacy

In April of 2024, the Office of Civil Rights ("OCR") issued a Final Rule (the "Reproductive Final Rule") to expand HIPAA's protections around reproductive health privacy. Under the Reproductive Final Rule, the use or disclosure of PHI was prohibited where such use or disclosure was for the purpose of a criminal, civil, or administrative investigation into, or proceeding against, any person seeking, obtaining, providing, or facilitating lawful reproductive health care. Similarly, the Reproductive Final Rule also prohibited use or disclosure of PHI to impose criminal, civil, or administrative liability on any person for seeking, obtaining, providing, or facilitating reproductive health care.

State Treatment of Reproductive Healthcare Privacy

Several states have taken steps to protect healthcare providers, patients, and others involved in reproductive health care. Although state laws vary across jurisdictions, generally they limit (or outright prohibit) the disclosure of information related to reproductive health care that was lawfully received by a patient and furnished by a healthcare provider. For example:

  • California amended its Confidentiality of Medical Information Act to prohibit disclosure of medical information related to an individual seeking or obtaining an abortion in response to a subpoena or even to law enforcement for purposes of enforcing a state's laws that interfere with the patient's rights under the Reproductive Privacy Act, among other prohibitions. Cal. Civ. Code § 56.108.
  • In November 2024, New York voters approved Proposition One, which amended the New York State Constitution to explicitly protect against discrimination based on reproductive healthcare decisions and to recognize reproductive autonomy as a fundamental right in New York. Furthermore, certain New York clerks have refused to enforce out-of-state judgments penalizing providers for offering legal reproductive services by citing New York's Shield Law (a collection of statutes which are broadly intended to provide certain protections for providers and patients furnishing or receiving reproductive or gender affirming care).

With individual states adopting their own unique approaches to reproductive health privacy, regulated parties must now navigate a web of authorities in an already sensitive environment.

Conclusion

The world of reproductive healthcare privacy remains increasingly complex due to competing federal and state interests, a shifting political landscape, as well as evolving technologies and delivery methods. While the Reproductive Final Rule faces an uncertain future, state laws and consumer privacy regulations are filling the gap by creating an overlapping and sometimes conflicting patchwork of legal authorities. It is important for healthcare providers, insurers, and digital health platforms to ensure compliance with both federal requirements and state-level regulations, to take proactive steps to establish clear policies on data sharing and privacy audits, and to engage in strategic communication with legal counsel.

Quick Compliance Tips

  • Implement policies and procedures to address use and disclosure of reproductive healthcare information consistent with applicable authorities.
  • Update your organization's Notice of Privacy Practices and privacy policy to address use and disclosure of reproductive health information.

Recognizing Your Data as an Asset

Data has emerged as a valuable modern-day asset. While many industries have found data management to be a key factor in business revenue streams and strategy, the healthcare industry has generally hesitated to transition from a traditional data protection role to one that proactively maximizes the potential of data. This is especially true in the context of personally identifiable information and protected health information (collectively "PII"). In recognizing the value of data, Data Programs are intended to formally ensure that certain data, including PII, can be tapped as an asset as well as to operationalize steps to maximize its value in a manner consistent with applicable laws, contracts, and ethical standards. This presents unique opportunities and challenges, and can be a key factor in how an organization maintains a competitive edge and how the public regards its level of corporate citizenship.

There is no such thing as a one-size-fits-all Data Program. Organizations collect and receive different forms of data through unique arrangements and from varying sources, and each has customized operational goals and safeguards. In addition, different authorities may apply, each of which will dictate how PII may be monetized. In particular, federal and state laws, internal policies, and third-party contracts govern what parties may permissibly do with PII. A good Data Program provides protective guardrails to avoid running afoul of applicable prohibitions related to selling, sharing, or using data. Within those guardrails, there are a number of mechanisms and venues where data may be used as a tangible asset, such as:

Data Sale - Configure data in a manner that allows for direct sale to third parties, resulting in a revenue stream of cash or other consideration (to support organizational initiatives/mission). For example, PII may need to be de-identified, including through the growing use of HIPAA Expert Determination methodology and the use of third parties to assist with the HIPAA Safe Harbor methodology. Notably, third-party vendors are often engaged to facilitate the processing component of reconfiguring PII for use.

Data Leasing and Licensing - Data sets can be leased for a fixed term or for a limited purpose with mandatory destruction/return. Such an approach allows an organization to retain full ownership and rights to data and ensures the dataset value does not depreciate due to copies maintained by a third party in perpetuity.

Data Derivative Rights - Secure data rights to de-identified, derived, and residual data where data could be enriched, reconfigured, or otherwise "cleaned" by third parties for purposes outside of an organization's enterprise. Due to the growth of AI and machine learning, algorithms and software built on derivative PII are becoming commonplace and, in some cases, valuable. A Data Program may contemplate how to ensure an organization maintains a stake in any profitable by-product generated by any part of data sourced by the organization.

