In an effort to reduce barriers to coordination of care, the U.S. Department of Health and Human Services (“HHS”) is considering changes to Federal restrictions on the sharing of substance use disorder (“SUD”) records. The proposed changes would modify 42 C.F.R. Part 2 (“Part 2”) regulations that place restrictive conditions on the disclosure of SUD patient records—limitations that go above and beyond Health Insurance Portability and Accountability Act (“HIPAA”) restrictions.
The barriers imposed by these rules—which have been in place since the 1970s—have become the focus of particular attention in light of the opioid crisis, as members of Congress and other stakeholders have raised concerns about how the Part 2 statute and implementing regulations may inhibit efforts to respond and coordinate care. Members of Congress have called for reform, but have been unsuccessful at seeking legislative fixes thus far.
*This article was first published by the American Bar Association Infrastructure and Regulated Industries in Summer 2019.
Every year, as the calendar turns to June, the legal community looks to the Supreme Court. Eager to get to the Term’s end, the Justices rush to complete all of the outstanding opinions. Since the most difficult and important cases usually take the longest to work out, they are typically the stragglers. June is thus the time when the “blockbuster” opinions are issued—the cases that law professors analyze in their tenure pieces and that law school students study, quite possibly for years to come.
New Annual HIPAA Penalty Tiers
Six months after imposing the largest ever HIPAA fine ($16 million) following a HIPAA data breach, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) has announced that it is exercising its enforcement discretion to lower maximum annual HIPAA penalties.
On January 28, 2019, the Healthcare and Public Health Sector Coordinating Council released the “Medical Device and Health IT Joint Security Plan” (“JSP” or “Plan”)—cybersecurity recommendations for medical device manufacturers, healthcare information technology vendors, and healthcare providers. U.S. Government entities, including the FDA, participated in the development of the Plan. The JSP comes close on the heels of the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a similar effort by a public-private partnership to provide cybersecurity guidance to healthcare industry stakeholders. (more…)
On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released a four-volume cybersecurity guidance document for healthcare organizations. The publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), is the result of a government and industry collaboration mandated by the Cybersecurity Act of 2015. The HICP is not limited to individually identifiable health information but instead covers organizations’ enterprise-level information security more generally. HHS describes the publication as “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes.” Notwithstanding their voluntary nature, these HHS-backed cybersecurity recommendations are likely to serve as an important reference point for the industry. (more…)
On December 14, 2018, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published in the Federal Register a request for information (RFI) titled “Modifying HIPAA Rules to Improve Coordinated Care.” The RFI seeks public input on a broad range of potential reforms to Health Insurance Portability and Accountability Act (HIPAA) regulations with a focus on enhancing care coordination. Though only a preliminary step on the path to potential regulatory reform, the RFI’s scope is significant, as is the opportunity it affords stakeholders interested in sharing early input as HHS considers reforms to key health information privacy requirements. (more…)
The Administration is preparing to release a Request for Information (“RFI”) on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) rules. The draft RFI was recently submitted by the Department of Health and Human Services (“HHS”) to the White House’s Office of Management and Budget (“OMB”) for pre-release review.
Rapid advances in automation have the potential to disrupt a number of sectors, perhaps none more so than the automobile industry. The U.S. Department of Transportation (DOT) has accordingly announced its intention to take “active steps to prepare for the future by engaging with new technologies to ensure safety without hampering innovation.” Most recently, on October 4, 2018, DOT issued Preparing for the Future of Transportation: Automated Vehicles 3.0 (AV 3.0), its third round of guidance on the topic. Like its 2017 predecessor, “Automated Driving Systems 2.0: A Vision for Safety,” AV 3.0 emphasizes the development of voluntary, consensus-based technical standards and approaches while noting that there are cross-cutting policy issues where federal leadership may be necessary. AV 3.0 also builds on its predecessors by emphasizing that it reflects the view of all of DOT’s operating administrations; by providing much more detailed guidance on the development and testing of automated vehicle technologies; and by announcing some specific regulatory steps DOT plans to take in the near future. (more…)
On Friday, August 31, the California legislature unanimously passed a host of “clean-up” amendments to the new California Consumer Privacy Act (CCPA), AB 375, as it set about addressing flaws and other concerns in the state’s groundbreaking data privacy law. These amendments are now awaiting Governor Brown’s signature. (more…)
*This article first appeared in the July 2018 issue of Digital Health Legal
Massive data breaches. Threats to medical devices. The Internet of Persons. Healthcare entities are all too familiar with the rising cyber threat. But they are also familiar with the complex array of laws and regulations in the United States that attempt to address the threat and the potentially significant compliance costs and risks caused by that complexity. The US Court of Appeals for the Eleventh Circuit’s recent and long-awaited decision in LabMD v. Federal Trade Commission, which trimmed the sails of one of the primary regulators of the healthcare information security landscape, may thus appear to some, at first blush, to be a necessary corrective. Yet closer inspection shows that the Eleventh Circuit’s decision raises more questions than it answers – and that its true implications will only become clear once we see how federal regulators, the courts, and perhaps Congress respond.