Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

Read the full article here.

Guidance on Low Risk General Wellness Devices Is Finalized

On July 29, 2016, the US Food and Drug Administration (FDA) finalized General Wellness: Policy for Low Risk Devices Guidance (Final Guidance) detailing its risk-based regulatory approach to relax certain regulatory requirements for low risk products that promote a healthy lifestyle—coined “general wellness products.” In the Final Guidance, the FDA makes minimal substantive changes to the policies articulated in its January 2015 draft guidance. Notably, however, the Final Guidance added and refined several examples to illustrate the products that are subject to FDA’s enforcement discretion and ultimately outside FDA’s intended scope of regulatory oversight.

Read the full article, FDA Finalizes Guidance on Low Risk General Wellness Devices here.

Brexit Update: The Effect of Brexit on Data Transfers between the United Kingdom and the European Union

With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and EU and European Economic Area (EEA) countries is at risk. Even though Brexit will likely have the biggest impact on the financial sector, businesses in the United Kingdom that rely on the free flow of personal data to and from EU nations will also be affected. In particular, should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data protection laws, transfers to data processors in the United Kingdom would have to be based on an adequacy decision of the European Commission, standard contractual clauses (model contracts) or binding corporate rules.

Read the full article here.

Digital Health: An Improving Environment for Investors

The integration of technology into health care delivery is exploding throughout the health industry landscape. Commentators speculating on the implications of the information revolution’s penetration of the health care industry envision delivery models rivaling those imagined by celebrated science fiction authors, and claim that the integration of information technology into even the most basic health care delivery functions can reduce cost, increase access, improve quality and, in some instances, fundamentally change the way health care is delivered.

These visions are difficult to refute in the abstract; the technology exists or is being developed to achieve what just a few years ago seemed the idle speculation of futurists. But delivering this vision in an industry as regulated as health care is significantly harder than it may seem. While digital health models have existed for many years, the regulatory and reimbursement environment have stifled their evolution into fully integrated components of the health care delivery system.

Continue Reading

The Rocky Road of Evaluation for Digital Health Tools

Recent comments linking digital health tools to so-called “snake oil” has the channels of social media atwitter.  (Add this post to the noise!)  While some may decry the comparison, there is a lot we can learn from that perspective.

One of the challenges of broad digital health adoption is the simple fact that digital health encompasses such a broad array of technologies, usages and purposes.  There is no one tonic that will cure a list of ailments; rather we are presented with shelves of solutions to even more shelves of challenges waiting to be addressed.  Digital health includes, by my definition, the application of social media tools to preventative health and chronic disease management measures, as well as highly sophisticated data analytics applied to massive amounts of population health data to identify important health trends.  It also includes home monitoring devices that keep health care providers informed of their patient’s at-home health condition, as well as telestroke programs that allow physicians to access needed expertise.  The list is potentially endless, as new technologies created to address health issues and existing technologies are being put to use in the health care context. Continue Reading

AMA Approves New Ethical Guidance Policy and Encourages Telemedicine Training for Students and Residents

New Ethical Guidelines

On June 13, the American Medical Association (AMA) adopted a new ethical guidance policy governing the practice of telemedicine that will be published in the coming months. The policy is based on a report from the AMA Council on Ethical and Judicial Affairs and builds upon the AMA’s 2014 telemedicine guidance.

Consistent with past guidance from AMA and other professional organizations, the AMA notes that the ethical responsibilities of physicians are the same – regardless of whether the physician communicates with a patient in-person or remotely – and encourages providers to recognize the potential uses and limitations of technology when delivering care. “Telehealth and telemedicine are another stage in the ongoing evolution of new models for the delivery of care and patient-physician interactions,” said AMA Board Member Jack Resneck, MD. “The new AMA ethical guidance notes that while new technologies and new models of care will continue to emerge, physicians’ fundamental ethical responsibilities do not change.”

The 2016 policy recommends that once a patient-physician relationship is established, physicians who engage in telemedicine by responding to individual health queries electronically or providing clinical services through telemedicine:

  • Must disclose financial or other interests in certain telemedicine applications or services
  • Must protect patient privacy and confidentiality
  • Should inform patients of the limitations of the telemedicine encounter
  • Should encourage patients to inform their primary care doctor about the encounter
  • Should advise patients how to arrange follow-up care
  • Should, when necessary, recommend the use of a telepresenter or other health care professional at the originating site (e., the patient’s physical location)

Notably, the 2014 guidance required that a patient-physician relationship be established prior to the provision of telemedicine services. The relationship could be established during a face-to-face examination, through a consultation with another physician, or by meeting the evidence-based practice guidelines developed by major medical specialty societies. While the 2014 guidance did not specify whether the face-to-face examination must occur in-person, rather than digitally, many interpreted this requirement to be satisfied via an interactive telemedicine encounter.

In addition, the 2016 policy formally recognizes the importance of a “coordinated effort across the profession,” which includes clarifying standards and promoting access to technology. That said, the 2016 policy still requires the licensure of physicians in the state in which the patient is located. (As a general rule, physicians that practice telemedicine are subject to the licensure rules of both the state in which their patient is physically located and the state in which the provider is practicing.)  One potential avenue for facilitating multi-state licensure is the Federation of State Medical Boards’ Interstate Medical Licensure Compact, which offers a streamlined licensure process in each Compact state. The Compact has been adopted by 17 states thus far and more are expected to join this year and in 2017.

In sum, the AMA’s new ethical guidance should help physicians to better understand how their fundamental ethical responsibilities may play out differently when patient interactions occur through technology, and how this technology can be used to deliver more accessible, efficient and effective care.

Telemedicine Training for Students and Residents

Two days after adopting the ethical guidelines above, the AMA adopted a second telemedicine policy encouraging the inclusion of telemedicine training into undergraduate and graduate medical programs.

Since the vast majority of medical students are not learning about the potential benefits and appropriate uses of telemedicine technologies during medical school and residency, they are learning about telemedicine “on the job,” which may create missed opportunities for its use.  “As innovation in care delivery and technology continue to transform health care, we must ensure that our current and future physicians have the tools and resources they need to provide the best possible care for their patients,” said AMA immediate past president Robert M. Wah, MD  “In particular, exposure to and evidence-based instruction in telemedicine’s capabilities and limitations at all levels of physician education will be essential to harnessing its potential.”

In sum, the hope is that integrating formal telemedicine training into medical education programs will better prepare future physicians to appropriately and effectively integrate telemedicine into their clinical practices.

MaryKathryn Hurd, summer associate in McDermott’s Chicago office, co-authored this post.

Louisiana Joins its Peers in Removing In-State Barriers to Telemedicine

Last week, Louisiana legislators approved the removal of certain restrictions on the delivery of telemedicine services to residents of Louisiana to encourage the provision of telemedicine services in the state.  H.B. No. 570 was signed by the President of the Senate on June 5, 2016 and sent to Governor John Bel Edwards on June 6, 2016.

Notably, the Bill modifies the telemedicine requirements under La. Stat. Ann. § 37:1271, and R.S. 40:1223.3(5) and 1223.4(A) as follows:

  • A physician practicing telemedicine in the state who does not maintain a physical practice location within the state of Louisiana (but who is licensed in the state and has access to the patient’s medical records) is no longer required to first conduct an in-person patient history or physical examination of the patient before engaging in a telemedicine encounter.
  • In sum, La. Stat. Ann. § 37:1271 now requires that telemedicine providers hold an unrestricted license to practice medicine in Louisiana; obtain access to the patient’s medical records upon consent of the patient; create a medical record on each patient and make it available to the Louisiana State Board of Medical Examiners upon request; and, if necessary, provide a referral to a physician or arrange follow-up care in the state, as indicated.
  • The definition of “synchronous interaction” found in S. 40:1223.3(5) is now broadened to allow providers to use audio (without video) for telemedicine encounters if the same standard of care as in-person encounters is maintained.
  • This means that patients will be able to use a phone for telemedicine purposes, which is especially useful for patients who may not have: access to video-based technology, the know-how to connect with a provider using video-based technology, or an appropriate data plan/wireless connection for the simultaneous transmission of video.
  • Each state agency and each professional or occupational licensing board or commission authorized to adopt rules and regulations specific to the practice of telemedicine pursuant to S. 1223.4(A) is now prohibited from adopting any rules or regulations that are more restrictive than the provisions of the present law.

Like Alaska’s recent modifications to its telemedicine requirements, the Louisiana Bill broadens the base of available health care providers through the removal of the in-state restriction, which helps to increase the supply of physicians and competition from lower-cost providers, reduces transportation costs and improves access to quality care.  In addition, this Bill expands the types of technologies that may be used to deliver telemedicine services, which will better accommodate the significant portion of health care consumers who prefer phone consultations to access care.

Mobile Health Tools, Developers Need Better Data Protection Guidance, Attorney Jennifer Geetter Says

After three government agencies collectively created an online tool to help developers navigate federal regulations impacting mobile health apps, McDermott partner Jennifer Geetter was interviewed by FierceMobileHealthcare on the need for mobile health development tools.

Read the full article from FierceMobileHealthCare.

FTC Weighs-in on Telehealth: Providing Comments Regarding Alaska’s Proposed Licensure and Standard of Care Requirements

In March 2016, the US Federal Trade Commission (“FTC”) staff submitted public comments regarding the telehealth provisions of a proposed state bill in Alaska demonstrating the FTC’s continued focus on health care competition and general discouragement of anti competitive conduct in health care markets, with a renewed interest and focus on telehealth.

Continue Reading

Developing and Implementing an Effective Telemedicine Informed Consent Form

The search by consumers, payers and providers for more efficient, effective and convenient care delivery models has led to an explosion of technological innovation in the health care sector. This explosion has supported the increased use of telemedicine by providers to reach patients who were previously out of reach, and to provide more timely and cost-effective care.

With the use of telemedicine technologies comes a responsibility on the part of providers to educate and inform patients on the benefits, and more importantly, on the risks associated with receiving care via telemedicine. Like any other care setting, compliance with this responsibility serves the dual purpose of providing consumers with the information needed to make an informed decision about their care, but also mitigates the provider’s potential liability exposure from medical malpractice claims. Continue Reading

LexBlog