California’s Senate and Assembly unanimously approved AB 375 (also known as the California Consumer Privacy Act of 2018), on June 28, 2018. This new consumer privacy bill will be the most progressive and comprehensive privacy law in the United States, reaching far beyond California’s borders to give California consumers more visibility and control over their personal information.
Daniel F. Gottlieb counsels a wide range of health care industry clients, including health care providers, health plans, health information technology (IT) vendors and life sciences companies. He represents these entities on health IT acquisitions, privacy and data protection, reimbursement, fraud and abuse, and other health care regulatory and transactional matters. Daniel is a co-leader of the Firm’s Global Privacy and Cybersecurity Practice. Read Daniel Gottlieb's full bio.
Earlier this month, more than 45,000 attendees descended on Las Vegas, NV, for the nation’s largest annual health care technology conference: the 2018 HIMSS Conference & Exhibition (HIMSS18). Conversations and educational sessions covered a wide range of health tech topics, with thought leaders, solutions developers, health system executives, patient advocates and care providers coming together to discuss the myriad obstacles and opportunities facing the health care technology industry today.
On Tuesday March 6, during the HIMSS conference, McDermott Will & Emery along with our friends at Capstone Headwaters convened a panel discussion on “Financing High-Growth Healthcare IT Companies, which I had the pleasure of moderating. The seasoned mix of health care finance and private equity professionals discussed the various types and sources of capital available to fuel high-growth health IT organizations and how to choose the right mix of capital to support a company’s growth needs. We also reviewed the legal and regulatory implications for investments in health care IT companies, and discussed considerations for optimal positioning in a value-based care environment. Continue Reading Financing High-Growth Health IT Companies: McDermott and Capstone’s Panel Recap from HIMSS 18
Last week, the US Court of Appeals for the DC Circuit issued a long-awaited decision on an omnibus challenge to the FCC’s interpretation of the TCPA. While the decision provides some relief for businesses, it does not eliminate the prospect of TCPA liability and leaves important TCPA interpretive questions unresolved. Businesses should continue to be vigilant regarding consent and opt-out procedures when sending automated text messages and automated or pre-recorded calls to consumers. Continue Reading
The General Data Protection Regulation (GDPR) establishes protections for the privacy and security of personal data (Personal Data) about individuals in the European Union (EU) single market countries, and potentially affects the clinical and other scientific research activities of academic medical centers and other research organizations in the United States.
This On the Subject includes frequently asked questions that discuss the extent to which United States research organizations must comply with GDPR when conducting research. Future coverage will address the impact of GDPR on other aspects of the United States health care sector.
On May 31, 2017, the US Department of Justice announced a Settlement Agreement under which eClinicalWorks, a vendor of electronic health record software, agreed to pay $155 million and enter into a five-year Corporate Integrity Agreement to resolve allegations that it caused its customers to submit false claims for Medicare and Medicaid meaningful use payments in violation of the False Claims Act.
On December 7, 2016, the US Congress approved the 21st Century Cures Act (Cures legislation), which is intended to accelerate the “discovery, development and delivery” of medical therapies by encouraging public and private biomedical research investment, facilitating innovation review and approval processes, and continuing to invest and modernize the delivery of health care. The massive bill, however, also served as a vehicle for a variety of other health-related measures, including provisions relating to health information technology (HIT) and related digital health initiatives. President Barack Obama has expressed support for the Cures legislation and is expected to sign the bill this month.
The HIT provisions of the Cures legislation in general seek to:
- Reduce administrative and regulatory burdens associated with providers’ use of electronic health records (EHRs)
- Advance interoperability
- Promote standards for HIT
- Curb information blocking
- Improve patient care and access to health information in EHRs
As public and private payers increasingly move from fee-for-service payments to value-based payment models, with a focus on maximizing health outcomes, population health improvement, and patient engagement, HIT—including EHRs and digital health tools—will be increasingly relied upon to collect clinical data, measure quality and cost effectiveness; assure continuity of care between patients and providers in different locations; and develop evidence-based clinical care guidelines.
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently posted guidance (OCR guidance) clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a covered entity customer to protected health information (PHI) maintained by the vendor on behalf of the customer. Such “information blocking” could occur, for example, during a contract dispute in which a vendor terminates customer access or activates a “kill switch” that renders an information system containing PHI inaccessible to the customer. Many information vendors have historically taken such an approach to commercial disputes.
Read full article here.
On January 15, 2016, the U.S. Food and Drug Administration (FDA) published a draft guidance entitled Postmarket Management of Cybersecurity in Medical Devices (Draft Guidance), which outlines FDA’s recommendations for managing postmarket cybersecurity vulnerabilities in medical devices that contain software or programmable logic and software that is a medical device, including networked medical devices. The Draft Guidance represents FDA’s latest attempt to outline principles intended to enhance medical device cybersecurity throughout the product lifecycle.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently transmitted HIPAA pre-audit screening surveys to covered entities that may be selected for a second phase of HIPAA compliance audits (Phase 2 Audits). OCR is required to conduct compliance audits of covered entities and business associates under the 2009 Health Information Technology for Economic and Clinical Health Act.
Unlike the pilot audits conducted in 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR is conducting Phase 2 Audits of both covered entities and business associates. The Phase 2 Audit program will focus on areas of greater risk to the security of protected health information (PHI) and pervasive non-compliance based on OCR’s Phase I Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards. The Phase 2 Audits are also intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates. In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.
OCR had previously planned to issue the pre-audit screening surveys in the summer of 2014, but postponed their release until it completed its implementation of a new web portal that will be used for the submission of audit-related materials.
We will publish a fuller On the Subject regarding the Phase 2 Audits in the coming days.
In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the draft data protection regulation and the “right to be forgotten,” the African Union adopted the Convention on Cybersecurity and Personal Data, and China improved the security of individuals’ information in several key areas. Meanwhile, Latin America’s patchwork of data privacy laws continues to evolve as foreign business increases.
This report furnishes in-house counsel and others responsible for privacy and data protection with an overview of key action points based on these and other 2014 developments, along with advance notice of potential trends in 2015. McDermott will continue to report on future updates, so check back with us regularly.