Numerous states—including Illinois, Hawaii, Tennessee, Montana, New Hampshire and Indiana—have been busy finalizing rulemaking and legislation impacting interstate compacts, professional practice standards and COVID-19 licensure flexibilities. What have these states been up to over the last month?
April Trending in Telehealth
Numerous states—including North Dakota, Hawaii, Indiana, Texas and New Hampshire—have been busy finalizing rulemaking and legislation impacting healthcare providers, telehealth and digital health companies, pharmacists and technology companies that deliver and facilitate virtual care. What have these states been up to over the last month?
Healthcare Preview for the Week of May 1, 2023
There has been a flurry of activity in Congress focused on healthcare issues over the last two weeks. Committees in both the US House and Senate held hearings on legislation focused on increasing transparency and competition in the healthcare system that could have significant impacts for certain healthcare providers, healthcare plans and pharmacy benefit managers.
Washington State Legislature Passes My Health My Data Act
The My Health My Data Act in Washington State (the Act) is expected to be signed into law by Governor Jay Inslee this year, after being passed by both the Washington Senate and House in different versions. Unlike recent state privacy laws, the Act specifically targets consumer health data that is not covered by the Health Insurance Portability and Accountability Act (HIPAA). It includes provisions that apply to processors and third parties who may handle a broadly defined set of consumer health data, beyond healthcare-adjacent businesses. The Act could have a significant impact on various entities, including advertisers, mobile app providers, wearable device manufacturers, healthcare companies and their data processors who handle non-HIPAA-regulated health information.
Health Data in the EU and UK: Regulatory Trends and Developments
With the General Data Protection Regulation (GDPR) resulting in a rise in enforcement incidents, it is prudent for organizations operating in the health and life sciences industries across the United Kingdom, European Union (EU) and other European Economic Area (EEA) nations to assess their responsibilities regarding the gathering and handling of health data.
- “Data concerning health” is a wide term; it doesn’t just apply to medical records. Policies and processing records should accurately capture all health data, including inference data.
- Most EEA countries, and the United Kingdom, have national laws that supplement GDPR.
- Consent is not the only legal basis for collecting, storing and using health data; there are other options available, but be aware that “insufficient legal basis for data processing” is a common type of GDPR violation.
- If used, health data consents must be granular, specific and transparent, and they must break down all the purposes for which the data is being processed. Consent must be granted on an “opt-in” basis and not as a result of a pre-filled tick box.
- Health data may be reused for genuine scientific research purposes provided the processing is compatible with the original use, appropriate safeguards are in place and any separate national law conditions are satisfied.
- Privacy policies and transparency notices must be clear about the basis on which health data is processed.
- Proceed carefully and consider reidentification risk when relying on anonymisation to process data; document any reidentification risk assessment and periodically review it in light of developments in publicly available data and the evolving risk environment. Technical measures, such as evolving encryption standards, should be reviewed periodically.
OCR Issues Proposed Rule to Modify HIPAA Privacy Rule to Include Explicit Protections for Reproductive Healthcare
On April 12, 2023, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking detailing its proposal to modify the HIPAA Privacy Rule (Proposed Rule). The Proposed Rule comes as a part of the Biden administration’s response to the US Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization.
The Proposed Rule would provide special protections for protected health information (PHI) related to reproductive healthcare. Following the Dobbs decision, many healthcare providers expressed concerns that PHI related to reproductive healthcare may be sought by state and local governments for use in criminal, civil or administrative investigations or proceedings. OCR noted that such compelled uses and disclosures of PHI could have a chilling effect on lawfully obtained healthcare and erode trust in confidential communications between a patient and provider. Additionally, providers could elect to leave out critical details from a patient’s medical record if they fear the information could later be used by a state or local government actor against the patient.
Stakeholders may submit comments on the Proposed Rule on or before June 16, 2023.
Telehealth Trends to Watch: Increased Focus on Privacy and Security
We expect to see continued focus on privacy and security at the federal and state level. For example, California, Virginia, Colorado, Utah and Connecticut have new privacy laws coming into effect in 2023. As part of our State Law Privacy Video Series, McDermott described how these laws will affect health data and healthcare entities—in particular, those entities that are regulated by HIPAA.
In addition, at the end of 2022, the US Department of Health and Human Services (HHS) proposed long-awaited changes to the regulations protecting the confidentiality of substance-use disorder patient records under Part 2 of Title 42 of the Code of Federal Regulations (42 CFR Part 2, or Part 2). Specifically, the proposed rule would implement provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which required HHS to align Part 2 with certain provisions of HIPAA and to make certain changes to the HIPAA Notice of Privacy Practices, the form given to patients and plan members that describes patient privacy rights, covered entity duties, and the covered entity’s uses and disclosures of protected health information.
New 50-State Survey | ID Verification for Telemedicine Encounters
Verifying the identity of a patient prior to delivering telehealth services is important to prevent a range of potential risks, including the creation of fake accounts, insurance fraud and drug abuse/diversion.
A growing number of states and health plans require the verification of a patient’s identity. This verification activity has become a standard practice in the telehealth industry and is expected to continue.
Download our 50-state survey to learn which states require patient identity verification and access links to relevant state laws in one convenient place.
Digital Health: 2022 Year in Review
Digital health is one of the fast-growing segments of the healthcare market, with patients, clinicians and regulators increasingly aligned behind digitization opportunities. Over the last three years, patients and clinicians alike have embraced digitally delivered care and telehealth-related flexibilities.
In this report, McDermott’s Digital Health team takes a close look at the forces shaping the sector in 2023, including:
- Telehealth regulatory trends
- Women’s health
- Increased scrutiny on tracking, privacy and security
- Unwinding from the Public Health Emergency
- State of investing and dealmaking
Drug Discount Review Boards Proposed by Biden Health Agency
The Biden administration recently proposed revising the process behind an outlet for pharmaceutical companies to resolve price fights for those participating in the 340B drug discount program. According to this Bloomberg article, disputes between providers and pharmaceutical companies were in limbo as the industry waited for the Biden administration to replace an administrative dispute resolution (ADR) board. McDermott Partner Emily J. Cook said the proposed US Department of Health and Human Services rule ushers in “some significant changes” from the prior ADR process.