At a recent open Commission meeting, the Federal Trade Commission (FTC) voted unanimously to issue a Notice of Proposed Rulemaking to amend the Health Breach Notification Rule (HBNR). The FTC’s proposed amendment aims to codify the HBNR’s application to digital health and mobile technologies. However, several aspects of the proposed amendment lack clarity and are likely to cause confusion unless further clarified through the ongoing rulemaking process.
Numerous states—including Illinois, Hawaii, Tennessee, Montana, New Hampshire and Indiana—have been busy finalizing rulemaking and legislation impacting interstate compacts, professional practice standards and COVID-19 licensure flexibilities. What have these states been up to over the last month?
Numerous states—including North Dakota, Hawaii, Indiana, Texas and New Hampshire—have been busy finalizing rulemaking and legislation impacting healthcare providers, telehealth and digital health companies, pharmacists and technology companies that deliver and facilitate virtual care. What have these states been up to over the last month?
There has been a flurry of activity in Congress focused on healthcare issues over the last two weeks. Committees in both the US House and Senate held hearings on legislation focused on increasing transparency and competition in the healthcare system that could have significant impacts for certain healthcare providers, healthcare plans and pharmacy benefit managers.
The My Health My Data Act in Washington State (the Act) is expected to be signed into law by Governor Jay Inslee this year, after being passed by both the Washington Senate and House in different versions. Unlike recent state privacy laws, the Act specifically targets consumer health data that is not covered by the Health Insurance Portability and Accountability Act (HIPAA). It includes provisions that apply to processors and third parties who may handle a broadly defined set of consumer health data, beyond healthcare-adjacent businesses. The Act could have a significant impact on various entities, including advertisers, mobile app providers, wearable device manufacturers, healthcare companies and their data processors who handle non-HIPAA-regulated health information.
With the General Data Protection Regulation (GDPR) resulting in a rise in enforcement incidents, it is prudent for organizations operating in the health and life sciences industries across the United Kingdom, European Union (EU) and other European Economic Area (EEA) nations to assess their responsibilities regarding the gathering and handling of health data.
Major Points:
On April 12, 2023, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking detailing its proposal to modify the HIPAA Privacy Rule (Proposed Rule). The Proposed Rule comes as a part of the Biden administration’s response to the US Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization.
The Proposed Rule would provide special protections for protected health information (PHI) related to reproductive healthcare. Following the Dobbs decision, many healthcare providers expressed concerns that PHI related to reproductive healthcare may be sought by state and local governments for use in criminal, civil or administrative investigations or proceedings. OCR noted that such compelled uses and disclosures of PHI could have a chilling effect on lawfully obtained healthcare and erode trust in confidential communications between a patient and provider. Additionally, providers could elect to leave out critical details from a patient’s medical record if they fear the information could later be used by a state or local government actor against the patient.
Stakeholders may submit comments on the proposed rule on or before June 16, 2023.
We expect to see continued focus on privacy and security at the federal and state level. For example, California, Virginia, Colorado, Utah and Connecticut have new privacy laws coming into effect in 2023. As part of our State Law Privacy Video Series, McDermott described how these laws will affect health data and healthcare entities—in particular, those entities that are regulated by HIPAA.
In addition, at the end of 2022, the US Department of Health and Human Services (HHS) proposed long-awaited changes to the regulations protecting the confidentiality of substance-use disorder patient records under Part 2 of Title 42 of the Code of Federal Regulations (42 CFR Part 2, or Part 2). Specifically, the proposed rule would implement provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which required HHS to align Part 2 with certain provisions of HIPAA and to make certain changes to the HIPAA Notice of Privacy Practices, the form given to patients and plan members that describes patient privacy rights, covered entity duties, and the covered entity’s uses and disclosures of protected health information.
Verifying the identity of a patient prior to delivering telehealth services is important to prevent a range of potential risks, including the creation of fake accounts, insurance fraud and drug abuse/diversion.
A growing number of states and health plans require the verification of a patient’s identity. This verification activity has become a standard practice in the telehealth industry and is expected to continue.
Download our 50-state survey to learn which states require patient identity verification and access links to relevant state laws in one convenient place.
Digital health is one of the fast-growing segments of the healthcare market, with patients, clinicians and regulators increasingly aligned behind digitization opportunities. Over the last three years, patients and clinicians alike have embraced digitally delivered care and telehealth-related flexibilities.
In this report, McDermott’s Digital Health team takes a close look at the forces shaping the sector in 2023, including:
Subscribe
