Doctors across the country are encountering a minefield of legal risks as they navigate a post-Roe reality. In this Axios article, McDermott Partner Scott Weinstein offers perspective on the Health Insurance Portability and Accountability Act (HIPAA) and health information disclosure.
The US Supreme Court’s recent decision to overturn Roe v. Wade in Dobbs v. Jackson Women’s Health Organization has raised many questions about potential efforts by law enforcement agencies to obtain data from healthcare and other service providers to detect the performance of a possibly unlawful abortion. For example, data collected by period-tracking apps, patients’ self-reported symptoms, or diagnostic-testing results might be used to establish the timeframe in which an individual became pregnant, and then demonstrate that a pregnancy was terminated, as part of investigative or enforcement efforts against individuals or organizations allegedly involved in such termination.
On June 29, 2022, the office within the US Department of Health and Human Services (HHS) that is responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), the Office for Civil Rights (OCR), issued guidance addressing how HIPAA limits disclosures by covered entities and business associates to law enforcement agencies in the absence of a court order or other legal mandate. The guidance provides helpful insight on how OCR may use HIPAA enforcement to discourage unauthorized disclosures of protected health information (PHI) to law enforcement officials in the wake of new state laws outlawing abortion. The guidance also implicitly confirms, however, that HIPAA does not provide a complete shield against law enforcement and litigation-driven requests for abortion-related information.
On September 15, 2021, the Federal Trade Commission (FTC) voted 3–2 along party lines (with Republican commissioners dissenting) to issue a policy statement announcing an expansive interpretation of the FTC’s Health Breach Notification Rule, 16 CFR Part 318 (the Rule). According to the policy statement, the Rule applies to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (HIPAA) but are capable of drawing information from multiple sources—for example, through a combination of consumer inputs and application programming interfaces (APIs).
Telemedicine in the United States is facing an important crossroads. While telehealth services have demonstrated their value as an integral part of care delivery, federal and state waivers instituted during the COVID-19 pandemic are likely to expire soon. As lawmakers and agency officials consider updated or expanded digital health rules, regulators are expected to intensify their scrutiny of providers.
- Privacy considerations beyond the Health Insurance Portability and Accountability Act of 1996, including Federal Trade Commission requirements;
- How to prepare for the Health Breach Notification Rule;
- The ins and outs of advertising telehealth, including claims, endorsements and social media;
- Strategies for engaging with users in the digital environment; and
- Increased fraud enforcement.
Can employers mandate some employees get the vaccine and not others? Is there an obligation to consider requiring a COVID-19 test before coming back to work? What are the potential workers’ compensation claims relating to possible adverse reactions to a vaccine? Should employers mandate vaccinations?
VIDEO: Transfers of Health Data from the European Union to the United States in a Post-Schrems II World
In this video, McDermott Will & Emery partner Amy C. Pimentel explains the significance of health data transfers from the European Union to the United States in a post-Schrems II world. The recent Schrems II ruling invalidated the EU-US Privacy Shield, holding that the US legal regime on access to personal data does not contain adequate limitations and safeguards. Pimentel and McDermott’s Romain Perray also recently wrote about this topic for McDermott’s International News.
On January 7, 2021, the Equal Employment Opportunity Commission (EEOC) issued proposed guidance regarding employer-sponsored wellness programs and the level of incentives employers may offer employees who participate in these programs in the form of two proposed rules. On January 20, 2021, the Biden administration ordered agencies to immediately withdraw most unpublished rules, including the EEOC proposed rules. Agencies may not issue any new regulations until they can be reviewed and approved by agency or department heads appointed or designated by President Biden.
CCPA Amendment Update: California Legislature Approves Exceptions for HIPAA De-Identified Information and Other Health Data
On September 25, 2020, California Governor Gavin Newsom signed into law California AB 713, which amends the California Consumer Privacy Act (CCPA) to except from its requirements certain health information, including information that has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The bill’s enactment eases some of the CCPA compliance challenges experienced by the health care and life sciences industries by more closely aligning the CCPA with HIPAA and other laws governing human subjects research. The new law also amends the CCPA to except all business associates to the extent that they maintain, use or disclose patient information in the same manner as protected health information under HIPAA.
Because widespread, rapid COVID-19 testing remains unavailable in many locations, universities have had to find innovative ways to implement testing, tracing and isolation protocols to reduce the risk of transmission among students, faculty and staff. There is no one perfect protocol—all universities are in uncharted waters. But there are a few key components university administrators may want to consider and address.
Employers are poised to collect health data from their workforces daily as they adopt temperature checks and other screening protocols to fight the coronavirus, triggering concerns about workers’ privacy and whether the practices will continue beyond the pandemic.
“The temperature checks give employees and customers the feeling of safety and the idea that the company is doing everything possible, even if the screenings don’t protect the workplace,” said Michael Sheehan, a partner with McDermott Will & Emery, in a recent Bloomberg Law article.