We expect many of the trends of 2021 in health data privacy to continue to pick up steam this year. See below for six noteworthy trends that life sciences and healthcare companies should continue to keep an eye on in 2022:
As described below, there are several new and impending interoperability rules and frameworks to facilitate the exchange of electronic health information, including for the purposes of care coordination and case management. Life sciences and healthcare companies should consider revisiting their data sharing policies and procedures to ensure that they are in compliance with applicable requirements, such as:
Prohibition on Information Blocking
Rules released by the Office of the National Coordinator for Health Information Technology (ONC) in the U.S. Department of Health and Human Services (HHS) are now in effect that prohibit health IT developers of certified health IT, healthcare providers, health information networks, and health information exchanges from engaging in information blocking. The 21st Century Cures Act defines “information blocking” as business, technical, and organizational practices that prevent or materially discourage the access, exchange, or use of electronic health information.
Payer to Payer Exchange of Medical Records
Rules released by the Centers for Medicare and Medicaid Services (CMS) require government health plans (such as Medicare Advantage and managed Medicaid plans) to maintain a process for the electronic exchange of electronic health information with other government and commercial health plans at the direction of the individual. While there is “enforcement discretion,” payers are working to comply with this new exchange requirement.
Connecting Health Information Networks
To operationalize the ONC and CMS interoperability rules, the ONC published the Trusted Exchange Framework and the Common Agreement (TEFCA) in January 2022. TEFCA offers a set of non-binding principles for the exchange of health information. Specifically, it establishes a technical and governance infrastructure that connects health information networks together, with the goal of establishing “a universal floor of interoperability across the country” by which healthcare providers, plans and patients may securely exchange patient records.
Final HIPAA Regulations Expected Later this Year
HHS is expected to issue the final changes to the HIPAA Privacy Rule by the end of 2022. The Privacy Rule has not been amended since 2013. The HHS Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking in December 2020 that proposed a number of changes to the Privacy Rule, including changes related to the exchange of protected health information (PHI).
Proposed Changes to Part 2 Regulations Expected Later this Year
The federal Coronavirus Aid, Relief, and Economic Security (CARES) Act amended the federal law that governs the confidentiality of substance use disorder (SUD) treatment records. The statutory change requires the Substance Abuse and Mental Health Services Administration (SAMHSA) to amend 42 CFR Part 2 regulations related to such treatment records. Proposed regulations, likely to be published in early 2022, are expected to align Part 2 more closely to the uses and disclosures of protected health information permitted under the Health Insurance Portability and Accountability Act (HIPAA).
Consistent with the push for the interoperability of health information is the continued focus on the individuals’ right to access their medical records.
Patient Access to Medical Records Held by Governmental Health Plans
Final CMS rules require government health plans to have secure, standards-based application programming interfaces (APIs) that support a patient’s access to core data in their electronic health record (EHR). These APIs allow the patient to direct their electronic health records to a third party, such as an app.
OCR Enforcement Priority
OCR focused its 2021 enforcement efforts on patients' rights to promptly receive copies of their medical records in line with its 2019 HIPAA Right of Access Initiative. Of the thirteen (13) HIPAA settlements in 2021, eleven (11) settlements resulted from right of access violations with penalties totaling $852,150. Covered entities should be mindful of notices received from both OCR and patients related to the right of access to avoid potential liability.
The role of individual consent to data sharing was a focus of litigation and enforcement actions in 2021, and we expect this trend to continue. See, for example, the recent Massachusetts cookie settlement and Federal Trade Commission (FTC) settlement with Flo Health described below.
Massachusetts Cookie Settlement
FTC Flo Health Settlement
It should come as no surprise that we expect to continue to see significant emphasis placed on data breach reporting and security.
Federal Trade Commission Health Breach Notification Rule
In September 2021, the FTC announced its intent to enforce the Health Breach Notification Rule (Rule) and to expand the Rule’s applicability to non-HIPAA regulated entities, such as health apps and connected devices. Under the Rule, vendors of personal health records (PHRs) and PHR-related entities are required to report security breaches to the FTC, individuals, and in some cases, the media. As discussed in Orrick’s earlier guidance, the Rule has been in effect since 2009, but the FTC has never enforced it, and to date, there have only been four instances in which a company provided notice to the FTC under the Rule. Nonetheless, given the FTC’s renewed interest in enforcing the Rule, life sciences and healthcare companies not regulated by HIPAA should be mindful of their potential reporting obligations—which include unauthorized acquisition not only by cybersecurity intrusions but also the sharing of health information without an individual’s consent (again highlighting the importance of patient consent prior to the sharing of their health information).
Part 2 Breach Notification
The CARES Act not only requires the Part 2 regulations governing the confidentiality of substance use disorder (SUD) treatment records to be updated, but includes a new breach notification rule application to SUD treatment records that are not already subject to HIPAA’s breach notification rule.
False Claims Act Liability
Although not directed solely at the healthcare industry, the U.S. Department of Justice announced a Civil Cyber-Fraud Initiative that will target government contractors and federal grant recipients that fail to comply with cybersecurity standards, misrepresent their security controls and practices, and fail to timely report suspected breaches. We expect the scope of the initiative to include life sciences and healthcare companies that contract to provide services and products to the federal government.
To aid with security, the government launched new resources, including the following.
As new state data privacy laws continue to come into effect, life sciences and healthcare companies should consider the extent to which these laws apply to their business and take steps to come into compliance as needed.
U.S. State Consumer Privacy Laws
As discussed in Orrick’s earlier guidance, changes to state consumer privacy laws in California, Colorado, and Virginia will become operative in 2023. These laws include key exemptions that may apply to healthcare or life sciences companies. For example, all three laws contain exemptions for entities or personal information that is regulated by HIPAA, but the scope of the exemption differs from state to state. The California Privacy Rights Act (CPRA) and the Colorado Privacy Act (CPA) contain exemptions for protected health information (PHI) subject to HIPAA but do not exempt HIPAA covered entities or business associates. In contrast, the Virginia Consumer Data Privacy Act (VDCPA) exempts both HIPAA covered entities and business associates, as well as PHI.
Biometric and Genetic Laws
Similarly, we continue to see states adopt biometric and genetic specific privacy laws. These states include California, Illinois, Texas, Utah, and Washington. Similar to the state consumer privacy laws, they have varying exceptions for HIPAA governed data and entities.
Roadblocks Continue for International Health Data Transfers
The global COVID-19 pandemic has shined an even brighter light on the need to smooth the international transfer of health data for research in the aftermath of the Schrems II decision and the absence of a Privacy Shield replacement. In particular, we expect researchers and other public interest groups to continue their focus on the need to find practical solutions for the transfer of pseudonymized health data out of the European Economic Area for research. Advances in vaccines, cancer treatment, and public health requires it.
European Health Data Space
The European Commission (EC) is expected to finalize a proposal for the European Health Data Space (EHDS) in early 2022. EHDS is an initiative to promote the exchange of and access to health data to support health care delivery, research, and policymaking, and to enhance the interoperability of data that is shared between EU Member States. The EC published a public consultation from 2020 to 2021 to gather additional information on the effect of the initiative, including how the General Data Protection Regulation (GDPR) and the data protection initiatives of each EU Member State affect the sharing of health data and the use of artificial intelligence in healthcare.