As we reflect on the flurry of activity in the health care data privacy and security space in 2023 and look ahead to what will continue to be a busy 2024, we are seeing the early stages of federal agency movement to align the regulatory environment with modern health care delivery, cutting-edge technologies, and innovative data-sharing techniques.
Some of this work has taken the form of federal agency guidance, on which health care organizations will be looking for further updates, and there are also a handful of pending U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) proposals that call for substantial changes to the HIPAA Privacy Rule.
From these Privacy Rule proposals to Federal Trade Commission (FTC) privacy enforcement trends to privacy considerations related to the use of artificial intelligence (AI) tools in health care, we have outlined below the critical topics in health care data privacy and security to watch in 2024.
The patient and provider communities are eagerly awaiting the finalization of several significant proposed changes to the Privacy Rule that are currently pending at OCR.
For more than five years, OCR has been working on changes to the Privacy Rule that would address regulatory barriers that impede effective delivery of coordinated, value-based care. In 2018, HHS sought public input through a Request for Information on how HHS could modify the Privacy Rule to support coordinated care, case management, and value-based care while protecting the privacy and security of an individual’s Protected Health Information (PHI). That public input led to a Notice of Proposed Rulemaking (NPRM) on January 21, 2021, that includes, among other proposals, changes relating to an individual’s right to access their record and to more easily direct the sharing of their e-PHI among covered health care providers and health plans. It also would shorten the time that providers have to respond to a request from an individual for their PHI. Specifically, in furtherance of care coordination, the NPRM would create an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. Other changes are aimed at reducing the administrative burden on providers, such as the elimination of the requirement to obtain an individual’s written acknowledgment of receipt of a provider’s Notice of Privacy Practices. Although this NPRM is three years old, the other proposed rules discussed below are likely to get higher priority from HHS.
Health care providers who treat patients for substance use disorder (SUD) have had to navigate two complex and divergent sets of federal regulations designed to protect the confidentiality of SUD treatment records. SUD providers are subject to both the federal Confidentiality of Substance Use Disorder Patient Records regulations, commonly known as “Part 2 Regulations”, and the HIPAA Privacy Rule.
Concerned about the impact that two different statutory and regulatory schemes would have on providers and on patients seeking treatment for SUD, Congress included in the CARES Act, passed in 2020, a provision that requires the Secretary of HHS to align certain aspects of the Part 2 Regulations with the HIPAA Privacy Rule. As directed, at the end of 2022, OCR, in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), issued an NPRM to substantially revise the Confidentiality of Substance Use Disorder Patient Records regulations.
One of the most significant changes that helps to align Part 2 and the HIPAA Privacy Rule is the ability of providers to use and disclose records relating to SUD treatment based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations. Recognizing the heightened sensitivity of SUD records, the NPRM expands prohibitions on the use and disclosure of SUD treatment records in civil, criminal, administrative, or legislative proceedings conducted by a federal, state, or local authority against a patient, absent a court order or the consent of the patient. The NPRM also would give patients the right to an accounting and request restrictions on certain disclosures to align with individual rights under the HIPAA Privacy Rule.
Given the importance of treatment for patients with SUD, finalizing this NPRM should be at the top of the list for HHS.
Reproductive Health Care
The Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization spurred actions by the Biden Administration focused on ensuring access to reproductive health care generally as well as strengthening the privacy protections for reproductive health information under HIPAA. On April 12, 2023, OCR issued an NPRM aimed at preventing providers and their business associates from using and disclosing PHI where the PHI would be used for criminal, civil, or administrative investigations or proceedings against any person who is seeking, obtaining, providing, or facilitating reproductive health care that is otherwise lawful. In explaining its rationale for the NPRM, OCR noted the expanded state interest after Dobbs in using highly sensitive reproductive health care information for criminal or civil investigations or proceedings targeting patients. OCR also noted the chilling effect that the potential for law enforcement use of this information could have on physician-patient communications and the physician-patient trust necessary for quality care. The NPRM broadly defines “reproductive health care” as “care, services, or supplies related to the reproductive health of the individual,” including contraception, pregnancy-related health care, fertility or infertility-related health care, and other types of care, services, or supplies used for the diagnosis and treatment of conditions related to the reproductive system.
The current Privacy Rule allows for use and disclosure of PHI for health oversight activities, law enforcement, and judicial and administrative proceedings. Under the Proposed Rule, before a covered entity or business associate responds to a request for reproductive health information for health oversight activities, law enforcement, and judicial and administrative proceedings, it must obtain a signed written attestation that the use or disclosure is not for a prohibited purpose.
Given the Biden Administration’s multi-prong approach to ensuring access to reproductive health services, although this NPRM is the most recent, we think it has the best chance for finalization in 2024.
As we’ve covered previously, in December 2022, OCR posted a bulletin addressing the use of online third-party tracking technologies (Tracking Technologies) by HIPAA-regulated entities. The bulletin was followed up in July of 2023 by a joint statement by OCR and FTC warning health care providers and app developers about the “serious privacy and security risks related to the use” of Tracking Technologies. The updated guidance, which may have been issued in response to privacy concerns following the Supreme Court’s overturning of Roe v. Wade, included a significant expansion in OCR’s interpretation of the definition of PHI. Specifically, in certain circumstances, OCR interpreted the act of an individual visiting a website as evidence of a relationship or anticipated future relationship between the individual and the entity, making information related to that website visit PHI subject to HIPAA.
In November 2023, the American Hospital Association (AHA) and others brought a lawsuit challenging OCR’s guidance and outlining the many reasons hospitals use Tracking Technologies and arguing that the December 2022 bulletin improperly restricts providers’ use of the technologies, even when the only information being captured is the IP address of the individual visiting the providers’ website. According to AHA’s website, on January 12, 2023, seventeen state hospital associations and 30 hospitals and health systems filed amicus briefs in support of the AHA, saying that the guidance threatens crucial tools that hospitals use to disseminate reliable health information to the public.
Although the Tracking Technologies guidance is being challenged, there have already been a number of government settlements and class action lawsuits related to the use of the technologies. Google and Meta, two of the largest providers of the Tracking Technologies, have also faced legal action related to their collection and use of health information. The guidance has also presented significant challenges to entities across the health care industry who have depended on the analytics derived from the Tracking Technologies to make key business decisions. In 2024, we can almost certainly expect to see additional enforcement and legal challenges related to the use of Tracking Technologies in the industry.
In May 2023, the FTC proposed changes to its Personal Health Records Breach Rule (PHR Breach Rule) to be consistent with its 2021 guidance broadly interpreting the rule’s applicability to many “health apps” and other similar technologies.
These proposed regulatory changes followed the FTC’s first-ever enforcement of the PHR Breach Rule, in February 2023, against GoodRx Holdings, Inc. (GoodRx), related to its use of tracking technologies and its alleged failure to notify consumers of its unauthorized disclosures of individually identifiable health information (IHI). According to the FTC, GoodRx also violated Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” by misrepresenting its privacy practices (including HIPAA compliance) and sharing IHI with third-party advertisers without proper consumer notice or authorization. For more information about the GoodRx settlement, see our previous post.
Throughout 2023, the FTC took enforcement actions against a variety of companies in connection with the privacy of IHI. In multiple cases, the FTC alleged that companies deceptively shared IHI for advertising and other purposes (e.g. by using Tracking Technologies), failed to notify consumers of the unauthorized disclosure of their IHI, and otherwise failed to follow their own privacy policies in connection with the use and disclosure of IHI. Among other things, settling these cases with the FTC involved the payment of millions of dollars in penalties and other settlement costs, and also required recipients to delete inappropriately shared data.
Looking forward to 2024, the FTC has made it clear that health privacy is a top priority. According to FTC’s business blog posts this year, biometric, genetic, reproductive, and other forms of highly sensitive IHI are of particular concern to the agency. The new year is likely to bring increased PHR Breach Rule enforcement, continued Tracking Technology related enforcement, and increased scrutiny of website privacy policies for transparency and accuracy, particularly when it comes to IHI privacy practices and applicable legal protections. We anticipate this scrutiny will increase in areas where the FTC believes consumers are particularly vulnerable, for example when practices are unlikely to align with consumer expectations (e.g. certain uses of Tracking Technologies) or when the health information is particularly sensitive in some way (e.g. reproductive health information).
Through enforcement activities and release of guidance documents, HHS and OCR have indicated that cybersecurity hygiene is an enforcement priority in 2024 and moving forward. Recent cybersecurity enforcement actions included OCR’s first-ever phishing cybersecurity attack investigation and settlement, resolving a data breach in which a hacker gained access to a Lafourche Medical Group email account on March 30, 2021, exposing PHI of approximately 35,000 patients. Phishing generally involves the use of impersonation or deception to elicit sensitive information, often via email. OCR found that the Covered Entity never conducted a Security Rule risk assessment, nor did it implement procedures to regularly review information system records prior to the incident, resulting in the settlement with OCR for $480,000.
With respect to guidance, OCR released a Cybersecurity Newsletter in October 2023 covering best practices for HIPAA sanction policies, which are relevant for organizations reviewing their policies and procedures for workforce members handling external cybersecurity threats in 2024. OCR had also previously released a Cybersecurity Newsletter delineating how to defend against common forms of cyber-attacks. In that newsletter, OCR provided best-practice recommendations categorized by type of cyber-attack, including phishing attacks (for example, training employees to recognize phishing attempts) and network hacks. OCR also recommended upgrading or replacing obsolete, unsupported applications and devices where possible.
Additionally, in December 2023, HHS released its strategy for addressing cybersecurity resiliency in a concept paper. As we detailed in a prior post, the concept paper discusses HHS’s action plan to enhance resiliency against cyber-attacks by establishing sector-specific Cybersecurity Performance Goals (CPGs). We will be watching for additional guidance from HHS as well as possible regulatory updates, including the possible addition of new cybersecurity requirements in the HIPAA Security Rule in 2024.
As of January 2024, OCR has settled 46 enforcement actions relating to individuals’ right to access their own PHI under HIPAA. If this relentless enforcement of the right to access PHI wasn’t enough incentive for health care providers to ensure the timely sharing of PHI, the HHS Office of the National Coordinator for Health Information Technology (ONC) published a proposed information blocking rule directed at providers (the Proposed Rule) with “disincentives” intended to deter providers from engaging in information blocking.
The Proposed Rule would implement one of the various information blocking provisions of the 21st Century Cures Act (Cures Act) and in addition to “disincentives,” it includes provisions for making information blocking enforcement information public through an ONC website, much like OCR’s publication of reportable HIPAA breaches on OCR’s “wall of shame.”
The “disincentives” under the Proposed Rule are financial. For example, the HHS Office of the Inspector General (OIG) would refer hospitals, clinicians, and critical access hospitals that OIG identified as information blockers to CMS. CMS would then treat these providers as having failed to meet the requirements necessary to be meaningful users of Certified Electronic Health Record Technology (CEHRT), leading to reduced Medicare payments. CMS could also bar Accountable Care Organizations (ACOs) or ACO-participating provider information blockers from participating in the Medicare Shared Savings Program for at least one year.
Under the Proposed Rule, ONC would publish on its website information about information blocking providers, including names, a description of the information blocking practice and the financial disincentives applied.
Prior to the Proposed Rule, the federal government made very clear its intent to encourage the timely availability of PHI through its HIPAA right of access enforcement activity. With the potential for additional enforcement, financial penalties and public shaming under the Proposed Rule, it will be interesting to see if providers are now sufficiently incentivized to share PHI when required under the law in a timely way.
As a result of the significant and consistently increasing volume of data required to train and use predictive and generative AI-enabled technologies, data privacy and security considerations are high priorities when evaluating the use of AI in health care in 2024 and moving forward. HHS and other federal agencies had a laundry list of “to-dos” to jump-start the development of a regulatory regime in connection with the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI EO).
The AI EO covered data privacy in the use and development of AI by making certain industry-agnostic directives that would help to mitigate privacy risks potentially aggravated by AI. Among other privacy-related directives, the National Institute of Standards and Technology (NIST) was directed to create guidelines for federal agencies to better use privacy-enhancing technologies (PETs) and evaluate the utility of differential-privacy-guarantee protections, including for AI. In December 2023, NIST released draft Guidelines for Evaluating Differential Privacy Guarantees, SP 800-226 (the Guidelines) as a first step toward meeting these privacy-related obligations. The goal of the Guidelines, according to NIST, was to inform the agencies and the public at large about the concept of “differential privacy”.
NIST defines differential privacy as a PET that quantifies privacy risk to individuals when their data appears in a dataset, with the idea being that outcomes of data analyses or published datasets will be about the same regardless of whether individuals contribute their data. PETs are defined by NIST as “any software or hardware solution, technical process, technique, or other technological means of mitigating privacy risks arising from data processing, including by enhancing predictability, manageability, disassociability, storage, security, and confidentiality.”
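As an added illustration, not taken from the original post or from NIST SP 800-226, the following Python sketch shows the property described above for a simple count query using the Laplace mechanism: when one patient's record is added or removed, the distribution of the published answer changes by at most a factor of e^epsilon. The dataset, the epsilon value, and all function names are constructed for this example.

```python
import math
import random

# Constructed toy dataset (hypothetical values): (patient_id, flagged_for_sud_treatment)
RECORDS = [("p1", True), ("p2", False), ("p3", True), ("p4", True), ("p5", False)]


def count_query(records):
    """Number of flagged records: the statistic a researcher wants to publish."""
    return sum(1 for _, flagged in records if flagged)


def count_sensitivity(records):
    """Largest change in the count when any single individual's record is removed.
    For a count this is at most 1; computing it makes 'neighbouring datasets' concrete."""
    base = count_query(records)
    return max(abs(base - count_query(records[:i] + records[i + 1:]))
               for i in range(len(records)))


def laplace_density(x, center, scale):
    """Probability density of the Laplace distribution centred at `center`."""
    return math.exp(-abs(x - center) / scale) / (2.0 * scale)


def max_privacy_loss(value_a, value_b, scale, grid):
    """Worst-case |log ratio| of output densities for two neighbouring true answers.
    Differential privacy requires this to be at most epsilon for every possible output."""
    return max(abs(math.log(laplace_density(x, value_a, scale))
                   - math.log(laplace_density(x, value_b, scale)))
               for x in grid)


def noisy_count(records, epsilon, seed=None):
    """Laplace mechanism: true count plus noise with scale = sensitivity / epsilon."""
    scale = count_sensitivity(records) / epsilon
    rng = random.Random(seed)
    u = rng.random() - 0.5                                   # uniform on [-0.5, 0.5)
    inner = max(1.0 - 2.0 * abs(u), 1e-300)                   # guard log(0) at the endpoint
    noise = -scale * math.copysign(1.0, u) * math.log(inner)  # inverse-CDF Laplace sample
    return count_query(records) + noise


if __name__ == "__main__":
    epsilon = 0.5
    true = count_query(RECORDS)
    neighbour = count_query(RECORDS[1:])                      # same data with one patient removed
    grid = [x / 10.0 for x in range(-100, 150)]               # candidate published outputs
    print("true count:", true, "neighbour count:", neighbour)
    print("max privacy loss:", round(max_privacy_loss(true, neighbour, 1.0 / epsilon, grid), 6),
          "<= epsilon", epsilon)
    print("published noisy count:", round(noisy_count(RECORDS, epsilon, seed=7), 3))
```

Smaller epsilon means more noise and a tighter bound on how much any one patient's presence can shift the published answer; the bound holds for every output, not just on average.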
Specific to AI, the Guidelines discuss the possible privacy risks in connection with machine learning since neural networks are “particularly susceptible to memorizing training data” and address best practices when using synthetic data to satisfy differential privacy. As HHS contemplates modernization of HIPAA cybersecurity requirements, it will be interesting to see in 2024 and beyond to what extent HHS incorporates elements of the Guidelines (if any) when making additional future updates to the HIPAA Privacy Rule. The FTC, which as noted above has prioritized privacy enforcement, has also made it clear that it has an interest in regulating privacy in connection with AI, as it recently announced it will be monitoring developers of certain AI tools for privacy and security compliance.
The AI EO and the Guidelines are reflective of regulations in many sectors, including health care, catching up with modern technologies, such as AI and large language models (LLMs) that require input of massive datasets. For example, HIPAA allows for de-identification of PHI in certain circumstances. That de-identified data (if not otherwise contractually restricted between the responsible parties) would not currently be restricted from being used for the development and training of AI tools. However, especially given the high volume of readily available data across public domains, this use of de-identified data for AI purposes still presents the possibility that the data can ultimately be re-identified and data privacy compromised.
In practice, based on the need to balance data-sharing needs with the complex nature of differential privacy, agencies and regulated health care entities will likely need some time to begin testing and adopting the concepts addressed in the Guidelines. Comments to the Guidelines were due by January 25, 2024, and will inform a final version to be published later in 2024.
Though it remains to be seen what changes regulated health entities will be required to make in 2024, these organizations can get a head start on implementing any new compliance obligations by reviewing their current privacy and security policies and procedures and conducting data mapping exercises early in the year. We will be monitoring for finalization of pending proposed rules or additional guidance from federal agencies on these important topics.
© 2024 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.