Hot HIPAA Topics and the Future of Health Care Privacy

Kirk J. Nahra, Wiley Rein LLP, Washington, D.C. 202.719.7335 [email protected] @kirkjnahrawork (Oct. 22, 2014)

Uploaded by privacy-analytics on 07-Jul-2015 (39 slides)

DESCRIPTION

Kirk Nahra's presentation on HIPAA updates and predictions for the future for de-identification and big data.

TRANSCRIPT

Page 1: Hot HIPAA Topics and the Future of Health Care Privacy

Hot HIPAA Topics and the Future of Health Care Privacy

Kirk J. Nahra
Wiley Rein LLP
Washington, D.C. 202.719.7335
[email protected]
@kirkjnahrawork

(Oct. 22, 2014)

Page 2: Hot HIPAA Topics and the Future of Health Care Privacy

My Presentation Today

• We are now a full year into the (mostly finished) HIPAA/HITECH Era 

• We’ll discuss a few of the key "holdover" issues from the HIPAA/HITECH rules and some hot topics, including some de-identification issues

• Then focus on the big development – the debate about “non-HIPAA” healthcare data and what it means for the future of health care privacy (and perhaps overall privacy) 


Page 3: Hot HIPAA Topics and the Future of Health Care Privacy

Key Remaining HIPAA Challenges

Breaches Generally

• Way too many breaches continue to happen

• Make sure you are reviewing your overall security practices

• Immediate issues about fixing the problem – enormously important

•Pay close attention to problems faced by others – through enforcement, media reports and otherwise.


Page 4: Hot HIPAA Topics and the Future of Health Care Privacy

Security Practices

Expect:

1. Significant pressure to implement “tougher” security standards

2. Real pressure for broader encryption

3. Enforcement and adverse notice publicity to put real pressure on better practices

• Both CEs and BAs have exposure in this area.

• Consider whether “cyber-insurance” is right for your company


Page 5: Hot HIPAA Topics and the Future of Health Care Privacy

Key Remaining HIPAA Challenges

Enforcement

• No noticeable increase to date

• Investigations are more thorough and more burdensome

• Increasing pressure to do more on both audits and investigations

•Access to records remains a (surprising) focus and problem


Page 6: Hot HIPAA Topics and the Future of Health Care Privacy

Key Remaining HIPAA Challenges

Business Associate Enforcement Issues

• No real enforcement involving business associates yet

• A real challenge for OCR – how to treat companies who deal with much more than health care

• Watch this carefully


Page 7: Hot HIPAA Topics and the Future of Health Care Privacy

What To Watch For On Enforcement

• The new audit program

• Change in leadership at OCR

• How OCR handles business associates

• Their approach has been consistent so far – watch for key changes

• Will the FTC put pressure on OCR to do more?


Page 8: Hot HIPAA Topics and the Future of Health Care Privacy

De-Identification Issues

• Lots of discussion and debate about the de-identification standards

• Some guidance has been issued, with more likely to come

• Lots of publicity about “re-identification” concerns, but no situation where HIPAA de-identified data has been re-identified


Page 9: Hot HIPAA Topics and the Future of Health Care Privacy

De-Identification Issues

• HIPAA standard remains the “gold standard” in terms of detail and effectiveness

• Certain media reports and other “studies” have re-identified health care data – but not data that has been de-identified using a HIPAA standard
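The slides discuss the HIPAA de-identification standard only at the policy level. As an added example that is not part of the presentation, the Python below applies the mechanical rules of the Safe Harbor method (45 CFR 164.514(b)(2)) to a constructed record: it drops the listed identifier fields, keeps only the year of dates tied to the individual, truncates ZIP codes to three digits (000 for low-population prefixes), aggregates ages over 89 into "90 or older", and scrubs obvious identifier patterns out of free text. The field names, sample records and regular expressions are this example's own assumptions; the restricted ZIP prefix set is the one HHS published from 2000 Census data and should be re-verified against current data before use.

```python
"""HIPAA Safe Harbor de-identification of a structured patient record.

Added example, not part of the slides. Implements the mechanical rules of
45 CFR 164.514(b)(2). Field names and sample data are assumptions.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Structured fields falling into Safe Harbor identifier categories; removed
# outright. The field names are this example's assumption.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP prefixes with 20,000 or fewer people in the 2000 Census, as
# listed in HHS guidance. Assumption: re-verify against current census data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Dates directly related to the individual: only the year may survive.
EVENT_DATES = {"admission_date", "discharge_date", "death_date"}

# Identifier patterns that leak through free text (e.g. clinical notes).
# Constructed for the example; a real scrubber needs a much wider set.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

AS_OF = date(2014, 10, 22)  # reference date for age computation (talk date)


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for a low-population prefix."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return "000"  # malformed input: suppress rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scrub_text(text: str) -> str:
    """Replace identifier patterns embedded in free text."""
    for pattern in TEXT_PATTERNS.values():
        text = pattern.sub("[REDACTED]", text)
    return text


def residual_identifiers(record: dict[str, Any]) -> list[tuple[str, str]]:
    """Audit step: (field, pattern) pairs that still match after cleaning."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            hits += [(field, n) for n, p in TEXT_PATTERNS.items() if p.search(value)]
    return hits


def safe_harbor(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Return a new record with Safe Harbor identifiers removed or generalized."""
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif field == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"  # even the birth year would reveal age > 89
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif field in EVENT_DATES:
            out[field.replace("_date", "_year")] = value.year
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


# Constructed sample records; not real patients.
SAMPLE_RECORDS = [
    {"name": "Jane Q. Sample", "ssn": "123-45-6789", "zip": "03601",
     "dob": date(1923, 5, 4), "admission_date": date(2014, 10, 1),
     "diagnosis_code": "E11.9",
     "note": "Daughter can be reached at 202-555-0142 for discharge planning."},
    {"name": "John Sample", "mrn": "MRN-0042", "zip": "20001-1234",
     "dob": date(1980, 12, 1), "discharge_date": date(2014, 10, 3),
     "diagnosis_code": "I10", "note": "Follow up in two weeks."},
]


def deidentify_samples() -> list[dict[str, Any]]:
    """Run Safe Harbor over the constructed records with AS_OF as reference."""
    return [safe_harbor(r, AS_OF) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for clean in deidentify_samples():
        print(clean, residual_identifiers(clean))
```

Two things the code cannot do: Safe Harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual, and regular-expression scrubbing of free text only catches the patterns it was given, which is why `residual_identifiers` is an audit step rather than a guarantee. The other route under the rule, Expert Determination, is a statistical judgment rather than a checklist and is not shown.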


Page 10: Hot HIPAA Topics and the Future of Health Care Privacy

De-Identification Issues

• Security controls as an adjunct to de-identification (but not a replacement)

• Always consider how best to protect data, even where de-identification steps have been taken

• Effective security can supplement de-identification or make a difference at the margins


Page 11: Hot HIPAA Topics and the Future of Health Care Privacy

De-Identification Issues

• Business associate issues – BA contracts now must be explicit

• Covered entities should evaluate whether they want their business associates to be able to de-id and under what limitations (if any)

• For BAs, you must think about whether this matters to you and how you want to address it with clients


Page 12: Hot HIPAA Topics and the Future of Health Care Privacy

De-Identification Issues

• Allocation of liability in a data chain – think carefully about this

• No clear answers – will depend on who did what and what ultimately happens to data

• If there is a security breach, “breaching” party must act quickly

• Think about whether you want to try to address in contracts – but this complicates things.


Page 13: Hot HIPAA Topics and the Future of Health Care Privacy

Next Generation - HIPAA Today

You should pay attention to HIPAA if:

• You are in the health care business

• You contract with companies in the health care business

• You contract with companies who contract with companies in the health care business (and onwards)

• You provide health care benefits to your employees

• You use health care information


Page 14: Hot HIPAA Topics and the Future of Health Care Privacy

The biggest “next generation” issue

• HOWEVER - HIPAA has always been a limited scope privacy/security rule

• It applies to healthcare information only where a covered entity is involved.

• Accordingly, there always have been gaps where various entities collect or maintain health care data but are not covered by the HIPAA rules.


Page 15: Hot HIPAA Topics and the Future of Health Care Privacy

The biggest “next generation” issue

• What is “outside” of HIPAA is growing

• Web sites gather and distribute healthcare information without the involvement of a covered entity.

• These range from commercial web sites (e.g., WebMD) to patient support groups to the growth of personal health records.


Page 16: Hot HIPAA Topics and the Future of Health Care Privacy

The biggest “next generation” issue

• We also have seen a significant expansion of mobile applications directed to healthcare data or offered in connection with health information

• Recent announcements from Apple and Google have expanded this large and growing area.


Page 17: Hot HIPAA Topics and the Future of Health Care Privacy

The Reaction

• It is clear that there is significant concern, from the Federal Trade Commission, privacy advocates and others, about how this “non-HIPAA” health data is regulated.

• FTC Commissioner Julie Brill in a recent speech - “Big picture, consumer generated health information is proliferating, not just on the web but also through connected devices and the internet of things.”


Page 18: Hot HIPAA Topics and the Future of Health Care Privacy

Big Data Implications

• Much of the “Big Data” discussion is outside of the context of health care, BUT

• there is a wide variety of health care information (both HIPAA regulated and not) that is being scrutinized in the context of Big Data

• and there is a growing range of “Big Data” activities being conducted by healthcare entities, again both in and out of HIPAA.


Page 19: Hot HIPAA Topics and the Future of Health Care Privacy

De-identification issues

• Growth in “non-HIPAA” health care data presents significant complications for de-identification standards

• Growing ability to gather and analyze data from broader variety of sources

• Ongoing challenges to ensure appropriate de-identification with differing data standards


Page 20: Hot HIPAA Topics and the Future of Health Care Privacy

White House Big Data Report

• A significant finding of this report is that big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace.

• The privacy frameworks that currently cover information now used in healthcare may not be well suited to address these developments or facilitate the research that drives them.


Page 21: Hot HIPAA Topics and the Future of Health Care Privacy

White House Big Data Report

• This may potentially involve crafting additional protections beyond those afforded in HIPAA and Genetic Information Non-Discrimination Act as well as streamlining data interoperability and compliance requirements.

• Modernizing the health care data privacy framework will require careful negotiation between the many parties involved in delivering health care and insurance to Americans, but the potential economic and health benefits make it well worth the effort.


Page 22: Hot HIPAA Topics and the Future of Health Care Privacy

The biggest “next generation” issue

• An emerging (and related) issue - bringing “outside” HIPAA information “inside” HIPAA

• CEs are gathering all kinds of data about their patients/customers/insureds from outside the health care system and using it for “health care purposes”


Page 23: Hot HIPAA Topics and the Future of Health Care Privacy

Recent Headlines

• “Your Doctor Knows You’re Killing Yourself. The Data Brokers Told Her.” (Bloomberg)

• “You may soon get a call from your doctor if you’ve let your gym membership lapse, made a habit of picking up candy bars at the check-out counter or begin shopping at plus-sized stores.”


Page 24: Hot HIPAA Topics and the Future of Health Care Privacy

Recent Headlines

• “When a Health Plan Knows How You Shop.” (New York Times)

• Health plan prediction models using consumer data from data brokers (e.g., income, marital status, number of cars), to predict emergency room use and urgent care.


Page 25: Hot HIPAA Topics and the Future of Health Care Privacy

The Key Issue

• Through the White House Big Data report, the FTC’s Data Broker report and otherwise, substantial concerns have been raised about how this data is being used, in contexts that raise questions about how health care services are provided and appropriate rights and protections for individuals in connection with their healthcare and their privacy.


Page 26: Hot HIPAA Topics and the Future of Health Care Privacy

The biggest “next generation” issue

• Coupled with ongoing debates about “big data,” both in and out of health care, these issues may lead to a complete restructuring of the healthcare privacy and security world.

• Could be the driver on national privacy legislation


Page 27: Hot HIPAA Topics and the Future of Health Care Privacy

What has Happened so Far?

• The FTC is part of the front lines on this

• Ongoing hearings and evaluation about this “non-HIPAA” health care data

• Some current role because of the HITECH breach notification rule for personal health records

• FTC has limited leeway to enforce “privacy” standards


Page 28: Hot HIPAA Topics and the Future of Health Care Privacy

The FTC and Health Care

• The LabMD case

• FTC used its general security enforcement approach to go after what seems to be a HIPAA covered entity

• FTC role in general is under challenge (Wyndham and LabMD)

• What are they doing with LabMD?


Page 29: Hot HIPAA Topics and the Future of Health Care Privacy

The FTC and Health Care

• FTC is already looking at mobile applications, with a significant focus on healthcare

• Very concerned, looking at aggressive action

• Health care is clearly a part of this review

• Mobile applications can be “in” and “out” of HIPAA – watch this carefully.

• FTC concern about de-identification issues – but so far outside of HIPAA standards


Page 30: Hot HIPAA Topics and the Future of Health Care Privacy

Patient Interests

• The complexity of the regulatory structure (where protections depend on the source of the data rather than the “kind” of data), together with the difficulty, often the impossibility, of determining where data came from, has led to increased calls for broader but simplified regulation of healthcare data overall.

• This likely will call into question the lines that were drawn by the HIPAA statute, and easily could lead to a re-evaluation of the overall HIPAA framework.


Page 31: Hot HIPAA Topics and the Future of Health Care Privacy

What’s Next?

• The debate about “non-HIPAA” healthcare data is not going away

• There is too much data being used by too many people in too many risky contexts

• Therefore . . .


Page 32: Hot HIPAA Topics and the Future of Health Care Privacy

What’s Next

• FTC will push for legislation and/or issue some kind of guidance with potential for enforcement (as they have done with data security)

• Will these standards be “like HIPAA” or something else (including for de-identification)?

• What will this mean for “non-HIPAA” entities?


Page 33: Hot HIPAA Topics and the Future of Health Care Privacy

What’s Next

• Then, what will this mean for HIPAA entities?

• Will the rules simply be transferred over? Will they be changed for “non-HIPAA” data?

• If so, will that lead to a push to make the rules the same across all health care data?


Page 34: Hot HIPAA Topics and the Future of Health Care Privacy

New Legislation

• The Cyber debate AND the Target breach are leading to new (and revived) proposals about data security and data breach notification

• Combination of Target breach and possible negative impact on FTC enforcement increases likelihood of new federal legislation


Page 35: Hot HIPAA Topics and the Future of Health Care Privacy

Tentative Predictions

• This HIPAA/non-HIPAA issue is not going away

• Lots of pressure from many fronts to “do something” about this non-HIPAA health care data

• There will quickly be debate and proposals about regulating this non-HIPAA data


Page 36: Hot HIPAA Topics and the Future of Health Care Privacy

Tentative Predictions

• First issue will be whether to regulate “like HIPAA” or do something else

• This will be an extended and contentious debate

• We are a long way from an agreement/consensus on any of these principles – other than the growing consensus that there is a need for something.


Page 37: Hot HIPAA Topics and the Future of Health Care Privacy

Tentative Predictions

3 Main Options:

• Something specific for this non-HIPAA health care data

• Something that covers all health care data (a “general” HIPAA)

• A broader overall privacy law (with or without a HIPAA carve-out)


Page 38: Hot HIPAA Topics and the Future of Health Care Privacy

Suggestions

• Understand where your company fits into this debate

• Think about your views on how this should evolve

• Think about the business implications of the various choices

• Think about your role (if any) in the debate


Page 39: Hot HIPAA Topics and the Future of Health Care Privacy

Questions?

For further information, contact:

Kirk J. Nahra

Wiley Rein LLP

202.719.7335

[email protected]

@kirkjnahrawork

Subscribe (for free) to Privacy in Focus - http://www.wileyrein.com/publications.cfm?sp=newsletters
