HHS Announces Last-Minute Changes to Compliance Deadlines

The US Department of Health and Human Services’ (“HHS”) Office of National Coordinator for Health IT (“ONC”) recently extended a few key compliance deadlines relevant to developers of certified health IT products, healthcare providers, and health information networks and exchanges (HIEs/HINs). Specifically, ONC pushed back certain requirements related to certification of certified health IT products and Information Blocking found in the ONC Cures Act Final Rule (ONC Rule), a rule that promotes seamless and secure access, exchange, and use of electronic health information through standardized health IT requirements. HHS stressed that it has extended these compliance deadlines to provide the healthcare industry additional time to implement the ONC Rule as the healthcare industry continues to grapple with the myriad challenges presented by COVID-19.

Developers of certified health IT are required to certify their products under the ONC Health IT Certification Program (“Program”). The Program now incorporates numerous new administrative and technical requirements outlined in the ONC Rule. The updated compliance deadlines give developers of certified health IT more time to update their currently certified products or build new products to comply with the new certification requirements, as well as more time to test those products. These developers also have additional time to attest under the Program that their products are compliant with specific conditions (known in the industry as the Conditions and Maintenance of Certification (“CoC”)) that were updated by the ONC Rule.

Additionally, under the updated deadlines, developers of certified health IT, as well as healthcare providers and HIEs/HINs, have more time to comply with the new Information Blocking obligations required under the ONC Rule. Information Blocking is defined as any practice that is likely to “interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” There are eight narrow exceptions to these practices that allow an entity to engage in this type of behavior, most notably where the practice is intended to prevent harm, safeguard the security of electronic health information, or safeguard the privacy of the individual’s electronic health information.

The following is a summary of some key deadlines: 

| Requirement | Deadline |
| --- | --- |
| Developers of certified health IT, healthcare providers, and HIEs/HINs cannot engage in Information Blocking. | April 5, 2021 |
| Developers of certified health IT must attest that they comply with the CoC that were updated by the ONC Rule. | May 1, 2022 |
| All products certified under the Program must align with the ONC Rule’s new technical certification requirements. | December 31, 2022 (except with respect to a requirement related to electronic health information exports, which is not required until December 31, 2023) |
| Developers of certified health IT must successfully test their certified health IT under real world conditions. | Initial Plan for testing due December 14, 2021; Initial Results of testing due March 15, 2023 |

For more information regarding the specific deadline updates, please see HHS’s official press release regarding the changes.

We anticipate that the updated compliance deadlines will be a welcome change given the many technical and compliance challenges presented by the ONC Rule. With this extra breathing room, now is the ideal time for companies to evaluate their compliance posture with respect to the ONC Rule and begin to develop strategies for adopting and implementing the new requirements under the ONC Rule, as implementation will require consultation with technical and legal teams. Beckage attorneys will continue to follow the evolving regulatory compliance guidance on deadlines and substantive requirements to assist clients in the health IT and healthcare industry as they navigate these and other new regulatory requirements. Beckage attorneys are uniquely experienced to help health organizations and tech companies of all sizes to navigate the complicated maze of legal and practical considerations raised by these and other health law regulations. Please do not hesitate to reach out if you are interested in discussing the ONC Rule’s potential impact on your business.

*Attorney Advertising. Prior results do not guarantee future outcomes. 

Mobile App Developers Take Notice Of New Apple Privacy Requirements

Companies that have, or are in the process of developing, mobile applications that are connected to the Apple Store should be aware of recent privacy updates and should take steps to prepare their business for these new privacy requirements in 2021.

Apple’s Announcement

Beginning on December 8, 2020, Apple will impose specific requirements for the disclosure of privacy practices for all applications on the product page in the Apple Store.  This change will help users understand an app’s privacy practices before they download the app on any Apple platform.  The App Store product page will now feature a new privacy information section to help users understand an app’s privacy practices, such as data collection practices, the types of data collection, the data linked to the user, user tracking, and privacy links.  More details about Apple’s announcement can be found at the privacy details page and additional guidance on how to provide app privacy information can be found in Apple’s App Store Connect.

In addition to providing information about some of your app’s data collection practices on your product page, on iOS 14, iPadOS 14, and tvOS 14, apps will be required to receive user permission (opt-in consent) to track users across apps or websites owned by other companies or to access the device’s advertising identifier. This change allows users to choose whether they permit an app to track them or access their device’s advertising identifier.

Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes.  Tracking also refers to sharing user or device data with data brokers.  To provide developers time to make necessary changes, apps will be required to obtain permission to track users starting early next year.  Additional guidance can be found at the Apple developer’s blog page.

What To Do Now

Businesses should take steps to make sure their current practices are legally compliant and address Apple’s new guidelines.

Now is an ideal time to work with your tech legal counsel to review your privacy policy and the App Store guidelines as well as applicable laws to confirm that the statements made throughout your policy are true and accurate representations of your data collection and sharing practices. Apps will need to create standardized privacy disclosures for the App Store to meet format and content requirements, but these responses should be carefully reviewed so as not to conflict with any existing privacy statements. Your internal business practices and collection protocols may change from time to time, which is why Beckage recommends an annual review of your privacy policy and related practices.

Additionally, businesses should consult with their tech legal counsel to review and update consent language and disclosures for pop-ups and any related consent forms that are utilized. There may be specific regulatory or statutory requirements for obtaining consent through a mobile application that may need to be evaluated. For example, although there are not currently opt-in requirements under the CCPA, there are specific requirements for consent under the GDPR that may need to be met should the GDPR apply to your application.

Beckage lawyers have worked with numerous mobile app developers on privacy matters.   The Beckage team of lawyers is made up of technologists and certified privacy professionals who can help develop and review new and existing privacy policies to ensure compliance with Apple’s new privacy requirements. To reach a Beckage attorney, call 716.898.2102.

*Attorney Advertising. Prior results do not guarantee future outcomes.

California Passes Proposition 24 on Consumer Privacy

Businesses that have worked hard to implement California Consumer Privacy Act (CCPA) compliance initiatives will have a whole new set of privacy standards to comply with in the very near future.  California’s Proposition 24, also known as the California Privacy Rights Act (CPRA), has passed, expanding the state’s consumer privacy regulations. 

The CCPA, which passed only two years ago and whose final regulations were just released earlier this year, will remain in effect until the CPRA becomes effective on January 1, 2023. The CPRA expands the CCPA, adding new privacy rights aimed at strengthening consumer privacy.

Among the changes introduced by the CPRA is the creation of a new, five-member agency with regulatory authority for enforcement of both the CCPA and CPRA.  The California Privacy Protection Agency will take over enforcement authority from the California Attorney General and dramatically change the way privacy rights are handled.  The Agency will be empowered to issue guidelines and impose fines on businesses who fail to comply. The Agency is slated to take over on July 1, 2021.

What is new in the CPRA? 

The CPRA modifies the CCPA in some meaningful ways by introducing new privacy rights and obligations pertaining to certain categories of personal information.  The updates will likely have a significant impact on companies that do business in California.  

New provisions of the CPRA include:

  • Sensitive Personal Information. The CPRA introduces a newly defined category of personal information that includes things like social security number, driver’s license number, passport number, sexual orientation, biometric data, health and financial information, and precise geolocation.
  • Additional Consumer Rights.  In addition to the rights conferred upon consumers under the CCPA, under the CPRA consumers will have additional rights, including the right to:
    • correct personal information;
    • know the length of data retention;
    • opt-out of geolocation utilization;
    • limit businesses from collecting more data than necessary;
    • restrict usage of sensitive personal information;
    • know what personal information is sold or shared and to whom;
    • prevent retaliation for exercising privacy rights.
  • Sharing of Data.  Of note, the CPRA allows consumers to opt out of the sharing of their personal information (rather than sale) for “cross-context behavioral advertising.”  This change is intended to close a perceived loophole in the CCPA that some businesses have relied on to avoid compliance.  This means businesses who do not sell data but share for digital advertising purposes may have to comply.
  • Expanded Breach Liability.  The CPRA adds a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security.
  • Disclosure Obligations.  Businesses will be required to disclose the duration they will retain each category of personal information, the purpose for which they retain the personal information, and the volume collected.  Misrepresentations would constitute a statutory violation.
  • Increased Penalties for Children’s Personal Information.  The CPRA triples the maximum penalties for any violations concerning children’s personal information (under the age of 16).  The new penalties may go up to $7,500 per intentional violation.
  • Third Party Requirements.  Businesses that share personal information with third-party service providers are required under the CPRA to enter into contracts extending the CPRA privacy requirements to the third parties.
  • Covered Business.  The CPRA also slightly updates who is a covered business required to comply, increasing the threshold from buying, selling, or sharing personal information from 50,000 California consumers/households to 100,000.

Certain exemptions from the CCPA are retained in the CPRA, including exemptions for medical information or protected health information covered by HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act).  In addition, the CPRA extends the CCPA’s exemption for employee information and business to business data until January 1, 2023.

What impact will the CPRA have?

The CPRA becomes effective on January 1, 2023.  The CPRA will apply to personal information collected on or after January 1, 2022.  While many details still need to be clarified and defined through regulation, the impact of the CPRA will likely be significant as the concept of sharing is much broader in scope than selling.  The passage of another stringent privacy law in California may boost the likelihood of a comprehensive federal privacy law in the near term.

Beckage’s California Privacy Team continues to actively monitor the updates to the privacy landscape and the impacts the new data privacy law will have. The CPRA underscores the importance of operationalizing robust data security and privacy practices that can stand the test of time and adapt to the evolving consumer privacy landscape.  To learn more about the impact the CCPA and the CPRA may have on your business reach out to our team of attorneys.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Ransomware Activity Targeting the Healthcare and Public Health Sector

Beckage is notifying organizations in the healthcare sector of a potential threat that may occur this weekend. We will continue to monitor this situation and provide updates as they occur.

Late last night the Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about an imminent cybercrime threat to hospitals and healthcare providers. These organizations have credible information to suggest that there will be a widespread Ryuk ransomware attack this weekend. The threat is currently being investigated by the FBI, DHS and the NSA’s Cybersecurity Threat Operations Center.

What We Know

The cybercrime organization Ryuk is targeting the Healthcare and Public Health sector with Trickbot malware that may lead to ransomware attacks, data theft, and the disruption of healthcare services, a particularly concerning possibility considering the nation is still grappling with the COVID-19 pandemic.

Based on what we know about Ryuk, it is possible that the encryption malware has already been deployed on the targeted healthcare organizations’ systems and the threat actors just have not commanded it to activate. Given the threat, we urge all healthcare organizations to review the measures recommended by the FBI and consider some practical incident response measures.

What To Do Next

Beckage recommends that hospitals and healthcare providers implement several preventative steps to safeguard their organization, including the following measures: reviewing current incident response protocols and processes within the next 24 hours, carefully drafting internal and external messaging and FAQs with an experienced data breach attorney to help minimize legal risk, and making sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage is available to discuss additional best practices that should be taken over the next 24 to 72 hours. Our team will continue to monitor this for new developments and provide updates as appropriate. If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

*Attorney advertising. Past outcomes do not predict future results.

Online Accessibility Act Seeks to Clarify Accessibility Guidelines for Private Businesses’ Digital Presence

The Beckage Accessibility Team is closely following bipartisan legislation introduced into the U.S. House of Representatives on October 2, 2020. The Online Accessibility Act, sponsored by Congressmen Lou Correa (D-CA) and Ted Budd (R-NC), would add language to the existing Americans with Disabilities Act (ADA) and provide much-needed clarity on the legal requirements for consumer-facing websites and mobile applications to be considered accessible to individuals with disabilities, particularly blind and visually-impaired persons.

If passed, this legislation would have clear benefits for both disabled individuals and online businesses that operate consumer websites, defined as “any website that is purposefully made accessible to the public for commercial purposes.” The Online Accessibility Act would limit the number of predatory lawsuits filed against business owners while helping them improve accessibility for their disabled customers.

Beckage continues to monitor the state and federal dockets daily, and lawsuits continue to be filed at record speed. On average we see about eight new lawsuits a day. These website accessibility lawsuits are filed by plaintiffs alleging unequal access to services on companies’ digital platforms due to incompatibility with assistive technology, like screen-reading software. While the Department of Justice (DOJ) has consistently held that the ADA applies to websites and mobile apps, it has fallen short of clarifying the precise requirements, leaving businesses confused as to whether their digital platforms are compliant. As a result, a very high number of these cases are settled out of court to avoid gambling with high litigation costs in such uncertain legal terrain.

“This bill solves the problem by providing guidance to businesses on how to bring their websites into compliance. If our bill is passed, job-creators will be able to avoid costly lawsuits and be given a roadmap for how to help their disabled customers access online content,” said Rep Budd in a statement about the Act.

“We are optimistic that this bill will provide some much-needed clarity in the ADA legal landscape,” says Beckage Accessibility Team Leader, Kara Hilburger. “It is so important to have universal standards for accessibility to level the playing field and help businesses best serve their customers while avoiding lawsuits.”

This legislation is coming at a crucial time given the rapid increase in online shopping due to the COVID-19 pandemic, as consumers choose to avoid brick-and-mortar stores in favor of e-commerce options. However, the future of the Online Accessibility Act is still uncertain given its introduction during a particularly polarized election season and an unpredictable political landscape hanging in the balance.

“Beckage continues to advise clients to be proactive when it comes to website accessibility,” Hilburger confirmed.  “There are many low-cost, high impact steps companies can take immediately, such as publishing an Accessibility Statement, that can place them in a legally defensible position while they work to implement accessibility by-design into their new online products and offerings.”   

Beckage remains hopeful that the Online Accessibility Act will gain traction and provide much needed relief for the business community. Beckage works with businesses from all sectors and industries as they navigate the uncertain legal landscape surrounding website accessibility. Through collaborating with in-house technologists, outside developers, members of the disability community, and internal assistive technologies, Beckage attorneys work under privilege to conduct internal and remedial audits of client websites and mobile applications, evaluate platform compatibility, and oversee implementation of recommended remedial or accessibility-enhancement measures. Our team helps companies develop and implement sustainable accessibility programs that contemplate compliance with the WCAG guidelines while monitoring the development of website accessibility standards and best practices that can protect your business.

*Attorney Advertising. Prior results do not guarantee future outcomes.
