
Insights Into the COVID-19 Health Data Bill

This update concerns the COVID-19 Health Data Bill, recently introduced in the New York State Senate by State Senator Kevin Thomas (S8448A) and in the State Assembly by Assemblywoman Linda B. Rosenthal (AB 10583). The COVID-19 Bill could have significant implications for businesses that collect information as part of their federal and state COVID-19 compliance measures, including the NYS-Required Safety Plans.

The COVID-19 Bill applies to any company/person that collects, uses, or discloses “emergency health data,” which is defined to include data that is “linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device from other collected data” and that “concerns the public COVID-19 health emergency.”  

Emergency health data includes information that reveals past, present, or future physical or behavioral health or condition of, or provision of healthcare to, an individual including:

• data derived from testing or examination;

• whether or not an individual has contracted or been tested for, or an estimate of the likelihood that a particular individual may contract, such disease or disorder; or

• genetic data, biological samples, and biometrics.

Emergency health data also includes “other data collected in conjunction with other emergency health data that can be used to infer health status, health history, location or associations”. This includes: geolocation data, proximity data, demographic data, contact information, and other data collected from a personal device.  

The Bill requires businesses that collect, process, or use emergency health data in connection with the COVID-19 crisis to:

1. Obtain Affirmative Opt-In Consent: The Bill requires that businesses obtain an individual’s “freely given specific, informed, and unambiguous opt-in consent” to process individual emergency health data and prohibits collection without such consent except in certain narrow circumstances.

2. Comply with Data Retention Requirements: The Bill contains rigid data retention time periods (30 days, or 14 days for proximity tracing or exposure notification data). If a business stores emergency health data for more than 30 days, the Bill requires the business to “reengage consent” from the individual from whom the information was originally collected.

3. Maintain Written Privacy Policies and Transparency Reports: The Bill requires the posting of Privacy Policies which detail the business’s collection and use of emergency health data and the preparation of written Transparency Reports describing the business’s collection of emergency health data every 90 days.  

4. Limit Use: Data collected for responding to the COVID-19 public health emergency (e.g., tracking, screening, monitoring, contact tracing) must be collected “at a minimum level of identifiability reasonably needed for tracking COVID-19”. The Bill clarifies that for covered entities using proximity tracing or exposure notification, this includes changing temporary anonymous identifiers “at least once in a 10-minute period.” The Bill also prohibits the use of emergency health data for any purpose beyond what is adequate, relevant, and necessary to perform the transaction consented to by the individual, or for any purpose not authorized by The Bill (e.g., commercial purposes, advertising, selling, etc.).

5. Provide Individual Right to Access and Correction: The Bill gives individuals the right to access and correct their emergency health data.

6. Maintain Reasonable Security Measures: An entity that collects emergency health data must have reasonable administrative, physical, and technical controls in place to safeguard the information from misuse and unauthorized disclosure.

7. Maintain Minimum Necessary Access Restrictions: The entity must have access restrictions in place limiting access to the emergency health data to authorized essential personnel only.

8. Complete Compliance Audits: Covered entities are subject to data protection audits, which include the requirement for risk assessments and evaluation of the technologies used in connection with the information gathering. The results of the compliance audits shall be made available to the public.

The Bill also has notable enforcement teeth, authorizing the State Attorney General to bring enforcement actions and seek civil penalties of up to $25,000 per violation or up to 4% of a business’s annual revenue. Because the Bill is tied to the COVID-19 public health crisis, it is set to expire and be repealed on January 1, 2023.

To date, the bill is not on a committee agenda and there is no scheduled testimony for the COVID-19 Health Data Bill. It is not clear whether the bill will move through committee to the floor for a vote before the legislative session ends. However, we anticipate that legislators will be back in Albany at least a few more times this year, and Senator Thomas has been vocal in his desire to make progress on the Bill.

Beckage will monitor the progress on this and other relevant data privacy bills. Beckage is in communication with lobbyists and is closely monitoring for opportunities to provide input on behalf of the business community. Please do not hesitate to reach out if you are interested in discussing the bill’s potential impact on your business. Beckage is privileged to work with clients in a variety of sectors and industries in building efficient, repeatable, and scalable privacy and security programs.

*Attorney Advertising. Prior results do not guarantee future outcomes.



Legal and Practical Implications of the CMS and ONC Interoperability Rules – Part One

Beckage attorneys have been busy helping clients understand and prepare for the two rules concerning interoperability issued on March 9, 2020 by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) (collectively referred to as the “Final Rules”). The Final Rules implement interoperability and record access requirements intended to help patients obtain health records and payment data so they can make informed decisions about healthcare. To help demystify these technical rules, Beckage will be releasing a blog series outlining how the Final Rules will impact different organizations in the health sector.

While future blogs will tackle some of the technical nuances of the Final Rules, this blog will provide some context by answering a few high-level questions:

1. Who should pay attention to these Final Rules? Healthcare providers, health IT developers, health information exchanges, health information networks, electronic health record (EHR) vendors, and insurers participating in CMS programs (for purposes of this blog, these stakeholders are collectively referred to as “health care organizations,” although as discussed in future posts, they often have different interests and obligations under the Final Rules).

2. What is an API? ”API” stands for application programming interface. An API is essentially a software intermediary that allows two applications to talk to each other using standardized language.

3. What does the CMS Final Rule cover? The CMS Final Rule requires states and certain health care organizations to develop APIs that allow patients, medical providers, and insurers to access specific categories of data. The rule is intended to improve patient access to health information and standardize the types of health information that can be shared. For example, patients will be able to request access to their medical records via third-party apps, and payers may deny access only under specific circumstances. The CMS Rule also requires payers to provide information about in-network providers and exchange information with other insurers in the event a patient enrolls with a new insurance company.

4. What does the ONC Final Rule cover? The ONC Final Rule imposes standardized protocols to allow networks and software applications to talk to one another. Basically, the ONC Final Rule requires insurers, medical providers, IT vendors, and health exchanges to speak the same language. This is accomplished through updated and standardized health IT certification requirements, data classifications, and systematic requirements for APIs. The ONC Rule also implements the information blocking provisions of the 21st Century Cures Act.

5. When will the rules take effect? The United States Department of Health and Human Services (HHS) recently issued guidance extending some enforcement deadlines. Below are a few of the new compliance deadlines relevant to hospital and payer organizations:

• Spring 2021: Hospitals must be able to demonstrate that they comply with the patient admission, discharge, and transfer (ADT) event notification requirements of the CMS Rule.

• July 1, 2021: Payers must make a Patient Access API available so that patients’ third-party apps can retrieve medical records through the API.

• July 1, 2021: Payers must make a Provider Directory API available so that patients know which providers are in network.

The Final Rules represent a complete overhaul of well-established standards and an introduction of new and highly technical requirements with compliance deadlines as early as Spring 2021. Now is the ideal time for health care organizations to assess compliance requirements, contract with vendors, and develop a compliance framework. Beckage attorneys are uniquely experienced to help health organizations and tech companies of all sizes to navigate the complicated maze of legal and practical considerations raised by these and other health law regulations. Be sure to check back regularly for part two of this blog. 



Office of Civil Rights Empowers Health Care Providers to Provide Telehealth Services

On March 17, 2020, in light of the COVID-19 nationwide public health emergency, the Office for Civil Rights (OCR) announced that it will refrain from imposing penalties for noncompliance with HIPAA regulations in the context of the good faith provision of telehealth. This significant Notification of Enforcement Discretion allows health care providers to use “non-public facing” remote communications, such as audio or video communication technology, to provide telehealth to patients during the emergency. OCR clarified that the exercise of discretion applies to telehealth provided for any reason, not just for the diagnosis or treatment of COVID-19. Providers may use video chat applications on a phone or desktop computer, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. However, “public facing” applications such as “Facebook Live, Twitch, TikTok, and similar video communication applications . . . should not be used in the provision of telehealth.”

OCR encouraged providers to notify patients that these third-party applications potentially introduce privacy risks, and that they should enable all available encryption and privacy modes when using these applications. Although OCR will not impose penalties against providers for failing to execute a Business Associate Agreement (BAA) with the video communication vendors, OCR suggested that providers should nevertheless seek to provide telehealth services through HIPAA-compliant technology vendors that will enter into a BAA.

For more information about the telehealth Exercise of Discretion, see: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

Note that this is just one example of the discretion federal agencies may exercise in the context of a national emergency. See also: https://www.phe.gov/Preparedness/legal/Pages/phedeclaration.aspx for more information about regulatory discretion in the context of the Department of Health and Human Service’s recent Public Health Emergency Declaration.

Beckage attorneys, including our seasoned health care attorneys, are at the ready to help your organization navigate the use of telehealth services during these unprecedented times. Our experienced team understands the nuances associated with the intersection of healthcare, law and technology and can provide practical know-how related to the provision of telehealth services.  



Data Security Considerations as the Coronavirus Spreads

Awareness of the Coronavirus has increased in the United States since the virus first impacted China in late 2019. This has caused concern for individuals and organizations and, in some instances, led to the temporary suspension of travel for employees of several well-known international corporations. As the virus continues to spread worldwide, businesses face a series of questions about its potential impact on their operations. Fortunately, businesses do not have to wait until disaster strikes before putting a plan of action in place, and are wise to take data security measures well in advance.

What areas are top of mind as businesses of all sizes continue to monitor and prepare for the Coronavirus? Below are some considerations:

1. Review Your Business Continuity Plan: This is a timely opportunity for organizations to review their current business practices and policies, including the Business Continuity Plan (BCP). Whether the trigger is the Coronavirus, influenza, or something else, the BCP is top of mind for many, and it is a good time to evaluate the “what if” scenario. A BCP details how an organization will recover interrupted critical business functions after a disaster or disruption has occurred. Armed with a BCP, executives can respond in an orderly, rational way. A BCP allows decisions to be made along predetermined guidelines and answers questions such as:

a. How many absences can we handle before business operations are interrupted?

b. How do we keep operations running during an interruption?

c. What changes can we make to keep the business operating effectively?

2. Pay Attention to the Pandemic Section: Companies should confirm that the BCPs in place are adequate to address business needs in the event of a pandemic. Often a BCP will have a section that specifically addresses a Pandemic, including such topics as:

a. Workplace safety precautions.

b. Employee travel restrictions.

c. Provisions for stranded travelers unable to return home.

d. Mandatory medical check-ups, vaccinations or medication.

e. Mandatory reporting of exposure, such as employees reporting to employers and employers reporting to public health authorities.

f. Employee quarantine or isolation.

g. Facility shutdowns.

3. Review Existing Employee Policies: Now is a good time to review your workplace management policies, with a particular focus on the data security provisions that address telecommuting, IT use policies, and paid time off. Are you equipped to permit employees to work remotely from home without compromising the data security of your infrastructure or confidential information? Are the appropriate technical and administrative controls in place? Adopting work from home and/or remote options may make sense, but could lead to operational challenges and unforeseen data security risks for a business. Other areas that may need to be addressed include the procedure for sending symptomatic employees home, implementing quarantines for employees returning from high-risk areas, limiting face-to-face meetings, and temporarily shutting down operations.

a. Special Labor Relations Consideration: Be aware of existing agreements and any labor relations issues that may come into play. For example, businesses operating in a union environment may be affected by collective bargaining agreements that have special provisions regarding paid time off for union workers in the event of an emergency in which employees are prohibited from reporting to work. Always check with counsel before unilaterally implementing any changes to existing policies.

4. Consider the Impact on IT Service Providers: Review your contracts and keep in mind that an outbreak or epidemic can not only affect normal business operations, but also service providers and suppliers. Be familiar with key provisions that could impact your business operation. Review Service Level Agreements and understand how data can be accessed remotely if needed.

5. Remind Employees of Data Security Best Practices & Remote Data Access: As concern about the Coronavirus grows, we continue to see scammers using Coronavirus-themed phishing emails to target victims. Remind employees to be vigilant when receiving email, for example by not clicking on links or opening attachments from senders they do not recognize. These attachments and links can deliver malicious content, such as ransomware or other malware, that can infect a device and steal personal information.

6. Stay Up to Date on CDC Recommendations: Businesses are wise to regularly monitor the CDC website for current recommendations regarding travel restrictions and other precautions that affect business decisions. Regularly communicate updates and changes to your workforce.

7. Educate Your Workforce: Create a culture that understands the potential IT implications of working from home and how corporate IT and other technical policies apply to home working conditions.

Beckage is working with global clients and brands on low cost, high impact changes to policies and rolling out policies to address IT and remote working conditions. As a leader in this space, we assist companies in proactively preparing for unforeseen circumstances and business scenarios such as those caused by the Coronavirus. It is much better to be over prepared for these unpredictable circumstances than under prepared.  



2019 Year in Review: Beckage Blog Top 5

The end of the year is finally upon us. As the year draws to a close, we look back over our most popular blog posts of 2019. From understanding New York’s SHIELD Act to website accessibility claims under the Americans with Disabilities Act and gearing up for the California Consumer Privacy Act (CCPA), it has certainly been a great year for the Beckage team. We pride ourselves on producing informative and timely content for our community in this fast-moving legal landscape. For this reason, we have picked out our very best blog posts from 2019 in case you missed any of them. We thank you all for your continued support. Happy Holidays from all of us!
