Important Lessons for Protecting Patient Data in Recent FTC Action on Vendor's "Encryption" Claims
As new technologies and delivery models create challenges for health care providers in regard to protecting patients' personal health information, many have incorporated or are incorporating encryption tools into their electronic health records and technology platforms to help ensure compliance with the privacy and security requirements of HIPAA and similar state statutes. Most encryption products convert readable text into ciphertext by means of an algorithm, and although not uniformly required by law (and not always successful in practice), properly implemented encryption can be a fundamental first step in protecting patient data and can provide the user with a safe harbor from certain breach notification requirements.
A recent enforcement action by the Federal Trade Commission ("FTC"), however, suggests that health care providers should perform careful diligence when selecting an encryption product, and that software providers should ensure their "encryption" claims actually afford the level of security purported in their marketing campaigns.
Last month, the Consumer Protection Bureau of the FTC released details of an enforcement action against a provider of office management software for dental practices. In its complaint, the FTC had alleged the company falsely advertised the level of encryption provided to protect patient data. Specifically, the FTC alleged the company advertised its software as providing "industry-standard encryption" despite the fact that the company used a less complex method of "data masking" or "data camouflage"—what the FTC described as a "weak obfuscation algorithm"—to protect patient data, rather than the Advanced Encryption Standard recommended by the National Institute of Standards and Technology ("NIST"). Under the terms of the proposed consent order, the company must pay $250,000 to the FTC and agree to stop certain marketing practices deemed misleading.
In addition, the company must notify all customers who purchased the software product during the relevant period and must update the FTC regarding its notification program. The proposed consent order was made available for public comment.
This action represents continued regulatory scrutiny into the marketing practices of software vendors, especially on data privacy and security issues. In particular, the proposed settlement highlights the risk of using phrases like "industry standard," indicating that when regulators investigate such claims, they often rely on NIST standards not merely as guidance but as the formative framework for the investigation. Likewise, as health care providers look to adopt new software products, they should evaluate their security needs and have technical staff examine the software's encryption functions prior to contracting with a vendor.
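As an added illustration (not code from the FTC matter, the vendor, or this newsletter), the script below contrasts a constructed key-less byte-substitution "masking" scheme with a keyed, randomised cipher stand-in and runs three checks technical staff can apply to any function a vendor says "encrypts" before contracting. Assumptions: the masking table, the HMAC-keystream stand-in (used only because the Python standard library has no AES; a real product should use AES from a vetted library) and the sample patient record are all constructed here.

```python
"""Diligence checks that separate key-less data masking from keyed encryption.
Constructed illustration: the masking scheme is NOT the one from the FTC action."""
import hashlib
import hmac
import os

# Constructed "data masking": a fixed byte-substitution table. 7 is odd, so the map is a
# bijection on 0..255 and anyone holding the software can invert it. No key is involved.
_MASK = bytes((b * 7 + 3) % 256 for b in range(256))

def mask(plaintext: bytes, key: bytes = b"") -> bytes:
    """Vendor-style 'obfuscation': the key parameter is accepted but ignored."""
    return plaintext.translate(_MASK)

# Hypothetical stand-in for a proper keyed cipher (the standard library has no AES; a real
# product should use AES from a vetted library). HMAC-SHA256 keystream in counter mode
# under a fresh random nonce, XORed with the plaintext; the nonce is prepended.
def keyed_encrypt(plaintext: bytes, key: bytes, nonce: bytes = b"") -> bytes:
    nonce = nonce or os.urandom(16)
    blocks = (len(plaintext) + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

# --- Checks technical staff can run against any function that claims to "encrypt" ---
SAMPLE = b"Patient: Jane Doe, DOB 1970-01-01, SSN 123-45-6789"  # constructed record

def is_deterministic(fn, key: bytes) -> bool:
    """Same record twice -> identical output? Proper encryption randomises each call."""
    return fn(SAMPLE, key) == fn(SAMPLE, key)

def ignores_key(fn) -> bool:
    """Does changing the key leave the output unchanged? Then no secret protects the data.
    (A randomised keyed cipher differs for both reasons, which is the expected result.)"""
    return fn(SAMPLE, b"\x01" * 32) == fn(SAMPLE, b"\x02" * 32)

def preserves_repetition(fn, key: bytes) -> bool:
    """Does a run of identical plaintext bytes survive as a run of identical output bytes?"""
    out = fn(bytes(32), key)
    return any(len(set(out[i:i + 16])) == 1 for i in range(len(out) - 15))

def assess(fn, key: bytes) -> dict:
    """Scorecard: every True is a red flag; a keyed, randomised cipher yields all False."""
    return {
        "deterministic": is_deterministic(fn, key),
        "ignores_key": ignores_key(fn),
        "preserves_repetition": preserves_repetition(fn, key),
    }

if __name__ == "__main__":
    key = os.urandom(32)
    print("masking       :", assess(mask, key))           # all True
    print("keyed stand-in:", assess(keyed_encrypt, key))  # all False
```

A product whose "encrypt" routine scores True on any of these checks is behaving like masking, not like the NIST-recommended AES the marketing may claim.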
President Obama Forms Federal Privacy Council
On February 9, 2016, President Obama issued an executive order to establish a Federal Privacy Council as the "principal interagency forum" for improving the federal government's privacy practices. The Privacy Council will be led by a deputy director of the Office of Management and Budget ("OMB") and include representatives from major departments and agencies of the federal government. Among other functions, the Privacy Council is tasked with making recommendations to OMB regarding government privacy policies, enabling cross-agency information sharing, and addressing development needs of the government's privacy professionals.
FTC Staff Guidance Addresses Active Supervision of State Regulatory Boards
In late 2015, the FTC released a guidance document titled FTC Staff Guidance on Active Supervision of State Regulatory Boards Controlled by Market Participants. The guidance responds to requests from state officials for clarity on the state action immunity doctrine in the wake of the recent U.S. Supreme Court decision in North Carolina State Board of Dental Examiners v. FTC, where the Court refused to shield the dental board from a lawsuit alleging that the board's prohibition on nondentist providers of teeth whitening services unlawfully restrained competition. Recently, a federal district court denied the Texas Medical Board's motion to dismiss a private plaintiff's antitrust challenge to the board's new rules on telemedicine (see Jones Day Antitrust Alert). Also, as reported in our last issue of the Digital Health Law Update, the Alabama Board of Medical Examiners repealed its telehealth rules, citing concerns posed by the Supreme Court's decision. Although nonbinding, the FTC staff guidance discusses the N.C. Dental case and provides the agency staff's perspective on the clear articulation and active supervision elements of the state action defense. Among other things, the guidance states that active supervision is required when a controlling number (not necessarily a majority) of decisionmakers on a professional regulatory board comprises active market participants. The guidance also references several structures that do not constitute active supervision, such as a state official participating in deliberations of a professional regulatory board but lacking actual authority to disapprove anticompetitive acts.
Long-Term Care Facilities Rule Could Open Opportunities for Telehealth
Last year, the Centers for Medicare & Medicaid Services ("CMS") received public comments on a proposed rule to revise the requirements that long-term care facilities must meet to participate in the Medicare and Medicaid programs. Among other matters, the proposed rule purports to require physicians or designated professionals to evaluate nursing home patients in-person before transfer to a hospital. The American Telemedicine Association submitted a comment urging CMS not to restrict such pre-transfer evaluations to an "in-person" context or alternatively to recognize other ways to achieve the intended purpose.
Recent HIPAA Actions Help Inform Security Practices of Digital Health Providers
The U.S. Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR") recently released details about a $750,000 HIPAA settlement, emphasizing the importance of risk analysis and device and media control policies. The OCR found a cancer care provider in widespread noncompliance with the HIPAA security rule, and it specifically attributed a security breach to the fact that (i) the provider had not conducted an enterprise-wide risk analysis, and (ii) the provider did not have a written policy in place specific to the removal of hardware and electronic media containing protected information into and out of its facilities. In an unrelated matter, OCR also launched a new portal for mobile health developers to ask questions about HIPAA privacy and security. According to a press release, anyone may browse the site, and although users must log in with an email address to submit questions, all users will remain anonymous to OCR, and posting information will not subject anyone to enforcement action.
Group of Senators Discuss Chronic Care and Introduce Bills to Promote Innovative Telehealth Models and Expand VA Services Across State Lines
The Senate Finance Committee's Bipartisan Chronic Care Working Group recently issued a policy document presenting various proposals and initiatives to help Americans manage chronic illnesses. With respect to digital health, the policy document proposes expanding telehealth access to fulfill the monthly visit requirement for Medicare home dialysis patients, relaxing geographic and originating site restrictions on the use of telehealth by accountable care organizations, and allowing greater access to telestroke diagnostic services, among other things.
These proposals follow various legislative efforts in 2015 to address telehealth. In December 2015, Sens. Cory Gardner (R-CO) and Gary Peters (D-MI) introduced S2343, the Telehealth Innovation and Improvement Act of 2015, which would require CMS to use telehealth services in certain Medicare accountable care and bundled payment models. Also, Sens. Joni Ernst (R-IA) and Mazie Hirono (D-HI) introduced S2170, the Veterans E-Health and Telemedicine Support Act of 2015, a bill, similar to prior efforts, to improve health care access for veterans by expanding telehealth services across state lines. Under current law, health professionals affiliated with the U.S. Department of Veterans Affairs ("VA") may perform telehealth services across state lines only if both the patient and physician are located in federally owned facilities. The new bill would enable VA health professionals to engage in interstate practice even when patients are located in their own homes. Both Senate bills have yet to be considered in committee. Other bills related to digital health, including HR2799, the FAST Act, and HR2948, the Medicare Telehealth Parity Act, were introduced last year in the House of Representatives.
New Federal Law to Ease "Meaningful Use" Burden on Doctors, Address Other Policies
On December 28, 2015, President Obama signed into law the Patient Access and Medicare Protection Act, legislation that gives CMS broader authority to exempt physicians and other eligible professionals from penalties for not meeting "Meaningful Use" targets regarding the use of electronic health records. Under the new law, CMS will be able to review applications for hardship exemptions for 2017 payment adjustments in a batch process instead of on a case-by-case basis, making it easier for doctors to seek exemptions. In addition, among other policies, the new law establishes a program for data sharing among federal Medicare and state Medicaid programs and authorizes transitional payments for certain radiation therapy and imaging services, as well as a study to assess alternative payment models for such services furnished in non-facility settings.
Final CMS Rule for Medicaid Home Health Services Rule Provides Opportunity for Telehealth
As part of a number of revised CMS requirements for the provision of Medicaid covered home health services pursuant to a final rule, effective July 2, 2016, physicians and other authorized providers engaging in a "face-to-face" encounter required for the provision of home health services can satisfy this requirement using telehealth for such face-to-face assessment.
Arkansas Defines Boundaries of Doctor–Patient Relationships
On November 4, 2015, an advisory committee of the Arkansas State Medical Board met to discuss a draft policy proposal that, under certain circumstances "utilizing technology and peripherals," would allow a doctor to establish a relationship with a patient through a real-time, audio and visual telemedicine encounter. Under current statute, an in-person examination is generally required for a valid patient–physician relationship, but the medical board has authority to promulgate rules recognizing exceptions to this standard. The advisory committee's policy proposal must be approved by the full medical board to have legal effect.
Florida Bill Addresses Telemedicine Treatments
Proposed bill HB1353 (and companion SB1686) would create a telehealth task force to gather information about telehealth in Florida and define "telehealth" as synchronous or asynchronous telecommunications technology by a health care practitioner licensed under Florida law.
Indiana Bill Would Define Telemedicine Delivery
HB1263, introduced January 11, 2016 in Indiana, would define "telemedicine" as a delivery of health care services using electronic communications, including secure video conference and interactive audio using store-and-forward technology. Additionally, a physician need not have prior in-person contact if the prescriber has "established a provider–patient relationship with the patient," satisfied the standard of care requirements, and generated and maintained a medical record.
New Jersey Proposes Allowing Patient–Provider Relationship to be Established Remotely
S291, introduced on January 12, 2016, could permit New Jersey licensed doctors to provide telemedicine services to remote patients in the state. The bill would also allow physicians to establish a professional relationship through telemedicine, while upholding the same standard of care and recordkeeping requirements as in-person treatment.
Pennsylvania Law Affects Out-of-State Pharmacists Practicing Pharmacy
Effective December 6, 2015, Pennsylvania became the last state to require nonresident pharmacies to be licensed before delivering prescriptions to patients. The governor approved the legislation in September 2015. This development affects out-of-state pharmacists wishing to practice telepharmacy in the state.
Interstate Nursing Compact Allows Nursing Across State Lines
The Nurse Licensure Compact ("NLC"), a multistate initiative to allow registered nurses and licensed practical nurses to practice nursing across compact states using the license of their home state, has undergone significant revisions, resulting in new model legislation for NLC members. Currently, 25 states participate in the NLC through the original model legislation. Other states interested in joining must introduce the new version of model legislation, adopted on May 4, 2015. While the compact has been in place since November 6, 1998, the growing number of states participating in the NLC has important implications for the continued growth of telehealth, given the strong nursing involvement in telehealth services provided across state lines. Follow updates on the status of the NLC. A similar initiative is underway for APRNs, or advanced practice registered nurses.
Multiple States File 2016 Bills Regarding Telehealth Coverage
Several states recently had bills presented in committee or prefiled regarding the reimbursement of telemedicine cost. HB234 in Alaska would require health care insurers to provide coverage for mental health benefits provided through telemedicine but would not require in-person contact prior to the services; AB8200 in New York would provide for general telemedicine coverage services, among several other bills in relation to the facilitation of home health telemedicine; and SB1363 in Arizona, SB2469 in Hawaii, HB95 in Kentucky, S652 in New Jersey, H543 in Vermont, and HB1923 (also, SB621) in Missouri would require telemedicine coverage consistent with in-person coverage. All such bills would require the health provider to be licensed by the state.
Idaho Department of Health & Welfare Publishes Proposed Rule on Reimbursement
In October 2015, the Idaho Department of Health & Welfare published a proposed rule that would provide Medicaid reimbursement of synchronous telehealth interactions, subject to existing primary care provider communication requirements and the Idaho Medicaid Provider Handbook, which will be revised at a later date.
Massachusetts Bills Could Define State Telemedicine Reimbursement Parameters
Two legislative bills could provide for reimbursement of telemedicine services in Massachusetts: SB529, which includes reimbursement requirements for health insurance plans, health maintenance organizations, and other private payors; and SB617, which would allow insurers to limit reimbursement coverage to approved providers and provide for a deductible, copayment, and coinsurance requirement. Both bills would define "telemedicine" as the use of audio, video, or other electronic media for medical services, excluding telephone-only or fax services. These proposed measures coincide with recent meetings by the Massachusetts governor and the state Health Policy Commission to discuss new policies for health care savings and improved patient care, including telemedicine.
Telehealth Reimbursement Bill Introduced in Michigan
On October 1, 2015, HB4935 was introduced in the Michigan legislature, passed the House on November 10, 2015, and is now in committee. This bill would authorize reimbursement for telemedicine services without face-to-face contact, as long as services are performed by a health care professional licensed in Michigan. The measure would define "telemedicine" as examinations via real-time, interactive audio and/or video communications.
EU–US Medical Device Regulations Pose Potential Issues for Telemedicine
Jones Day partners Alexis Gilroy, Colleen Heisey, and Cristiana Spontoni and associate Indra Bhattacharya recently coauthored an article titled "Telemedicine: Comparing EU and US Application Regulation," published in the journal eHealth Law & Policy. The article focuses on potential implications of medical device regulations on various telemedicine modalities and delivery models, with a comparative examination of policies under the European Union and United States.
EU and U.S. Agree to New Privacy Shield for Data Transfers
Earlier this month, the European Commission announced it had agreed with the United States to a new framework for addressing certain privacy concerns associated with transatlantic data flows. The new EU–US Privacy Shield includes provisions subjecting U.S. authorities' access to personal data transferred to clear conditions, limitations, and oversight and allowing Europeans to have the possibility to raise concerns to a new ombudsperson. These developments will have widespread implications, including for digital health companies working across national borders. The EU–US Privacy Shield follows an October 2015 ruling by the European Court of Justice, which had invalidated the European Commission's Safe Harbor Decision because it failed to provide an adequate level of protection to personal data transferred from the EU to the United States, as required by the EU Data Protection Directive 95/46/EC (see the Jones Day Alert for more information).
Trillium Bridge Project Promotes eHealth Cooperation
The EU-funded Trillium Bridge project published its final project brochure, which includes key recommendations for EU and U.S. politicians on eHealth cooperation. The project was launched in order to implement the Transatlantic eHealth/Health IT Cooperation Roadmap and other initiatives between HHS and the European Commission's Directorate General for Communications Networks, Content and Technology. The project involved a feasibility study based on a validation exercise in three European countries and two U.S. providers. At the conclusion of the project, Trillium Bridge delivered 20 recommendations and a draft action plan to be refined and implemented for eHealth innovation. In particular, project leaders recommend that EU and U.S. policymakers advance an International Patient Summary ("IPS") standard with the aim of enabling people to access and share their health information for emergency or unplanned care anywhere and as needed. At a minimum, they propose that the IPS include immunizations, allergies, medications, clinical problems, past operations, and implants.
UK Ofcom Delays Plans to Increase Radio Spectrum
On December 3, 2015, Ofcom, the telecommunications regulator for the United Kingdom, announced its decision to delay the release of mHealth spectrum (in the 2.3 and 3.4 GHz bands) in response to mounting pressure from UK mobile network operators. Ofcom had previously announced its intention to release the spectrum during an auction at reserved prices. However, the agency received letters from Telefónica UK Limited and Hutchison 3G UK Limited, stating their intention to bring judicial review proceedings against Ofcom's decision to commence the auction process before the outcome of the European Commission's review of the two companies' proposed merger. Given these circumstances, Ofcom decided to delay commencing the auction process until the European Commission makes a determination regarding the proposed merger, a decision expected in April 2016.