White House Announces New Actions in Response to Roe v. Wade

To mark what would have been the 51st anniversary of Roe v. Wade, the White House Task Force on Reproductive Healthcare issued a fact sheet announcing new actions to strengthen access to contraception and medication abortions, and ensure that patients receive the emergency medical care they need.

The Task Force explained that the overturning of Roe v. Wade resulted in extreme state abortion bans. “These dangerous state laws have caused chaos and confusion, as women are being turned away from emergency rooms, forced to travel hundreds of miles, or required to go to court to seek permission for the health care they need,” wrote the Task Force.

The fact sheet explains some of the actions that have been taken by federal agencies in response to President Biden’s three Executive Orders and a Presidential Memorandum on access to reproductive health care, strengthening access to contraception and affordability for women with health insurance, reinforcing obligations to cover affordable contraception, educating patients and care providers about rights and obligations for emergency medical care, and protecting access to safe and legal medication abortion.

The Task Force has confirmed that while the overturning of Roe v. Wade removed the Federal right to abortion, it did not prohibit women from traveling to another state to seek the care they need. The Alabama Attorney General had threatened to prosecute people who provided assistance to women seeking lawful out-of-state abortions, and in November 2023, the Department of Justice filed a statement of interest in two lawsuits challenging the Alabama Attorney General’s threats, stating that “prosecutions infringed the constitutional right to travel and made clear that states may not punish third parties for assisting women in exercising that right.”

The HHS has written to U.S. governors to invite them to apply for Section 1115 waivers to expand access to care under the Medicaid program to women who are prohibited from receiving abortion care in the states where they live and may be denied care under the Medicaid program. The HHS continues to encourage state leaders to consider and develop new waiver proposals to support access to reproductive health care services.

In April 2023, the HHS issued a notice of proposed rulemaking that strengthened reproductive health privacy under HIPAA. The proposed rule prevents an individual’s information from being disclosed to investigate, sue, or prosecute an individual, a health care provider, or a loved one simply because that person sought, obtained, provided, or facilitated legal reproductive health care, including abortion. The new rule will strengthen patient-provider confidentiality and help healthcare providers give complete and accurate information to patients.

The Federal Trade Commission (FTC) is taking steps to prevent the illegal use and sharing of sensitive health information, such as reproductive health information, and has already taken action against companies that are alleged to have disclosed sensitive data without consumers’ consent, including precise geolocation information that could indicate a visit to a reproductive health center. In 2022, the FTC sued Kochava over the collection and sale of precise location data and settlements have recently been proposed that prohibit the data companies X-Mode Social/Outlogic and InMarket Media from selling precise location data.

The Federal Communications Commission (FCC) has recently published a new guide for consumers on best practices that can be adopted to protect personal data, including geolocation data on mobile phones. The HHS has also issued guidance for consumers on how to protect data on personal cell phones or tablets when using mobile health apps such as period trackers, which are generally not protected by HIPAA.

Guidance has also been issued by the HHS that affirms that doctors and other medical providers can take steps to protect patients’ electronic health information, including reproductive health care information, and confirms that patients have the right to ask that their electronic health information generally not be disclosed by a physician, hospital, or other health care provider. The HHS has also launched a website – ReproductiveRights.gov – that provides individuals with timely and accurate information about their rights concerning reproductive healthcare.

The Department of Education has issued guidance to school officials reminding them of their obligations to protect student privacy under the Family Educational Rights and Privacy Act (FERPA) and that they must obtain written consent from eligible students or parents before disclosing personally identifiable information from students’ educational records, including student health information. The department has also created a new resource for students to explain their rights with respect to health information privacy.

The post White House Announces New Actions in Response to Roe v. Wade appeared first on HIPAA Journal.

Is Gmail HIPAA Compliant?

Gmail is HIPAA compliant, and can be used to receive, store, or send Protected Health Information (PHI) when Google’s email service is used as part of an Enterprise Workspace Plan supported by a Business Associate Addendum to the Workspace Terms of Service. To ensure Gmail is used compliantly, it is necessary to configure Workspace controls correctly, apply user policies, and train members of the workforce on how to use Gmail in compliance with HIPAA.

Gmail is the most popular personal email service in the world; and, because most employees are accustomed to how Gmail works, Google’s email service is widely used in business behind customized domain names (i.e., DrJoe@AAAhealth.com, rather than DrJoe@gmail.com). Although several methods exist to operate a Gmail account behind a customized domain name, the simplest method for larger businesses is to subscribe to a Google Workspace account.

There are several levels of Workspace subscription ranging from the “Business Starter” package – which includes Gmail for Business, Drive Storage, Meet Videoconferencing, and Shared Calendars – to the feature-rich Enterprise package. Businesses can often pick the most suitable subscription level based on the number of users, types of services, and features required. This is not the case for all businesses in, or providing services to, the healthcare industry.

Using Email Services in the Healthcare Industry

Because most healthcare providers are required to comply with the HIPAA Administrative Simplification Requirements (which include the Privacy, Security, and Breach Notification Rules), there are two ways to use email services in the healthcare industry. You can either prohibit uses and disclosures of PHI in emails (except when patients exercise their right to request confidential communications by email), or ensure the email service is HIPAA compliant.

Prohibiting uses and disclosures of PHI in emails is impractical unless email is replaced with an equally compliant communication system that integrates with other productivity and collaboration services in the same way as Gmail integrates with other Workspace services. Even then, although an alternative communication system might be suitable for in-house operations, it could create HIPAA compliance challenges for payers and business associates who do not have a compatible communication system.

Realistically, the only viable option for businesses covered by HIPAA and their business associates is to implement a HIPAA compliant email service. In order for an email service to be HIPAA compliant, it has to support compliance with the Administrative, Physical, and Technical Safeguards of the Security Rule via a series of controls and monitoring capabilities. The vendor of the service also has to be willing to enter into a Business Associate Agreement. So, is Gmail HIPAA compliant?

Is Gmail HIPAA Compliant? It Depends!

Gmail’s compliance with HIPAA depends on the type of Workspace subscription and what other security mechanisms a business already has in place. For example, if a business already has account access and monitoring software from another vendor, it may be possible to get away with subscribing to a Business Starter, Standard, or Plus Plan depending on the size of the workforce and the amount of storage space required by each user or pooled group.

If, however, no other security mechanisms are in place, it will be necessary to subscribe to a Workspace Enterprise Plan in order for Gmail to be HIPAA compliant. In addition to having the necessary access controls and monitoring capabilities, the Enterprise Plan includes a Vault feature for securely archiving and retrieving emails, endpoint management for emails sent and received remotely, and DLP capabilities to prevent data breaches by internal bad actors.

In the context of email security, possibly the most useful tool in the Workspace Enterprise Plan is the Security Center. The unified security dashboard can be configured to alert system administrators and security teams to email-borne malware attacks, phishing, and spam. It can also help identify, triage, and take action on privacy and security issues, and examine file sharing activities to prevent data exfiltration by both internal and external bad actors.

The Google BAA and Workspace Terms of Service

Before any emails containing PHI are sent or received via Gmail, it is necessary for a Business Associate Agreement to be in place between Google and the covered entity or business associate. Google has a standard one-size-fits-all Business Associate Agreement (BAA) for core services with “covered functionality”, which, rather than being a separate BAA, is a Business Associate Addendum to the Workspace Terms of Service.

For businesses familiar with BAAs, the Google Business Associate Agreement holds no surprises and complies with the BAA requirements of the Privacy Rule (45 CFR §164.504(e)) and the Security Rule (45 CFR §164.314(a)). However, before digitally signing the Business Associate Addendum, system administrators are advised to review the Workspace Terms of Service – particularly clause #3 relating to Customer Obligations.

This clause requires businesses to assume responsibility for user behavior when using Workspace services, requires businesses to prevent and terminate unauthorized access to accounts, and stipulates that businesses must notify Google when passwords have been compromised or when Workspace services are used or accessed without authorization. Failure to comply with the Terms of Service can result in a loss of service and the removal of content – including PHI.

Making Gmail HIPAA Compliant

To help businesses make Gmail HIPAA compliant, Google has produced a HIPAA Implementation Guide for all Workspace services with covered functionality. The Guide explains the controls available to ensure (for example) messages are only opened by their intended recipients and that messages containing PHI are not forwarded to third party recipients (which will be useful if the proposed HIPAA changes relating to Attestation are finalized).

In addition to configuring the controls to make Gmail HIPAA compliant, it is also necessary to train members of the workforce on how to use Gmail in compliance with HIPAA. As mentioned previously, most employees are accustomed to how Gmail works; but they are unlikely to be as conscious of privacy and security when emailing friends and family members. HIPAA training on how to use Gmail in compliance with HIPAA will help prevent bad habits being carried over into the workplace.

Finally, if you are unsure about whether Gmail is a suitable email solution for your business, or have concerns about the technical knowledge you will need to make Gmail HIPAA compliant, Google offers all businesses a 14-day free trial of Workspace for up to ten users. The free trial should give your business an opportunity to test Gmail for Business in your own environment with on-call support from Google’s technical team should you require it.


FTC Proposes Settlement Prohibiting InMarket from Selling Consumers’ Precise Location Data

The Federal Trade Commission (FTC) has proposed a settlement with the digital marketing platform provider and data aggregator InMarket Media LLC that resolves allegations that the company’s business practices violated the FTC Act.

According to the FTC complaint, InMarket Media obtains vast amounts of consumer data including information from mobile devices about consumers’ movements, purchasing habits, demographic data, and information on their socioeconomic background. InMarket Media retains consumer data for 5 years and uses that data to facilitate targeted advertising on consumers’ mobile devices through its InMarket Software Development Kit (SDK). InMarket Media categorizes consumers into advertising audiences and allows its clients to target consumers on third-party advertising platforms. The FTC alleges that InMarket Media failed to notify consumers that their personal data will be used to serve targeted advertisements and did not verify that mobile applications that incorporate the InMarket SDK have notified consumers about such uses of their personal data.

Apps that incorporate the InMarket SDK request access to location data from the mobile device’s operating system. If the user gives the app those permissions, their precise latitude and longitude will be collected and transmitted back to InMarket Media along with a timestamp and a unique mobile device identifier. When a user is moving, the location data is sent every few seconds. According to the FTC, between 2016 and the present, around 100 million unique devices have transmitted location data to InMarket Media each year.

The location data reveals where the user lives and works, where their children go to school or obtain child care, and where medical treatment is provided, which can reveal the existence of medical conditions. The location data can also reveal other sensitive information such as where they go to rallies, demonstrations, or protests, which can reveal political affiliations. The location data can also be used to determine how long an individual is present in a particular location.

The FTC alleges InMarket Media misled consumers by providing “misleading half-truths” about its data uses. For instance, the consent screens for the CheckPoints and ListEase apps state that consumers’ data will be used for the app’s functionality such as earning points and keeping lists, but the consent screens do not state that users’ precise location will be collected and transmitted along with data collected from multiple other sources and that the data will be used to build extensive profiles on users to precisely target them with advertising.

While InMarket Media states in its privacy policy that consumer data will be used for targeted advertising, the consent screen does not link to the privacy policy language, and misleading prompts do not inform consumers of the apps’ data collection and use practices. InMarket is alleged to do very little to verify that third-party apps incorporating its SDK obtain informed consumer consent before granting InMarket access to their sensitive location data and does not require apps that incorporate the SDK to obtain informed consumer consent.

Consequently, InMarket does not know whether users of hundreds of third-party apps that incorporate the InMarket SDK have been informed that their data is being collected and used for targeted advertising. The FTC alleges InMarket Media violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a) which prohibits unfair or deceptive acts or practices affecting commerce, given that misrepresentations or deceptive failures to disclose a material fact constitute deceptive or unfair practices under Section 5(a) of the FTC Act and the acts are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves.

The complaint alleges four counts of FTC Act violations: unfair collection and use of consumer location data; unfair collection and use of consumer location data from third-party apps; unfair retention of consumer location data; and deceptive failure to disclose InMarket’s use of consumer location data. A settlement has been proposed that prohibits InMarket Media from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data. “All too often, Americans are tracked by serial data hoarders that endlessly vacuum up and use personal information. Today’s FTC action makes clear that firms do not have free license to monetize data tracking people’s precise location,” said FTC Chair Lina M. Khan. “We’ll continue to use all our tools to protect Americans from unchecked corporate surveillance.”

A spokesperson for InMarket Media said the company disagrees with the FTC’s allegations and is expanding its existing sensitive location protections. Also, in December 2023, the company engaged a nonprofit to identify location information close to reproductive healthcare clinics to remove that information from its databases. InMarket Media also confirmed that it is working with its partners to ensure that their notice and consent processes are clear.

The FTC has recently proposed a similar settlement with the data broker X-Mode Social (Outlogic) that also prohibits the sale of precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics. The FTC also sued the data broker Kochava for selling geolocation data that could identify visits to sensitive locations.


HHS-OIG Excludes Theranos Founder and CEO from Federal Health Programs for 90 Years

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has added the founder and CEO of the health technology firm Theranos, Inc. to the OIG exclusion list, which means Elizabeth Holmes is prohibited from participation in Federal health care programs for 90 years.

The Theranos Scandal

Theranos was a blood testing startup founded by Elizabeth Holmes in 2003. The company claimed to have developed revolutionary technology that could be used to perform hundreds of blood tests from a single blood sample. Instead of requiring a vial of blood, the technology could perform more than 200 blood tests using a single pinprick of blood. The company claimed its technology automated blood testing and that tests were inexpensive and fast. Holmes was able to raise $700 million in investment and the company was valued at around $9 billion at its peak, with Holmes owning more than half of the company’s shares.

Wall Street Journal journalist John Carreyrou, a Pulitzer Prize winner, received a tip that the company’s technology was not what it claimed to be. Carreyrou spoke with members of the Theranos board who claimed they were lied to, that there was a culture of intimidation and secrecy, and that the company’s technology repeatedly failed quality assurance and sent incorrect test results to patients on which medical decisions were based.

Carreyrou published the story in 2015 that revealed the company was using third-party technology rather than its own, as its own technology was inefficient. The FDA launched an investigation into Theranos that found that the allegations in Carreyrou’s article were correct. The company was investigated by the Federal Bureau of Investigation and shut down.

Theranos and Holmes denied the allegations and threatened to sue Carreyrou; however, in 2018, Holmes stepped down from her position as CEO, and following an FBI investigation the company was shut down. Holmes, along with former company president Ramesh Balwani, was charged with criminal fraud for making false claims about the company’s technology and misleading investors.

At her trial, prosecutors claimed that the company’s technology could itself perform only a handful of the advertised tests, and that the few tests it could perform did not provide accurate results. Holmes was also alleged to have destroyed evidence before the company was shut down. Holmes admitted to making mistakes, but she continued to protest her innocence and claimed that she never knowingly defrauded investors or patients.

In January 2022, Holmes was found guilty on four charges of defrauding investors and was sentenced to more than 11 years in jail from where she is attempting to appeal the convictions. Holmes was also ordered to pay $452,047,200 in restitution. Balwani was convicted of conspiracy to commit wire fraud against Theranos’s patients and investors and was sentenced to 12 years and 11 months in prison.

HHS-OIG Issues Notice of Exclusion

HHS-OIG Inspector General Christi A. Grimm announced on January 19, 2023, that Holmes had been added to the exclusion list due to her January 2022 conviction for wire fraud and conspiracy to commit wire fraud against Theranos investors.

The HHS-OIG has the authority under section 1128(a) of the Social Security Act to exclude individuals from participation in Medicare, Medicaid, and other Federal health care programs. The minimum exclusion period for convictions of this nature is 5 years; however, Grimm explained that there were several aggravating factors that warranted a lifelong exclusion, including the length of time over which the criminal acts were committed, the incarceration, and the amount of restitution that was ordered to be paid. Balwani had previously been excluded for 90 years due to his convictions.

“Accurate and dependable diagnostic testing technology is imperative to our public health infrastructure. False statements related to the reliability of these medical products can endanger the health of patients and sow distrust in our health care system,” said Grimm. “As technology evolves, so do our efforts to safeguard the health and safety of patients, and HHS-OIG will continue to use its exclusion authority to protect the public from bad actors.”


Is HIPAA Training a Federal Requirement?

Yes, HIPAA training is mandated by the Health Insurance Portability and Accountability Act (HIPAA) and is a federal requirement for healthcare providers, insurance companies, and their business associates in the United States to ensure the confidentiality, integrity, and security of protected health information. HIPAA training is mandated by both the HIPAA Privacy Rule (45 CFR § 164.530) and the HIPAA Security Rule (45 CFR § 164.308(a)(5)), requiring healthcare entities to provide regular, role-specific training on handling protected health information (PHI) and electronic PHI (ePHI) to all workforce members, ensuring ongoing awareness and compliance with privacy and security measures.

HIPAA Training Required under HIPAA Privacy Rule (45 CFR § 164.530)

The HIPAA Privacy Rule mandates that covered entities – which include healthcare providers, health plans, and healthcare clearinghouses – must train all members of their workforce on the policies and procedures with respect to PHI. The HIPAA training must be provided to each new member of the workforce within a reasonable period after they join the entity, and also when there are material changes in the policies or procedures. The purpose of this training is to ensure that every individual who handles or has access to PHI is aware of the privacy practices and the legal obligations for safeguarding patient information. The HIPAA Privacy Rule emphasizes that training should be appropriate to the functions performed by each workforce member.

HIPAA Training Required under HIPAA Security Rule (45 CFR § 164.308(a)(5))

Under the HIPAA Security Rule, covered entities are required to implement a security awareness and training program for all members of their workforce, including management. This involves regular updates regarding the safeguards for protecting ePHI, which could include procedures for guarding against, detecting, and reporting malicious software; procedures for monitoring log-in attempts and reporting discrepancies; and procedures for creating, changing, and safeguarding passwords. The HIPAA training should be ongoing to address the evolving nature of security threats and to reinforce the importance of every individual’s role in protecting ePHI.

Both these sections collectively ensure that HIPAA training is not a one-time requirement but an ongoing process, integral to the compliance strategy of all entities handling PHI. The training should be tailored to the specific roles of the workforce members and must be documented. Non-compliance with these training requirements can result in significant HIPAA penalties, such as the $1,500,000 fine for Athens Orthopedic Clinic PA in 2020, whose list of HIPAA breaches included the failure to provide HIPAA Privacy Rule training.
