State Laws Affect Privacy Compliance; Data Tracking Also a Concern
New state privacy laws can affect hospital operations but might be overlooked when the focus is on HIPAA compliance. Risk managers and compliance officers should make sure they are complying with both obligations, says Sharon R. Klein, JD, partner with the Blank Rome law firm in Los Angeles.
Enforcement from the Federal Trade Commission is a new issue, since it focuses on tracking of online data that is not necessarily protected health information (PHI).
“When you’re thinking about healthcare, you think about the federal acts like HIPAA. But from a state law perspective, you have these new comprehensive privacy laws that are applying to not-for-profits, and of course a lot of healthcare is not-for-profit,” she says. “New Jersey, Colorado, Delaware, and Oregon have privacy laws that directly affect hospitals, so you have that combination with some of those state privacy laws that do extend to PHI.”
Many of the state laws focus on mobile apps and consumer health, such as health trackers that count daily steps. That is not PHI covered by HIPAA, but it still can create problems for healthcare providers, Klein says.
“So why is that a problem? It’s a problem because HIPAA does not have a private right of action. You’re not going to get a class action under HIPAA,” she explains. “But under the state laws, you have the [attorneys general] who can bring regulatory action, and you have the threat of individual plaintiffs in class actions against healthcare institutions. That’s like a sea change.”
As onerous as HIPAA privacy and security and breach obligations can be, they largely are enforced by the Office of Civil Rights and not the private plaintiffs’ bar, Klein says. The possibility of state action and class action lawsuits brings an additional level of risk.
“Most of my clients, hospitals and physician groups, are using mobile devices and digital apps. You need to really understand that and try to avoid online tracking,” she says. “Think of that as the pixels that follow you around, and cookies and geolocation. And post-Dobbs, the Supreme Court decision, there is a concern over reproductive rights and the protection of sensitive information on where that person lives. That is getting a huge focus in healthcare.”
The FTC warned hospitals after Dobbs last year that they were going to look at online tracking and geolocation as a regulatory priority, Klein says.
“To the extent you’re collecting that data, they’re going to require a specific consent for sensitive data. Now, why is that a sea change? Because under HIPAA, traditionally if you’re talking about treatment, payment and operations, you don’t need a patient consent,” she says.
Healthcare institutions that collect certain kinds of data, including geolocation data, may need to go back to their patients and get consent, she says.
“It used to be that [Health and Human Services] was the main enforcer on the federal side,” Klein says. “Now we’re seeing the Federal Trade Commission is getting into enforcing privacy on healthcare information.”
Source
- Sharon R. Klein, JD, Partner, Blank Rome, Los Angeles, CA. Telephone: (949) 812-6010.