
ABA Health eSource | November 2024

Six Current Data Privacy Challenges

Shannon B. Hartsfield and Jeremy Shapiro-Barr

Summary

  • The healthcare and life sciences industries have been affected significantly by the emergence of new threats and the costs of keeping up with regulatory change.
  • More than 20% of the ransomware complaints that critical-infrastructure organizations filed with the FBI in 2023 came from the healthcare and public health sector.
  • Various forms of AI will undoubtedly bring myriad benefits, as well as risks, to healthcare.

There is never a dull moment when it comes to keeping up with legal developments in data privacy and security, but the last year has been a particularly bumpy ride. The healthcare and life sciences industries have been affected significantly by the emergence of new threats and the costs of keeping up with regulatory change. Healthcare and life sciences entities should focus on a number of areas when updating their compliance programs, including the following.

Continued Threats from Bad Actors

Scattered Spider, BlackCat (ALPHV), and KillNet may sound like the names of comic book villains, but the threats they pose are all too real. The FBI’s Internet Crime Complaint Center (IC3) reported that it received 1,193 ransomware complaints from critical-infrastructure organizations in 2023, and more than 20% of those (249) came from the healthcare and public health sector, the most of any sector. HHS reported a 93% increase in large breaches (those affecting 500 or more individuals) from 2018 to 2022, and a 278% increase over the same period in large breaches involving ransomware. HHS’s Health Sector Cybersecurity Coordination Center (HC3) has observed that “[t]here is no single action that can protect an organization from cyber threat groups”; organizations instead must layer a number of countermeasures (for example, phishing-resistant multi-factor authentication, prompt patching of internet-facing systems, and tested offline backups) to reduce their exposure.

This year saw what may be the largest healthcare breach of all time. Change Healthcare, a clearinghouse that handles nearly 40% of all health claims, suffered a ransomware attack in February 2024 attributed to the BlackCat (ALPHV) group. According to later congressional testimony by its parent company, UnitedHealth Group (UHG), the attackers gained initial access using compromised credentials for a Citrix remote-access portal that was not protected by multi-factor authentication. Even though UHG paid a ransom, the protected health information (PHI) of millions of Americans may have been leaked to the dark web. HHS has announced that affected covered entities may delegate their notification obligations to Change Healthcare and UHG, but they must still “ensure that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule.” HHS’s “Frequently Asked Questions” on the incident suggest that although Change Healthcare and UHG are the primary targets of its investigation, enforcement action against affected covered entities remains possible. Specifically, the guidance states that while the HHS Office for Civil Rights (OCR) “prioritized and opened investigations of Change Healthcare” and UHG, OCR’s “interests in other entities that partnered with Change Healthcare and UHG is secondary.”

Artificial Intelligence (AI)

Sophisticated forms of machine learning, including ChatGPT (text); DALL-E, Midjourney, and Stable Diffusion (images); AlphaCode (code); Synthesia (video); and many others, will undoubtedly bring myriad benefits, as well as risks, to the healthcare industry. At least one federal regulator has gone so far as to say that using health data to train AI is prohibited, yet AI is already in use across the healthcare space. When AI is used to evaluate, analyze, and predict health-related information and behavior, there are risks of discrimination and unintended outcomes, and training data that contains PHI can resurface in a model’s outputs. Federal and state governments are trying to manage these risks and keep pace with the rapid adoption of large language models and other AI systems. For example, noting that AI “holds extraordinary potential for both promise and peril,” President Biden issued Executive Order 14110 on October 30, 2023, which announced eight guiding principles for AI and directed the National Institute of Standards and Technology (NIST), in coordination with certain other agencies, to establish guidelines and best practices for AI. In response, NIST released four publications in July 2024 aimed at improving AI safety, security, and trustworthiness. HHS had already issued its Trustworthy AI (TAI) Playbook in 2021, which addresses key privacy considerations, including data sensitivity, privacy rights, applicable laws and rules, and data sharing.

Federal Regulatory Changes and Guidance

Sensitive Exams

So far in 2024, healthcare providers have seen a number of regulatory changes and new guidance at the federal level. For example, in April, HHS sent a letter to U.S. teaching hospitals and medical schools regarding new informed consent guidelines from the Centers for Medicare &amp; Medicaid Services (CMS). The letter discusses patients’ privacy rights regarding pelvic and other sensitive examinations, particularly those performed on anesthetized patients, and indicates that providers and trainees performing such examinations must first obtain and document informed consent.

Substance Use Disorder Information

HHS issued a final rule in February 2024 updating the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations (42 C.F.R. Part 2). Under the updated regulations, a patient may give a single, broad consent covering all future uses and disclosures of their SUD records for treatment, payment, or healthcare operations (TPO) purposes, relieving the provider of the administrative burden of obtaining a separate consent for each future TPO use or disclosure. The rule also introduced a new term, “SUD counseling notes,” defined as a provider’s notes analyzing the contents of conversation during a SUD counseling session that are kept separate from the rest of the patient’s medical record. SUD counseling notes may not be used or disclosed on the basis of the broad consent described above and, except in limited circumstances, may be used or disclosed only with a separate, specific consent. These updates (among others in the final rule) align the Part 2 regulations somewhat more closely with HIPAA and will require Part 2 programs to adjust their policies and practices before the February 16, 2026, compliance date.

Reproductive Health Information

OCR issued a final rule, effective June 25, 2024, with a compliance date of December 23, 2024, providing additional protection for reproductive health information (RHI). OCR added new definitions and revised existing ones; “reproductive health care” is health care affecting “the health of an individual in all matters relating to the reproductive system and its functions and processes.” The new provisions prohibit covered entities and business associates from using or disclosing PHI to conduct a criminal, civil, or administrative investigation into, or to impose liability on, any person merely for seeking, obtaining, providing, or facilitating lawful reproductive health care. In addition, when a covered entity or business associate receives a request for PHI potentially related to reproductive health care for health oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosures about decedents to coroners and medical examiners, it may not release the information, even where the disclosure would otherwise be permitted or required by law, without first obtaining a valid signed attestation that the use or disclosure is not for a prohibited purpose. OCR has published a model attestation and other guidance on the RHI changes.

The RHI rules have already come under fire. The State of Texas, in September 2024, filed a complaint arguing that not only the 2024 RHI rules, but the Privacy Rule provisions finalized 24 years ago that establish limitations on disclosing PHI to state investigators, exceed statutory authority and are arbitrary and capricious.

HHS’s Authority Post-Loper Bright

Lawsuits like the State of Texas’s September 2024 action against HHS will undoubtedly proliferate in the wake of the U.S. Supreme Court’s landmark June 28, 2024, decision in Loper Bright Enterprises v. Raimondo. In Loper Bright, the Court overruled the long-standing Chevron deference doctrine, under which courts followed a two-step framework when reviewing a federal agency’s interpretation of a statute. At step one, a court considered whether the statute at issue was clear and, if so, gave effect to the statute as written. If the statute was ambiguous or silent on the question, then at step two the court deferred to the agency’s interpretation so long as that interpretation was reasonable. Loper Bright did away with this framework, reasoning that a court reviewing agency action must (except in limited circumstances) exercise independent judgment on questions of law rather than defer to an agency’s reading of an ambiguous statute.

Loper Bright will likely embolden plaintiffs such as the State of Texas to challenge regulations that implement ambiguous statutes and enforcement actions that turn on an agency’s interpretation of the law, and, as the Texas suit already shows, HHS will not be immune to such challenges with regard to the HIPAA rules. The potential implications are substantial and could upend certain HIPAA Privacy and Security Rule requirements to which covered entities and business associates have grown accustomed. Healthcare organizations should monitor the relevant litigation and be prepared to adapt their privacy and security programs quickly as decisions come down.

State Laws

The number of states that have enacted consumer privacy legislation continued to grow in 2024. Currently, twenty states have adopted consumer privacy laws, with Rhode Island, Minnesota, Maryland, and New Hampshire being among the most recent to do so. These laws (which are of particular relevance to those not governed by HIPAA operating in the healthcare and life sciences industries) impose numerous requirements aimed at providing transparency to individuals about how their personal data will be processed and affording them certain rights, including rights to access, correct, and delete their personal data.

In April 2024, lawmakers introduced a new proposed comprehensive federal privacy bill called the American Privacy Rights Act (APRA), the purpose of which was to “establish a uniform national data privacy and data security standard in the United States” and preempt state consumer privacy laws. The APRA bill appears to have stalled, though, with several legislators expressing concerns about certain aspects of the bill. Without a federal comprehensive privacy law becoming law in the foreseeable future, state consumer privacy laws will remain relevant and will fill the void left by the absence of a national consumer privacy law.

New Enforcement and Litigation Trends

Class actions alleging HIPAA privacy and security failures have exploded in recent years. Although HIPAA provides no private right of action, every large breach seems to trigger an avalanche of lawsuits brought under state statutes and common-law theories. Many of these actions allege that website tracking tools such as pixels, web beacons, and cookies disclosed PHI to unauthorized third parties. Such a tracker typically transmits, on every page load, the full page URL (path and query string), the referring page, the vendor’s own identifier cookie, and the visitor’s IP address, so a pixel embedded in an authenticated patient portal, or on a page about a specific condition, can tie an identifiable individual to the care they sought. OCR issued guidance in December 2022 (updated in March 2024) on the privacy risks of these technologies, and the Federal Trade Commission and OCR sent a joint letter in July 2023 to roughly 130 hospital systems and telehealth providers warning of the same dangers. The American Hospital Association challenged portions of the OCR guidance, and in June 2024 the U.S. District Court for the Northern District of Texas declared the guidance unlawful to the extent it treats the combination of an individual’s IP address with a visit to an unauthenticated webpage as an improper use or disclosure of PHI.
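The following JavaScript is an added illustration, not code from the article or from any hospital or analytics vendor, of what a third-party tracking pixel actually sends on each page load and how a compliance team might audit those requests against the authenticated/unauthenticated distinction the litigation turned on. The hospital site, the analytics endpoint, the pixel parameter names (`dl`, `dr`, `cid`), the list of portal path prefixes, and the identifier parameter names are all assumptions chosen for the example; the page loads are constructed sample data.

```javascript
// Added example (not from the article): model what a typical third-party
// tracking pixel transmits from a hospital web page, audit each request for
// likely PHI, and show a hardened variant. All hosts, paths and parameter
// names below are hypothetical. Runs under Node.js (URL is a global).

// A pixel builds its request from the page it is embedded on: the full page
// URL (path + query), the referrer and the vendor's identifier cookie. The
// vendor's server also sees the client IP. Parameter names are assumed here.
function buildPixelRequest(vendorEndpoint, pageUrl, referrer, vendorCookieId) {
  const req = new URL(vendorEndpoint);
  req.searchParams.set("dl", pageUrl);                 // "document location"
  if (referrer) req.searchParams.set("dr", referrer);   // "document referrer"
  if (vendorCookieId) req.searchParams.set("cid", vendorCookieId);
  return req.toString();
}

// Hypothetical path prefixes that sit behind a patient login.
const AUTHENTICATED_PREFIXES = ["/portal/", "/mychart/"];
// Hypothetical query parameters that commonly carry identifiers.
const IDENTIFIER_PARAMS = ["mrn", "patient_id", "appt", "email"];

// Audit one outgoing pixel request together with the client IP the vendor
// will observe. Authenticated pages: the path plus IP/cookie ties an
// identifiable patient to care. Unauthenticated pages: IP + page visit alone
// was held not to be PHI, but identifiers in the query string remain a problem.
function auditPixelRequest(pixelUrl, clientIp) {
  const req = new URL(pixelUrl);
  const page = new URL(req.searchParams.get("dl"));
  const authenticated = AUTHENTICATED_PREFIXES.some((p) => page.pathname.startsWith(p));
  const leakedParams = [...page.searchParams.keys()].filter((k) => IDENTIFIER_PARAMS.includes(k));
  return {
    vendorHost: req.hostname,
    clientIp,
    path: page.pathname,
    leakedParams,
    vendorCookieId: req.searchParams.get("cid"),
    authenticated,
    likelyPhi: authenticated || leakedParams.length > 0,
  };
}

// Hardened variant: no third-party beacon at all behind the login; on public
// pages send only origin + path (query string stripped), no referrer and no
// cross-site cookie identifier. Whether to send the path at all is a policy
// decision for the covered entity.
function hardenedPixelRequest(vendorEndpoint, pageUrl) {
  const page = new URL(pageUrl);
  if (AUTHENTICATED_PREFIXES.some((p) => page.pathname.startsWith(p))) {
    return null;
  }
  const req = new URL(vendorEndpoint);
  req.searchParams.set("dl", `${page.origin}${page.pathname}`);
  return req.toString();
}

// Constructed sample page loads against a hypothetical hospital site/vendor.
const VENDOR = "https://collect.example-analytics.test/pixel";
const SAMPLE_LOADS = [
  { page: "https://hospital.example/conditions/oncology",
    referrer: "https://search.example/?q=chemo", cid: "ga-7f3a", ip: "203.0.113.7" },
  { page: "https://hospital.example/portal/appointments?appt=48213",
    referrer: "https://hospital.example/portal/", cid: "ga-7f3a", ip: "203.0.113.7" },
  { page: "https://hospital.example/find-a-doctor?patient_id=000123",
    referrer: "", cid: null, ip: "198.51.100.9" },
];

// Run the audit over the sample loads and return one finding per load.
function runAudit(loads = SAMPLE_LOADS) {
  return loads.map((l) =>
    auditPixelRequest(buildPixelRequest(VENDOR, l.page, l.referrer, l.cid), l.ip));
}

for (const finding of runAudit()) console.log(JSON.stringify(finding));
for (const l of SAMPLE_LOADS) console.log("hardened:", hardenedPixelRequest(VENDOR, l.page));
```

Running it shows the public condition page flagged as not PHI on its own (the IP-plus-unauthenticated-visit combination the court addressed), the portal appointment page flagged because the path alone reveals a patient relationship and the query string carries an appointment identifier, and the public find-a-doctor page flagged only because of the identifier in its query string. The hardened function drops the beacon entirely behind the login and strips the query string elsewhere, which is the minimum a covered entity should expect of a tag configuration before pointing to the court ruling as cover.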

Regarding enforcement likely to come in the near future, in an interview in May 2024, OCR Director Melanie Fontes Rainer indicated that OCR is making HIPAA Security Rule compliance an enforcement priority. She said that OCR has re-opened the HITECH Act audit program and that these audits will focus on security risk analyses and risk management.

Global Updates

Healthcare and life sciences entities operating globally will also contend with substantial developments in data protection laws around the world. For example, in Australia, the “Privacy and Other Legislation Amendment Bill 2024” was introduced in Parliament on September 12, 2024, proposing certain reforms, including a prohibition on doxxing (i.e., publicly disclosing personal data about an individual without consent), giving children stronger privacy protections online, requiring greater transparency be given to individuals regarding automated decision-making with the use of their data, and empowering Australia’s data protection authority with more extensive enforcement authority.

In Canada, it is anticipated that the Consumer Privacy Protection Act (CPPA) will soon replace the existing federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). The CPPA introduces new rights that may be exercised by individuals over their personal data, including rights to deletion and data portability. The CPPA would also establish a new tribunal to oversee decisions made by Canada’s Privacy Commissioner and would permit individuals to bring private rights of action for injuries sustained as a result of violations of the law.

In Israel, on August 5, 2024, the Knesset approved Amendment No. 13 to the Privacy Protection Law. Amendment No. 13 includes several changes that align the Privacy Protection Law’s standards more closely with those of the European Union’s General Data Protection Regulation (GDPR). For example, the definition of “personal information” subject to the law’s protections was expanded to include any information relating to an identified or identifiable person (similar to GDPR’s definition of “personal data”). Amendment No. 13 also imposes a new requirement for certain entities to appoint a privacy protection officer to ensure the entity’s compliance with the law (similar to GDPR’s requirement that certain organizations appoint a data protection officer).

Conclusion

Undoubtedly, stakeholders in the healthcare and life sciences industries will have to tackle further regulatory changes and compliance challenges when it comes to information privacy and security. These challenges are brought about by numerous factors, including technological advances, shifting regulatory and enforcement paradigms, and the increasingly global nature of information privacy and security practices. Meeting such challenges will require from stakeholders an acute awareness of recent changes and those on the horizon.
