Federal Regulatory Changes and Guidance
Sensitive Exams
So far in 2024, healthcare providers have seen a number of regulatory changes and guidance on the federal level. For example, in April, HHS issued a letter to U.S. teaching hospitals and medical schools regarding new informed consent guidelines from the Centers for Medicare and Medicaid Services. The letter discusses patient privacy rights regarding pelvic examinations and indicates that providers and trainees performing such examinations must first obtain and document informed consent.
Substance Use Disorder Information
HHS issued a final rule updating the Confidentiality of Substance Use Disorder (SUD) Patient Records (Part 2) regulations in February 2024. Pursuant to the updated regulations, patients may consent to all future uses and disclosures of their SUD records for treatment, payment or healthcare operations (TPO) purposes in accordance with a single, broad consent, thereby relieving the administrative burden on the provider of having to obtain separate consent for each future use or disclosure for TPO purposes. The updated regulations also introduced a new term, “SUD counseling notes,” defining it as a provider’s notes analyzing the contents of conversation during a SUD counseling session that are separated from the rest of the patient's medical record. Such SUD counseling notes may not be used or disclosed based on the broad consent mentioned above and, except in limited circumstances, may only be used and disclosed if a patient provides a separate consent. These updates (among others included in the final rule) align the Part 2 regulations somewhat more closely with HIPAA and will require providers of Part 2 Programs to adjust their policies and practices.
Reproductive Health Information
OCR issued a final rule, effective on June 25, 2024, and enforceable on December 23, 2024, providing additional protection to information relating to reproductive health (RHI). OCR added new definitions and revised existing ones. “Reproductive health care” is healthcare affecting “the health of an individual in all matters relating to the reproductive system and its functions and processes.” The new provisions prohibit covered entities and business associates from using or disclosing PHI to conduct criminal, civil, or administrative investigations into any person merely because the person was seeking, obtaining, providing, or facilitating lawful reproductive healthcare. Even if a disclosure is otherwise required by law, covered entities and business associates may not disclose RHI for purposes of health oversight activities, judicial or administrative proceedings, law enforcement, and disclosures regarding decedents and to coroners and medical examiners without obtaining a valid attestation that the use or disclosure is not for a prohibited purpose. OCR has drafted a model attestation and other guidance regarding the RHI changes.
The RHI rules have already come under fire. The State of Texas, in September 2024, filed a complaint arguing that not only the 2024 RHI rules, but the Privacy Rule provisions finalized 24 years ago that establish limitations on disclosing PHI to state investigators, exceed statutory authority and are arbitrary and capricious.
HHS’s Authority Post-Loper Bright
Lawsuits similar to the above-mentioned action by the State of Texas against HHS in September 2024 will undoubtedly proliferate in the near future in the wake of the U.S. Supreme Court’s June 28, 2024, landmark Loper Bright decision. In Loper Bright, the Court invalidated the long-standing Chevron deference doctrine under which courts were to follow a two-step framework when reviewing a federal government agency’s interpretation of a statute. Per step one of the framework, a court was to consider whether the statute at issue was clear, and if it was, to give effect to the statute as written. If the statute was ambiguous or silent on the issue in question, then per step two, the agency’s statutory interpretation was to be given deference by the court so long as that interpretation was reasonable. Loper Bright did away with this framework, reasoning that a court, when reviewing agency action, should (except in limited circumstances) exercise independent judgment when deciding issues of law rather than deferring to an agency’s interpretation of an ambiguous statute.
Loper Bright will likely embolden plaintiffs such as the State of Texas to challenge agency regulations implementing ambiguous statutes and enforcement involving interpretation of law and, as has already been made apparent, HHS will not be immune to such challenges with regard to HIPAA rules. The potential implications of Loper Bright are substantial and could result in the upending of certain HIPAA Privacy and Security Rules to which covered entities and business associates have grown accustomed. It will be critical for healthcare organizations to monitor relevant litigation and be prepared to adapt quickly in light of decisions that will impact their privacy and security programs.
State Laws
The number of states that have enacted consumer privacy legislation continued to grow in 2024. Currently, twenty states have adopted consumer privacy laws, with Rhode Island, Minnesota, Maryland, and New Hampshire being among the most recent to do so. These laws (which are of particular relevance to those not governed by HIPAA operating in the healthcare and life sciences industries) impose numerous requirements aimed at providing transparency to individuals about how their personal data will be processed and affording them certain rights, including rights to access, correct, and delete their personal data.
In April 2024, lawmakers introduced a new proposed comprehensive federal privacy bill called the American Privacy Rights Act (APRA), the purpose of which was to “establish a uniform national data privacy and data security standard in the United States” and preempt state consumer privacy laws. The APRA bill appears to have stalled, though, with several legislators expressing concerns about certain aspects of the bill. Without a federal comprehensive privacy law becoming law in the foreseeable future, state consumer privacy laws will remain relevant and will fill the void left by the absence of a national consumer privacy law.
New Enforcement and Litigation Trends
Plaintiff class actions regarding HIPAA privacy and security have exploded in recent years. Although there is no private right of action for violating HIPAA, every large breach seems to trigger an avalanche of lawsuits. Some of these class actions involve allegations that use of website tracking tools like pixels, web beacons, or cookies can result in PHI being disclosed to unauthorized third parties. OCR issued guidance on the privacy risks relating to these tracking technologies. The Federal Trade Commission and OCR issued a joint letter in July 2023 to over 130 companies regarding the dangers of tracking technologies. The American Hospital Association challenged portions of the OCR guidance, and in June 2024, the U.S. District Court for the Northern District of Texas declared portions of the guidance unlawful to the extent the guidance indicates that connecting an individual’s IP address with a visit to an unauthenticated webpage constitutes an improper use or disclosure of PHI.
Regarding enforcement likely to come in the near future, in an interview in May 2024, OCR Director Melanie Fontes Rainer indicated that OCR is making HIPAA Security Rule compliance an enforcement priority. She said that OCR has re-opened the HITECH Act audit program and that these audits will focus on security risk analyses and risk management.
Global Updates
Healthcare and life sciences entities operating globally will also contend with substantial developments in data protection laws around the world. For example, in Australia, the “Privacy and Other Legislation Amendment Bill 2024” was introduced in Parliament on September 12, 2024, proposing certain reforms, including a prohibition on doxxing (i.e., publicly disclosing personal data about an individual without consent), giving children stronger privacy protections online, requiring that greater transparency be given to individuals regarding automated decision-making with the use of their data, and empowering Australia’s data protection authority with more extensive enforcement authority.
In Canada, it is anticipated that the Consumer Privacy Protection Act (CPPA) will soon replace the existing federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). The CPPA introduces new rights that may be exercised by individuals over their personal data, including rights to deletion and data portability. The CPPA would also establish a new tribunal to oversee decisions made by Canada’s Privacy Commissioner and would permit individuals to bring private rights of action for injuries sustained as a result of violations of the law.
In Israel, on August 5, 2024, the Knesset approved the enactment of Amendment No. 13 to the Privacy Protection Law. Amendment No. 13 includes several changes to align the Privacy Protection Law’s standards more closely with those under the European Union’s General Data Protection Regulation (GDPR). For example, per Amendment No. 13, the definition of “personal information” subject to the law’s protections was expanded to include any information relating to an identified or identifiable person (similar to GDPR’s definition of “personal data”). Amendment No. 13 also imposes a new requirement for certain entities to appoint a privacy protection officer to ensure the entity’s compliance with the law (similar to GDPR’s requirement for certain organizations to appoint a data protection officer).
Conclusion
Undoubtedly, stakeholders in the healthcare and life sciences industries will have to tackle further regulatory changes and compliance challenges when it comes to information privacy and security. These challenges are brought about by numerous factors, including technological advances, shifting regulatory and enforcement paradigms, and the increasingly global nature of information privacy and security practices. Meeting such challenges will require from stakeholders an acute awareness of recent changes and those on the horizon.