UK Government Considering New Patient Data Security and Research Consent Standards, Sanctions

The UK Government has opened a consultation, running until September 7, 2016, regarding how UK National Health Service (NHS) patient data should be safeguarded, and how it could be used for purposes other than direct care (e.g. scientific research).

The consultation comes after two parallel-track reviews of information governance and data security arrangements in the NHS found a number of shortcomings, described below. The Care Quality Commission (CQC) and the National Data Guardian (NDG, led by Dame Fiona Caldicott) made a range of recommendations, including new security standards, stronger inspection and enforcement around security lapses and re-identification of anonymized patient data, and an eight-point process around assuming and respecting patient consent decisions.

Following the public consultation, the new security standards could eventually be required and audited by government inspectors from the CQC, and imposed under revised standard NHS England contract terms.  CQC inspectors could potentially act on tip-offs from NHS Digital (formerly known as the NHS Health and Social Care Information Centre, ‘HSCIC’).  Those tip-offs could be based on low scores obtained by organizations in their annual NHS Information Governance Toolkit (IGT) self-assessments.  The IGT, which the reviewers said should be redesigned, applies both to NHS bodies and their commercial vendors.

The new consent model, meanwhile, could provide more streamlined, system-wide consents for use of patient data for purposes including quality assurance and research.

The CQC and the NDG’s findings and twenty-four recommendations were jointly presented in a covering letter to the UK government, available here, and fuller reports, available here and here (CQC and NDG, respectively). This post provides a brief summary of their main findings and recommendations. For the consultation questions themselves, see here.

New EU Medical Device Guidance on Standalone Software

On 15 July 2016, the European Commission updated MEDDEV 2.1/6 (the “MEDDEV Guidance”), its medical device guidance on the qualification and classification of stand-alone software used in the healthcare setting. The updated version replaces an earlier version of MEDDEV 2.1/6 issued by the European Commission in January 2012.

MEDDEV 2.1/6 generally stands as a valuable resource to assist software developers in the assessment of whether software is a medical device. However, some have expressed disappointment that the updated guidance did not go further in clarifying the picture, particularly those operating within the mobile health (mHealth) space.

Indeed, the main changes consist of additions to the definitions section of the MEDDEV Guidance. There is now a definition to clarify that “software” is a “set of instructions that processes input data and creates output data”. There are also accompanying definitions of “input data” and “output data”.

ONC Report to Congress Identifies Gaps in Oversight of Privacy and Security of mHealth Technologies and Health Social Media

Earlier this month the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC), released a report to Congress highlighting “large gaps” in policies and oversight surrounding access to and security and privacy of health information held by certain “mHealth technologies” and “health social media.”

mHealth technologies may include wearables, such as fitness trackers, as well as personal health records and other cloud- or mobile-based tools that collect health information from consumers. The report defines health social media to include websites providing consumers with “specific opportunities” to share their health information and experiences, such as patient support portals or sites allowing patients to share their experiences with a particular health condition.  The report notes that 27 percent of internet users have tracked their personal health indicators online (such as weight, diet, exercise, or symptoms).

The ONC report highlights a number of concerns with mHealth technologies and health social media, primarily centered around the fact that many entities offering these technologies are not subject to the Health Insurance Portability and Accountability Act (HIPAA). These “non-covered entities” (NCEs) therefore need not comply with HIPAA privacy and security requirements and need not provide individuals with the same level of access to and control over their health information as that guaranteed by HIPAA.  The report also notes that non-covered entities are not subject to HIPAA limitations on the re-use and further disclosure of health information, such as HIPAA limitations on the use of such information for marketing.

With respect to data security, the report notes that many non-covered entities do not appropriately secure their users’ information. Specific concerns included lack of encryption, lack of methods to verify users’ identities, and inconsistent or inappropriate risk assessment and audit capabilities.  Although not a central focus, the report also notes that the expanded collection of health information by numerous entities without consistent security protections increases the risk of cybersecurity attacks targeting health information.

Finally, the report highlights gaps in information and understanding. For example, consumers using technologies offered by non-covered entities may not realize that the health information they provide is not protected by HIPAA.  The report also expressed concern that many NCEs lack “appropriate and understandable” privacy policies and notices, citing a study suggesting that only 30% of the most common mHealth apps have a privacy policy.  When non-covered entities do have privacy policies, the report states that the policies may be difficult to understand, may use undefined or imprecise terminology, or may change without notice.

The report does not recommend specific actions, but urges that gaps identified by the report “should be filled.” In a blog post announcing the report’s publication, the National Coordinator for Health Information Technology, Karen DeSalvo, described the report as “the first step in a conversation about these important issues.”  She noted that ONC looks forward to engaging with stakeholders in the coming weeks about how to address the gaps the report identifies.

Significant HIPAA Fine Follows Business Associate’s Stolen iPhone

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced a significant settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate under HIPAA, arising from a breach of protected health information (PHI) after the theft of an employee’s iPhone.  The iPhone was not encrypted or password protected and held extensive information on approximately 400 nursing home residents, including Social Security numbers; information regarding diagnosis and treatment, medical procedures, medication; and names of family members and legal guardians.  CHCS agreed to pay financial penalties of $650,000 and adhere to a corrective action plan.


CMS Marks Success with Fraud Prevention System’s “Big Data” Effort

Over the past five years, the Centers for Medicare & Medicaid Services (“CMS”) has used “big data” and predictive analytics approaches to fight fraud, waste, and abuse in the Medicare fee-for-service program.

According to a recent post on the official CMS blog, the Fraud Prevention System’s “big data” effort has given CMS the ability to better connect with predictive analytics experts and data scientists, and collaborate more closely with law enforcement. Through the Fraud Prevention System, CMS has “moved beyond the reactive ‘pay and chase’ approach” toward a more proactive approach aimed at preventing illegitimate payments in the first place.

As described in the CMS post, the Fraud Prevention System’s “big data” effort “has had a profound impact on fraudulent providers and illegitimate payments by allowing [CMS] to quickly identify issues and take action.” The technology has contributed to more than $1 billion in savings in 2014 and 2015. And, in 2015, CMS realized a national return-on-investment of $11.60 for every dollar the federal government spends on this effort.

CMS is now working to develop next-generation predictive analytics and a new system design to further improve the usability and efficiency of the Fraud Prevention System.

Obama Administration Releases Final Data Security Policy Principles and Framework for Its Precision Medicine Initiative

Last week I published an article on the Inside Medical Devices Blog, discussing eight data security principles that companies participating in the Precision Medicine Initiative should aim to meet.  The Administration’s guidance document additionally recommends a basic framework that organizations collecting, storing, and sharing patient information should adopt as current best practices.  The full post can be read here.

CMS Issues Guidance Encouraging the Use of Commercial Off-the-Shelf Technology and Software-as-a-Service for Medicaid Eligibility and Enrollment Systems

In March, CMS issued a State Medicaid Directors Letter (SMDL) about the availability of enhanced federal funding for state Medicaid programs’ eligibility and enrollment (E&E) systems. This SMDL represents CMS’s most recent effort to encourage States to use commercial “off-the-shelf” technology and “software as a service,” instead of customized electronic systems developed and built specifically for individual States.

