By Bob Belfort, Manatt Phelps & Phillips, LLP
Integrating observations of daily living (ODLs) with clinical practice workflow raises a number of legal and policy issues. Manatt, along with Deven McGraw at the Center for Democracy and Technology, is excited to be serving as legal and regulatory compliance consultants for Project HealthDesign to help navigate these challenges. The lessons we learn from analyzing these and other issues will help to inform the ever-evolving federal and state policy landscape governing the exchange of ODLs and other information through PHRs. Working collaboratively, we will be identifying a series of policy issues, and potentially crafting solutions to them, that will help to ensure more robust integration of patient-generated data into clinical workflow in the future.
Our analysis is currently focusing on:
Privacy and Security
In Project HealthDesign, ODLs are flowing from the patient through portable electronic devices to data repositories maintained by research institutions or PHR vendors such as Microsoft or Google. Providers are then accessing the ODLs in these repositories in different ways. In addition, the reliance by many of the projects on portable devices maintained by patients means paying special attention to minimizing security risks in environments that are outside of the researchers’ control, an area most health care providers have not previously confronted.
To address these and other privacy and security issues, we will be evaluating the implications of existing state and federal laws governing the privacy of health information. Some of the key legal issues applicable to the grantees’ research studies include:
- Ensuring patient authorization forms satisfy HIPAA and the patchwork of state laws.
- Minimizing security risks associated with loss or theft of, or improper access to, portable devices.
- Properly verifying subject identity.
- Ensuring transmission security of information between portable devices and other computer systems.
- Facilitating compliance with potential mandatory reporting obligations triggered by receipt of ODLs.
Concerns beyond Legal Compliance
Our obligation, however, goes beyond pure legal analysis. It includes providing policy advice even when there is no specifically applicable law. For example, it may be prudent to apply the same security standards to unregulated data as to data that are subject to HIPAA. After all, in the event of a security breach, it is unlikely that the lead paragraph of the news story will be that the HIPAA security rule was inapplicable.
Risk Management
We will also be providing guidance on the risk management issues faced by providers in using ODLs. Providers are concerned about an implied obligation to review ODLs that might be available to them. What if they overlook something critical? Can they rely on this type of information to make treatment decisions? This is a new issue for providers, where standards of care are still evolving.
As we work through these issues we’ll be writing monthly blog posts. In the meantime, if there are any legal or regulatory concerns nagging at you, please comment below so we can have a look!