E-health, privacy, and security law / editor-in-chief W. Andrew H. Gantt III, Cooley LLP Washington DC.
2016
KF3827.R4 E34 2016
Title
E-health, privacy, and security law / editor-in-chief W. Andrew H. Gantt III, Cooley LLP Washington DC.
Published
Arlington, VA. : Bloomberg, BNA Books, [2016]
Call Number
KF3827.R4 E34 2016
Edition
Third edition.
ISBN
9781682670095 (hbk. ; alk. paper)
1682670090 (hbk. ; alk. paper)
Description
1 volume (various pagings) ; 26 cm
System Control No.
(OCoLC)958876642
Note
"American Bar Association, Section of Labor and Employment Law, Railway and Airline Labor Law Committee."
Bibliography, etc. Note
Includes bibliographical references and index.
Available in Other Form
Online version: E-health, privacy, and security law. Third edition. [Chicago] : American Bar Association Health Law Section ; Arlington, VA. : BNA Books, [2016] 9781682671085 (DLC) 2016043056
Record Appears in
Gift
Purchased from the income of the Silver Fund
The Arthur W. Diamond Law Library
Table of Contents
Foreword
vii
Preface
ix
About the Contributors
xiii
ch. 1
E-Health Explosion-An Analysis of Legal and Market Trends
1-1
I.
Introduction
1-1
II.
What Is E-Health?
1-2
III.
Growth of the E-Health Industry
1-3
A.
E-Health Product Developments
1-4
1.
Wireless Medical Devices and Mobile Applications
1-4
2.
Telemedicine
1-7
3.
Social Media
1-9
4.
Cloud Computing
1-10
B.
Corporate Transactions
1-11
1.
Government and Venture Capital Investment in E-Health Innovation
1-11
2.
Recent E-Health Merger and Acquisition Activity
1-12
C.
Other Government Support
1-13
IV.
Privacy Concerns and Enforcement
1-17
V.
Conclusion
1-22
ch. 2
E-Health Industry Overview
2-1
I.
Introduction to E-Health
2-2
II.
E-Health Industry
2-4
A.
Traditional Health Care Delivery Model
2-4
B.
E-Health's Underlying Technology
2-5
C.
Participants in E-Health Industry
2-6
1.
Health Care Providers
2-6
2.
Internet Pharmacies
2-7
3.
Vendors of HIT
2-8
4.
Telemedicine Providers
2-9
D.
E-Health Industry Business Models
2-10
E.
Improvement for E-Health
2-10
F.
Challenges Confronting E-Health
2-11
III.
Government Role in E-Health
2-12
A.
HITECH Act and Health Care Reform
2-12
B.
State of EHRs Adoption
2-14
C.
EHR, E-Prescribing Incentives, and Key Regulations
2-15
D.
Government Role as a Payor
2-17
IV.
E-Health Improvement to Health Care Delivery
2-18
V.
Conclusion
2-22
ch. 3
Health Information Technology
3-1
I.
Introduction
3-1
II.
Government HIT Initiatives
3-2
III.
Development of Standards for EHRs
3-4
A.
Standards Development for EHRs
3-4
B.
Barriers to Adoption of EHRs
3-8
IV.
Key to Transition From Fee-for-Service Medicine to Payment for Quality and Cost-Effectiveness
3-10
V.
Emerging Consumer HITs and PGHD
3-12
VI.
HIEs
3-15
A.
Implementation of RHIOs
3-15
B.
Lessons Learned From Early RHIO Efforts
3-17
C.
RHIO Technology Providers Are Fragmented
3-19
VII.
ACOs
3-20
VIII.
Analysis of Health Care Data to Support Improvements and Comparative Effectiveness
3-21
A.
Data Aggregation for Analysis
3-21
B.
Issues With Aggregation
3-22
C.
Interoperability and the Aggregation of Data
3-24
D.
Risks of Electronic Health Care Data
3-24
IX.
Conclusion
3-26
ch. 4
Privacy, PHRs, and Social Media
4-1
I.
Introduction
4-2
II.
What Is a PHR?
4-2
III.
Background
4-3
A.
Paradigm Shift to EHRs
4-3
B.
Market Forces Spurring the Use of Electronic PHRs
4-5
C.
Web 2.0-What Is Social Media?
4-6
IV.
Types of PHRs
4-8
A.
Untethered Versus Tethered
4-8
B.
Attributes of PHRs
4-8
C.
PHRs Distinguished From EMRs and EHRs
4-9
V.
Unique Risks Associated With Internet-Based PHRs
4-11
VI.
Federal Privacy and Breach Notification Protections of PHRs
4-12
A.
Privacy Statutes
4-12
1.
HIPAA Entities
4-12
2.
Privacy Protection for Non-HIPAA Vendor Information
4-14
B.
Security/Breach Notification
4-16
1.
HIPAA Breach Notification Rule
4-16
a.
What Is a Breach?
4-16
b.
Did the Breach Cause Threshold Harm?
4-17
c.
To Whom Must the Breach Be Reported and When?
4-17
d.
Enforcement
4-17
2.
HITECH Health Breach Notification Rule for Non-HIPAA Vendors
4-18
a.
What Is a Reportable Breach?
4-18
b.
To Whom Must the Breach Be Reported and When?
4-19
i.
Vendors
4-19
ii.
Individuals
4-19
iii.
Media Outlets
4-19
iv.
FTC
4-19
v.
Third-Party Service Providers
4-19
C.
Content of Notice of Disclosure
4-20
D.
Dual Reporting Obligations Under HIPAA Breach Notification Rule and Health Breach Notification Rule
4-20
E.
Enforcement
4-21
VII.
State Privacy Statutes
4-21
A.
Confidentiality of Patient Medical Records
4-21
B.
State Breach Notification Statutes
4-22
VIII.
Conclusion and Recommendations
4-22
ch. 5
Privacy Issues in U.S. Health Care
5-1
I.
Introduction
5-3
A.
Privacy Laws and Standards-Domestic and International
5-3
II.
Federal Privacy Protections
5-5
A.
U.S. Constitution
5-5
1.
Fourteenth Amendment
5-5
2.
Whalen v. Roe
5-6
3.
Scope of Constitutional Protection
5-6
B.
Statutes and Regulations
5-6
1.
Protection of Specified Health Information
5-7
a.
Freedom of Information Act
5-7
b.
Confidentiality of Records
5-7
c.
Medicare/Medicaid Conditions of Participation
5-9
2.
Protection of Specified Groups
5-9
a.
Children's Online Privacy Protection Act of 1998
5-9
b.
Human Subjects in Research
5-11
c.
Public Health Service Act
5-11
3.
Protection of Specific Segments of the Health Care Industry
5-11
a.
Privacy Act of 1974
5-11
b.
Gramm-Leach-Bliley Act
5-12
c.
Health Insurance Portability and Accountability Act of 1996-Privacy Regulations
5-12
i.
Individual Rights
5-15
ii.
Required and Permitted Uses and Disclosures
5-19
iii.
"Minimum Necessary" Standard
5-20
iv.
De-Identified Information and Limited Data Sets
5-20
v.
Business Associates and Business Associate Contracts
5-21
vi.
Enforcement
5-23
vii.
Conflicts With State Law
5-24
d.
Health Information Technology for Economic and Clinical Health (HITECH) Act
5-24
i.
Summary of Subtitles A, B, and C
5-25
ii.
Subtitle D-Amendments to HIPAA's Privacy Rule
5-28
a.
Definitions
5-28
b.
Breach and Notification of Breach
5-28
c.
Business Associates and Business Associate Agreements
5-31
d.
Changes to Individual Rights Granted Under HIPAA's Privacy Rule
5-32
e.
Changes to Marketing and Fundraising Provisions
5-34
f.
Prohibition on the Sale or Marketing of EHRs and PHI
5-35
g.
Improved Enforcement
5-35
e.
Health Insurance Portability and Accountability Act Omnibus Final Rule (HIPAA Omnibus Rule)
5-36
i.
Individual Rights
5-38
a.
Right of Access
5-38
b.
Right to Request Privacy Protection
5-38
c.
Notice of Privacy Practices
5-39
ii.
Uses and Disclosures Requiring Authorization
5-39
a.
Marketing
5-40
b.
Sale of Protected Health Information
5-41
c.
Compound Authorizations
5-41
iii.
Business Associates
5-41
a.
Definition
5-42
b.
Liability of Business Associates
5-43
c.
Subcontractors
5-43
d.
Business Associate Agreements
5-43
e.
Compliance Required
5-44
III.
State Privacy Protections
5-44
A.
Model Privacy Laws
5-44
1.
Health Information Privacy Model Act
5-45
2.
Uniform Health Care Information Act
5-45
B.
State Laws and Regulations
5-45
1.
Common Privacy Protections
5-46
a.
Consents and Authorizations
5-46
b.
Individual's Right of Access
5-46
c.
Individual's Cause of Action for Unauthorized Disclosures
5-47
2.
Common Disclosure Restrictions and Their Effects
5-47
a.
What Type of Entity Is Disclosing?
5-48
b.
What Type of Health Information Is to Be Disclosed?
5-48
c.
Mandatory Versus Permitted Disclosures
5-49
IV.
Professional Organizations and Groups
5-50
A.
Professional Organizations
5-50
1.
American Medical Association
5-50
2.
American Hospital Association
5-50
3.
JCAHO/Joint Commission on Accreditation of Healthcare Organizations
5-50
B.
Other Privacy Protection Guidelines
5-51
V.
Conclusion
5-51
ch. 6
European Data Privacy Regime
6-1
I.
Introduction
6-2
A.
European Union Legislation
6-4
B.
Importance of National Laws
6-6
C.
National Regulators, Article 29 Working Party, and the EDPB
6-6
II.
Key Concepts
6-9
A.
Personal Data
6-9
B.
Processing
6-12
C.
Data Controller and Data Processor
6-13
D.
Anonymization and Pseudonymization
6-13
III.
Jurisdiction
6-14
A.
EEA Establishment
6-15
B.
Non-EEA Established Entities
6-16
C.
GDPR
6-17
IV.
European Data Protection Principles
6-18
A.
Fair and Lawful Processing
6-19
B.
Particular Conditions for Sensitive Personal Data
6-20
C.
Valid Consent and Explicit Consent
6-22
D.
Data Subject Rights
6-24
E.
Data Security
6-25
V.
Appointing a Data Processor
6-27
VI.
Export of Personal Data Outside the EEA
6-29
A.
Adequate Level of Protection
6-30
1.
European Commission Findings of Adequacy
6-30
2.
U.S. Safe Harbor
6-31
B.
Adequate Safeguards
6-32
1.
Model Clauses
6-32
2.
Binding Corporate Rules
6-33
C.
Exceptions to the General Prohibition
6-34
D.
Personal Data Export Flow Chart
6-36
VII.
Administrative Requirements
6-37
A.
Data Protection Impact Assessments
6-40
B.
Privacy by Design
6-40
VIII.
Enforcement Under the GDPR
6-41
A.
Enforcement
6-41
IX.
The E-Privacy Directive
A.
Unsolicited Communications
6-41
B.
Cookies
6-42
C.
Reform of the E-Privacy Directive
6-43
X.
On the Horizon
6-44
XI.
Consumer Laws and Other Relevant Laws
6-45
ch. 7
Information Security and Breach Notification Under HIPAA and HITECH
7-1
I.
Introduction
7-2
II.
HIPAA Security Rule Requirements
7-3
A.
Information Security Program Development and Management
7-7
1.
Confidentiality
7-9
2.
Integrity and Availability
7-9
3.
Accountability
7-9
4.
Balancing the Objectives
7-10
B.
Implementing HIPAA Security Safeguards
7-12
C.
HIPAA Enforcement
7-12
1.
Public OCR Investigations of Alleged Security Rule Infractions Resulting in Resolution Agreements
7-17
a.
University of Washington Medicine
7-17
b.
Triple-S Management Corporation
7-17
c.
Lahey Hospital and Medical Center
7-18
d.
Cancer Care Group, P.C.
7-18
e.
Anchorage Community Mental Health Services
7-19
f.
New York and Presbyterian Hospital and Columbia University
7-19
g.
Concentra Health Services
7-20
h.
QCA Health Plan, Inc. of Arkansas
7-20
i.
Skagit County, Washington
7-21
j.
Affinity Health Plan, Inc.
7-21
k.
Idaho State University
7-22
l.
Hospice of Northern Idaho
7-22
m.
Massachusetts Eye and Ear Infirmary
7-23
n.
Alaska Department of Health and Social Services
7-23
o.
Phoenix Cardiac Surgery
7-24
p.
Blue Cross Blue Shield of Tennessee
7-24
q.
General Hospital Corporation and Massachusetts General Physicians Organization, Inc. (Collectively, Mass General)
7-25
2.
Public OCR Investigations of Alleged Security Rule Infractions Resulting in Corrective Action Only
7-26
a.
Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books
7-26
b.
Large Medicaid Plan Corrects Vulnerability That Resulted in Disclosure to Non-BA Vendors
7-26
c.
Health Plan Corrects Computer Flaw That Caused Mailing of EOBs to Wrong Persons
7-26
d.
National Pharmacy Chain Extends Protections for PHI on Insurance Cards
7-27
e.
Dentist Revises Process to Safeguard Medical Alert PHI
7-27
f.
Physician Revises Faxing Procedures to Safeguard PHI
7-27
g.
Private Practice Implements Safeguards for Waiting Room
7-27
D.
HIPAA Security Violation Penalty Risks
7-28
E.
Business Associates and Business Associate Contracts Under the Security Rule
7-30
III.
HIPAA Security Breach Requirements
7-34
IV.
State Security Breach Notification Legislation
7-38
A.
Economic Logic of Information Security Breach Disclosure
7-38
B.
Brief History of Information Security Breach Notification Laws
7-40
C.
Analysis of State Data Breach Notification Laws
7-42
D.
State Data Breach Notification Laws as of December 2015
7-44
Appendix 7-A: Sample HITECH/HIPAA Security Gap Analysis Checklist
7-46
ch. 8
Enforcement of the Health Insurance Portability and Accountability Act of 1996
8-1
I.
Introduction
8-2
II.
Key HIPAA Features
8-3
A.
Standards and Requirements
8-3
B.
Guidance
8-7
C.
Violations
8-8
III.
Investigations, Breach Reports, and Audits
8-9
A.
Complaint Process and Compliance Reviews
8-10
B.
Breach Reports
8-12
C.
HHS Audits of HIPAA Compliance
8-13
D.
Voluntary Compliance and Resolution Agreements
8-14
IV.
HIPAA Civil Monetary Penalties
8-15
A.
In General
8-15
B.
Enforcement Rule
8-17
C.
CMP Limitations and Lenience Provisions
8-18
D.
What Is a "Violation"?
8-20
E.
Industry-Wide HIPAA Compliance
8-22
F.
Procedures for Imposition of Civil Monetary Penalties
8-23
G.
Distinctive Features in the Imposition of Civil Monetary Penalties
8-25
1.
Imposition of Penalties
8-25
2.
Public Notice
8-26
3.
Statistical Sampling
8-26
4.
Liability for Violations by Agents
8-26
5.
Aggravating and Mitigating Factors
8-27
H.
Actions by State Attorneys General
8-29
V.
HIPAA Criminal Provisions
8-31
A.
In General
8-31
B.
Intent Standard
8-33
C.
Aiding and Abetting
8-36
D.
Conspiracy
8-36
E.
Other Potential Theories of Indirect Criminal Liability of Covered Entities and Business Associates
8-37
F.
Statute of Limitations
8-38
VI.
Enforcement Under Other Federal Statutes
8-38
A.
Federal Trade Commission Act
8-38
B.
False Claims and False Statements Statutes
8-40
C.
Mail and Wire Fraud
8-41
D.
RICO
8-42
E.
HIPAA as a Standard of Care
8-42
VII.
State-Law Preemption
8-43
VIII.
Compliance: Establishing a Plan to Avoid Enforcement Actions
8-45
IX.
Conclusion
8-47
ch. 9
E-Health Liability
9-1
I.
Introduction
9-2
II.
Professional Licensure and Credentialing
9-4
A.
Licensure Generally
9-4
B.
Penalties for Violating Licensure Laws
9-7
C.
Pharmacogenetics
9-10
D.
Public Health Emergencies
9-11
E.
Practice of Telemedicine Without Full Licensure
9-11
1.
Consultation Exception
9-12
2.
Endorsement
9-13
3.
Reciprocity
9-13
4.
Special License
9-14
5.
Telehealth Networks
9-14
F.
Credentialing
9-15
III.
Initiatives Regarding Regulation of Telemedicine
9-15
A.
Joint Working Group on Telemedicine
9-16
B.
Federation of State Medical Boards Model Act
9-17
C.
Federation of State Medical Boards Model Policy
9-18
D.
Nurse Licensure Compact
9-18
IV.
Malpractice
9-19
A.
Existence of Physician-Patient Relationship
9-19
B.
What Is the Legal Duty?
9-24
C.
Informed Consent and the Duty to Disclose
9-25
D.
Vicarious Liability
9-27
E.
Patient Abandonment
9-29
F.
Availability of Insurance for Telemedicine Encounters
9-29
1.
Malpractice Insurance and Gaps in Coverage
9-29
2.
Disclaimers of Liability
9-30
3.
What Malpractice Does Cover
9-31
a.
"Specified-Risk" or "Specified-Perils" Coverage
9-31
b.
"All-Risk" or "Open-Perils" Coverage
9-31
c.
Recommendation
9-31
V.
International Practice of Medicine
9-32
A.
Telemedicine
9-32
B.
Medical Tourism
9-32
C.
Medicaid and Medicare Reimbursement
9-33
D.
International Legal and Licensing Issues
9-34
VI.
Electronic Health Information
9-36
A.
Physician-Patient Relationship
9-38
B.
Certifications
9-38
C.
Liability
9-39
VII.
Mobile Medical Applications
9-42
VIII.
Conclusion
9-45
ch. 10
FDA Regulation of E-Health Technology and Services
10-1
I.
Introduction
10-2
II.
FDA Regulation of Online Activities
10-3
A.
Internet Drug Sales
10-4
1.
FDA Enforcement Activities
10-4
2.
Consumer Education
10-4
B.
Online Direct-to-Consumer Advertising
10-5
1.
Sponsored Links
10-5
2.
DTC Promotion of Genetic Testing Services
10-6
3.
Social Media
10-7
III.
FDA and Electronic Health Records
10-11
A.
FDA Authority to Regulate EHR
10-11
B.
ONC Regulation of EHR
10-12
C.
Increased Scrutiny and Oversight of EHR Systems
10-13
1.
FDA Working Group
10-13
2.
Legislative Inquiries
10-13
D.
FDA and ONC Collaboration
10-14
1.
HIT Policy Committee Recommendation
10-14
2.
Concerns
10-15
3.
Future Collaboration
10-15
IV.
FDA Regulation of Telemedicine
10-15
A.
What Is Telemedicine?
10-16
B.
mHealth Technologies
10-16
C.
FDA Regulation of Mobile Medical Devices
10-17
1.
Overview
10-17
2.
"Intended Use" of Mobile Medical Devices
10-18
a.
"Accessory" and "Component" Devices
10-18
b.
Regulatory Class
10-19
D.
Why Regulate Telemedicine?
10-20
1.
Safety Concerns
10-20
2.
Legislative Interest
10-20
3.
Industry Growth
10-21
E.
FDA and Telemedicine in the Early 2000s
10-21
1.
Early Guidance
10-22
2.
Further Guidance Documents
10-22
F.
Recent Developments in FDA Telemedicine Regulation
10-23
G.
FDA Final Rule on Medical Device Data Systems
10-25
1.
Exclusion of EHR
10-25
2.
Uncertain Applications
10-25
3.
Enforcement Discretion
10-26
H.
Final Guidance: Mobile Medical Applications
10-26
1.
Scope
10-28
2.
Classification of Mobile Platforms and Applications
10-28
3.
Definition of Mobile Application "Manufacturer"
10-29
4.
Direct Regulatory Oversight
10-30
5.
Enforcement Discretion
10-31
I.
Future Direction of Telemedicine Regulation
10-32
J.
Collaboration With the Federal Communications Commission
10-33
V.
Sentinel Initiative
10-36
A.
Structure and Objective of the Initiative
10-37
B.
Current Status and Future Plans
10-39
C.
Privacy and Security Concerns
10-40
ch. 11
Obligations in Response to a Health Care Data Security Breach
11-1
I.
Introduction
11-2
II.
Background
11-3
III.
"Breach" Defined
11-6
IV.
Risk Assessment
11-9
A.
Nature of Breach
11-12
B.
Identity of Any Known Recipient
11-13
C.
Actual Acquisition or Viewing of Data
11-14
D.
Mitigating Actions
11-15
E.
Covered Entity Obligations When Probability of Compromise Is Low
11-16
V.
Exceptions to the Definition of "Breach"
11-17
A.
Good-Faith Disclosures Within the Scope of Employment
11-17
B.
Inadvertent Disclosures by Otherwise Authorized Individuals
11-18
C.
Information Disclosed Not Reasonably Retained
11-20
D.
Disclosures of the Limited Data Set Excluding Certain Identifiers
11-21
VI.
Identity of Breaching Party
11-22
A.
Obligations for Covered Entities When Multiple Entities Transfer PHI and/or Breach Security Requirements
11-24
B.
Business Associate Requirements
11-25
C.
Agency Relationship Considerations
11-28
VII.
Notification Requirements
11-31
A.
Timing Requirements
11-31
B.
Method of Providing Notice
11-33
C.
Contents of Notice
11-35
VIII.
Potential Liabilities Created by the HITECH Act
11-36
A.
Civil Penalties
11-38
B.
Criminal Penalties
11-41
IX.
Recent Security Breach Settlements and Implications
11-41
A.
Breach Notification Rule-Related Settlements
11-42
B.
Other Notable Breach Settlements
11-43
C.
Implications of Recent Settlements
11-44
X.
Recent Trends in Security
11-44
XI.
Conclusion
11-45
ch. 12
Due Diligence in E-Health Transactions
12-1
I.
Introduction
12-2
II.
Nature of Due Diligence and Its Purposes
12-4
III.
Standard for Due Diligence Review
12-6
IV.
Composition of the Due Diligence Team
12-7
V.
Procedure for the Due Diligence Review
12-8
A.
Planning
12-8
B.
Confidentiality Agreements
12-9
C.
Checklists
12-9
D.
Location
12-10
E.
Reporting the Results
12-11
VI.
Contents of the Due Diligence Review
12-12
A.
Disclosure Controls
12-13
B.
Internal Controls
12-13
C.
Audit Committee Activities
12-14
D.
Code of Ethics
12-14
E.
Off-Balance-Sheet Transactions
12-15
F.
Implications of Sarbanes-Oxley for the Due Diligence Review
12-15
G.
Meaningful Use Due Diligence
12-16
H.
Data Security and Privacy
12-17
1.
Ownership of Data
12-17
2.
Use of Data Overseas and Restrictions Thereon
12-17
3.
Custodial Issues With Medical Records
12-18
4.
Data Security and Privacy
12-18
I.
Due Diligence Requirements for Government Contractor Entities
12-19
1.
Anti-Assignment Acts
12-19
2.
Valuing Government Contracts
12-19
3.
Organizational Conflicts of Interest
12-20
4.
Cost Allowable and Indirect Rate Determinations, Audits, and Investigations
12-20
5.
Risk Associated With Intellectual Property
12-21
6.
Foreign Operations
12-21
7.
Conclusion
12-21
VII.
Focus of the Due Diligence Review
12-21
A.
Assets
12-22
B.
Liabilities
12-24
1.
Liability for Target Company Employment Practices
12-27
2.
Immigration Reform and Control Act of 1986
12-28
3.
Liability Arising-Out of Exclusivity Contracts
12-28
C.
Agreements
12-28
D.
Capabilities and Protections
12-29
1.
Disaster Recovery and Business Continuity
12-30
2.
Audit and Inspection Rights
12-30
3.
Insurance Coverage Review
12-30
E.
Interviews
12-31
VIII.
Eight Common Pitfalls in Due Diligence
12-32
IX.
Understanding Health Care Entities and Operations
12-33
A.
Tax-Exempt Status
12-34
B.
Accreditation and Certification Issues
12-34
C.
Protected Health Care Information
12-35
D.
Health-Planning Approvals
12-37
E.
Conditions for Reimbursement
12-37
F.
Research or Grant Considerations
12-37
G.
Obligations to Provide Notice
12-37
X.
Laws and Regulations Specific to the Health Care Industry
12-38
XI.
Conclusion
12-42
ch. 13
Contracts in the Digital Age: Adapting to Changing Times
13-1
I.
Introduction
13-1
II.
Jurisdiction
13-3
III.
Relevant Statutes and Principles of Contract Law
13-14
A.
Electronic Signatures in Global and National Commerce Act
13-14
B.
Uniform Electronic Transactions Act
13-19
C.
Uniform Computer Information Transactions Act
13-25
IV.
Litigation: Courts Continue to Cope With Electronic Means of Contracting
13-29
A.
Browse Wrap Agreements
13-30
B.
Click Wrap Agreements
13-35
C.
Shrink Wrap Agreements
13-37
D.
Common Principles
13-41
V.
Conclusion
13-41
ch. 14
Evaluating Antitrust Concerns in the Electronic Marketplace
14-1
I.
Introduction
14-2
A.
Electronic Marketplaces
14-2
B.
Overview of Antitrust Law
14-3
C.
Antitrust Issues in the E-Commerce Setting
14-5
II.
Collaborations With Competitors
14-6
A.
Guidance
14-6
B.
Market Definition
14-7
C.
Facilitating Collusion
14-8
1.
Inherent Risks of Sharing Information
14-8
2.
Controlling the Risks
14-10
3.
Heightened Standard for Circumstantial Evidence
14-12
D.
Group Boycott
14-12
E.
Group Purchasing and Sales
14-13
1.
Traditional Analysis
14-13
2.
New Issues Created by the Electronic Marketplace
14-15
III.
Legal Analysis of Vertical Integration Issues
14-15
A.
Competitor Control of Vertically Related Entity
14-15
B.
Practical Limitations of the Theory
14-18
IV.
Exclusionary Practices
14-19
A.
Network Effects
14-19
B.
Exclusive Use Requirements
14-20
C.
Most-Favored-Nation Requirements
14-21
V.
Standards and Certification
14-25
A.
Significance to Electronic Health Care
14-25
B.
Historical Analysis
14-25
C.
Health Care Experience With Private Standard-Setting
14-28
VI.
Conclusion
14-31
ch. 15
Intersection of Health Law and Intellectual Property Law
15-1
I.
Introduction
15-4
II.
Federal Acts and Agencies
15-5
A.
HIPAA
15-5
1.
Background
15-5
2.
Privacy and Security Rules
15-6
3.
Identifier Standards
15-6
4.
TCS Standards
15-6
5.
Enforcement Rule
15-7
B.
HITECH Act
15-7
1.
Background
15-7
2.
Health Information Technology Standards
15-8
3.
Incentive Payments
15-8
4.
Strengthened Privacy Rules and Breach Notification
15-9
5.
Strengthened Penalties
15-9
C.
Standards for Privacy of Individually Identifiable Health Information
15-10
1.
Background
15-10
2.
What Is Protected
15-10
3.
Who Is Subject to the Privacy Rule
15-11
4.
Disclosures of PHI
15-12
a.
Required Disclosures
15-12
b.
Permissible Disclosures for Public Health, Law Enforcement, and Oversight Purposes
15-13
c.
Disclosures for Research Purposes
15-13
d.
Disclosures for Marketing Purposes
15-14
e.
Minimum Necessary Requirement
15-14
5.
Administrative Safeguards of the Privacy Rule
15-15
D.
Hatch-Waxman Act
15-15
1.
Introduction
15-15
2.
Abbreviated New Drug Application
15-16
3.
Generic Drugs and Patent Infringement
15-17
4.
Safe Harbor
15-18
5.
Patent Term Extension and Market Exclusivity for Pioneer Drug Companies
15-18
III.
Copyrights and Health Law
15-19
A.
What Is a Copyright?
15-19
B.
Exclusive Rights of Copyright Ownership
15-20
C.
Derivative Works and Substantial Similarity
15-20
D.
Obtaining a Copyright
15-21
E.
Duration of Copyrights
15-21
F.
Berne Convention
15-22
G.
Section 117 of the Copyright Act: Computer Programs
15-22
H.
Medical Materials and Copyright Law
15-22
1.
Protection for Medical Documents and Images, and Commercial Labels
15-23
2.
European and U.S. Database Protection
15-23
I.
Proprietary Databases and Copyright
15-24
IV.
Impact of Computer-Related Legislation on Medical Record Privacy
15-25
A.
Computer Privacy Acts
15-25
B.
Health Insurance Portability and Accountability Act
15-25
C.
Computer Fraud and Abuse Act
15-27
D.
Digital Millennium Copyright Act
15-29
E.
Other Relevant Computer Privacy Acts
15-31
1.
Electronic Communications Privacy Act
15-31
2.
Semiconductor Chip Protection Act
15-32
3.
Children's Online Privacy Protection Act
15-32
V.
Medical Codes and How They Affect Privacy
15-33
A.
HCPCS/CPT
15-34
B.
ICD-9-CM
15-35
C.
DRG
15-37
D.
Medical Codes and the Re-identification Problem
15-37
VI.
Trademark-Protecting Indicia of Ownership
15-40
A.
Trademarks in General and Identification With a Source of Goods
15-40
1.
What Can Be Trademarked?
15-40
2.
Trademark Remedies
15-41
3.
Trademark Laws
15-42
4.
Dilution
15-43
B.
How Are Trademarks Used?
15-45
1.
Purple Gloves
15-45
2.
How Trademarks Can Protect a Surgical Product or Medicine
15-46
3.
Aspirin Story
15-46
C.
Domain Names
15-47
1.
Protect Domain Name
15-47
2.
Secure Domain Name
15-48
VII.
Patents and Patent Law for the Health Attorney
15-48
A.
Patent Drafting, Patent Prosecution, and Patent Rights and Enforcement
15-49
1.
Parts of a Patent Application
15-49
2.
Patent Prosecution
15-52
3.
Patent Rights and Enforcement
15-52
B.
Patent Statutes in Detail and Some Commonly Misunderstood Concepts of Patent Law
15-53
1.
Four Requirements for Obtaining a Patent: "Idea" Versus "Invention"
15-53
2.
Section 112, First Paragraph: Written Description and Enablement
15-53
3.
Section 101: Statutory Class of the Invention
15-54
4.
Section 102: Novelty Versus Originality
15-57
5.
Unobviousness and Invalidity
15-58
C.
Bringing a Product to Market
15-60
1.
Freedom to Operate
15-60
2.
Filing and Acquiring Patents
15-63
D.
Nuances in the Medical Field
15-65
1.
Enablement and Written Description Requirements for Claiming Multiple Configurations of Drugs and Materials
15-65
2.
HIPAA Regulations and Patent Claim Strategy
15-67
VIII.
Trade Secrets-Protecting Essential Information
15-70
A.
Sources of Trade Secret Law
15-70
B.
Uniform Trade Secrets Act
15-71
C.
Establishing Ownership of a Trade Secret
15-71
1.
Nature of the Information
15-71
2.
Preserving Secrecy
15-72
3.
Proper and Improper Means of Acquisition of a Trade Secret
15-72
IX.
Preliminary Transactional Agreements and Proprietary Rights
15-73
A.
Modern Applications in the Health Care Industry
15-73
1.
Protected Health Information and Electronic Health Records
15-73
a.
Health Services Contracting
15-74
i.
Software Vendors
15-75
ii.
Warranties in Technology Transfers
15-76
iii.
Regulatory Compliance Covenants
15-77
iv.
Foreign Contractors
15-78
b.
Health Research
15-78
c.
Health Information Exchange and State Practices
15-79
d.
ACOs and Data Sharing
15-79
2.
Proprietary Rights in Product Development
15-80
a.
Collaboration Agreements
15-80
b.
Trade Secrets
15-81
B.
Suggested Drafting Provisions for the Creation of Effective Nondisclosure Agreements
15-82
1.
Access to Confidential Information
15-82
2.
Restricted Use of Confidential Information
15-82
3.
Nondisclosure of Confidential Information
15-83
4.
Nonsolicitation of Customers and Employees
15-83
5.
Reservation of Proprietary Rights
15-83
X.
Managing Exposure to Intellectual Property Litigation
15-83
A.
Due Diligence
15-84
1.
Identifying Potential Rights Holders
15-84
2.
Identifying the Scope of Existing Rights
15-85
3.
Determining How to Proceed: Licenses, Workarounds, and Declaratory Relief
15-85
B.
Strategic Intellectual Property Acquisitions
15-87
1.
Strategic Intellectual Property Filings
15-87
2.
Cross-Licensing Agreements and Patent Pools
15-88
C.
Corporate Policies and Employee Education
15-89
1.
Policies for Existing Employees and Independent Contractors
15-89
2.
Policies Addressing Concerns Relating to Nonemployees
15-91
3.
Ensuring Policies Are Properly Implemented
15-92
D.
Minimizing Exposure to Unavoidable Intellectual Property Litigation
15-92
1.
Insurance
15-92
2.
Industry and Government Outreach
15-93
3.
Alternative Dispute Resolution
15-94
E.
Conclusion
15-94
ch. 16
Allocation and Mitigation of Liability
16-1
I.
Introduction
16-2
II.
Status-Based Risks
16-3
A.
E-Content Providers
16-3
1.
Consumer-Oriented E-Content Providers
16-3
a.
Unauthorized Use of Copyrighted Material
16-4
b.
Unauthorized Use of a Trademark or Service Mark
16-6
c.
Liability for Erroneous Information/Defamation
16-10
d.
Unlicensed/Unauthorized Practice of Medicine
16-14
2.
Business-Oriented E-Content Providers
16-15
B.
E-Product Vendors
16-16
1.
Consumer-Oriented E-Product Vendors
16-16
a.
E-Prescribing Risks
16-16
b.
Privacy and Data Security Issues-Excluding HIPAA
16-20
i.
State Data Breach Notification Statutes
16-21
ii.
PCI Data Security Standard
16-21
iii.
Federal Trade Commission Section 5 Actions
16-22
iv.
Red Flags Rule
16-24
v.
FTC Health Breach Notification Rule
16-25
vi.
State Consumer Protection Laws and Court's "Inherent Powers"
16-26
2.
Provider/Business-Oriented E-Product Vendors
16-27
a.
Employee Access to Health Insurance Accounts
16-27
b.
Provider Publication Tools
16-27
C.
E-Connection Providers
16-28
1.
Unauthorized Use of Copyrighted Material
16-28
2.
Unauthorized Use of Trademark/Service Mark
16-29
3.
Infringement of Proprietary Rights in Technology
16-29
4.
Privacy and Data Security
16-29
5.
Liability for Erroneous Information/Defamation
16-30
D.
E-Care Providers
16-31
1.
Unlicensed/Unauthorized Practice of Medicine
16-31
2.
Malpractice
16-32
3.
Technology Performance Issues
16-33
4.
Privacy and Data Security
16-33
5.
FDA Regulation of Telemedicine
16-34
6.
FCC Regulation of Telemedicine
16-35
E.
EHR System Providers
16-36
1.
Privacy and Data Security-HIPAA and HITECH
16-36
2.
Medicare and Medicaid Incentive Programs and Achievement of Meaningful Use
16-39
3.
Allocation of Rights and Obligations Among HIE Participants
16-40
III.
Allocation and Mitigation of Risk
16-43
A.
Risk: Unauthorized Use of Copyrighted Material
16-43
1.
Before a Claim Occurs-Mitigation
16-43
2.
Before a Claim Occurs-Allocation
16-44
3.
When a Claim Occurs-Mitigation
16-45
B.
Risk: Unauthorized Use of a Trademark or Service Mark
16-46
1.
Before a Claim Occurs-Mitigation
16-46
2.
Before a Claim Occurs-Allocation
16-47
3.
After a Claim Occurs-Mitigation
16-48
C.
Risk: Publication of Erroneous or Defamatory Information
16-49
1.
Before a Claim Occurs-Mitigation
16-49
2.
Before a Claim Occurs-Allocation
16-49
3.
When a Claim Occurs-Mitigation
16-50
D.
Risk: Unlicensed or Unauthorized Practice of Medicine
16-50
1.
Before a Claim Occurs-Mitigation
16-50
2.
Before a Claim Occurs-Allocation
16-51
3.
When a Claim Occurs-Mitigation
16-51
E.
Risk: E-Prescribing and Malpractice
16-52
1.
Before a Claim Occurs-Mitigation-E-Prescribing
16-52
2.
Before a Claim Occurs-Mitigation-Telemedicine Technology
16-53
F.
Risk: Privacy and Data Security Compliance
16-53
1.
Before a Claim Occurs-Mitigation
16-53
2.
Before a Claim Occurs-Allocation
16-54
3.
When a Claim Occurs-Mitigation
16-55
ch. 17
Recent Cybersecurity Developments in Health Care
17-1
I.
Introduction
17-1
II.
HIPAA and HHS
17-5
III.
Federal Trade Commission Act
17-7
IV.
FDA Issues Draft Cybersecurity Guidance to Medical Device Manufacturers
17-10
A.
Key Elements
17-11
B.
Evaluating Risks of Essential Clinical Performance
17-12
C.
Risk Management and Vulnerability Assessment
17-12
D.
Remediation and Reporting
17-13
V.
Cybersecurity Information Sharing
17-14
A.
Sharing Cyber Threat Indicators and Defensive Measures With the Federal Government
17-16
B.
Protection From Liability
17-17
C.
Health Care Industry Cybersecurity Task Force
17-18
VI.
Conclusion
17-18
ch. 18
Legal Ethics and E-Health
18-1
I.
Introduction
18-3
II.
Use of Technology in the Practice of Health Law
18-5
A.
Attorney E-Competence in Managing Technology and Communications
18-5
1.
Confidentiality and Privacy of Electronic Information
18-7
a.
Misdirected Facsimiles or E-Mail
18-7
b.
Managing Compliance with HIPAA and the HITECH Act
18-7
c.
E-Mail Security
18-8
d.
Mobile Security
18-8
2.
Security of Electronic Information
18-9
a.
Back-Up
18-9
b.
Viruses
18-9
c.
Internet E-Mail and Encryption
18-9
i.
Duty of Confidentiality
18-10
ii.
Waiver of Attorney-Client Privilege
18-11
iii.
Malpractice Liability
18-11
iv.
HITECH Act Violations
18-11
d.
Hardware Risks
18-12
i.
Hard Drive or Remote Disk Drive Use
18-12
ii.
Deleting Data
18-12
e.
E-Mailed Documents
18-12
f.
Service of Process by Dropbox
18-13
g.
Other Issues
18-13
i.
Security Compliance
18-14
ii.
Disaster Planning
18-14
iii.
Cybercrimes and Data Breaches
18-15
iv.
Government Responses
18-16
3.
E-Discovery
18-17
a.
Scope of Discovery
18-18
b.
Ethical Requirements
18-18
c.
Social Media and Professional Communications
18-19
i.
Ethical Considerations
18-19
ii.
Admissibility
18-19
iii.
Special Issues
18-19
4.
Electronic Filings and Submission of Evidence
18-20
a.
Affecting the Practice of Law
18-20
b.
Affecting Health Care Laws
18-20
5.
Use of Cellular Phones, PDAs, and Apps
18-21
6.
Cloud Computing
18-22
7.
Virtual Law Office
18-22
B.
Ethical Issues With Technology Use
18-23
1.
Web Sites
18-23
2.
Social Media
18-24
a.
Blogs
18-24
b.
Wiki Pages
18-25
c.
Facebook
18-26
d.
Facebook and LinkedIn
18-27
e.
Twitter
18-27
f.
Use of Social Media by Attorneys-Use Caution
18-27
g.
Listservs
18-29
3.
Dealing With Negative Online Reviews
18-29
4.
Inappropriate E-Mails
18-30
5.
Other Information Portals
18-30
C.
Other Ethical Considerations
18-31
1.
Solicitation of Business
18-31
2.
Researching Potential Jurors or Witnesses
18-32
3.
Ex Parte Communications
18-33
III.
Knowledge of Client Misconduct
18-33
A.
Attorney-Client Privilege
18-36
1.
National Security and Attorney-Client Privilege
18-37
2.
Disclosure and Ransomware Attacks
18-38
B.
Ethics Rules on Confidentiality
18-38
1.
Confidentiality
18-38
2.
Assisting a Client's Crime or Fraud
18-39
3.
Audits and Investigations
18-39
a.
Hiring Consultants
18-40
b.
Crime/Fraud Exception to Attorney-Client Privilege
18-40
c.
Attorney Liability When Representing a Client
18-40
4.
Representing the Organization
18-41
a.
"Climbing the Corporate Ladder"
18-41
b.
Preventing Misunderstandings About Who Represents Whom
18-41
c.
Causing a Constituent to Be Fired
18-42
d.
Employee's Use of Employer Data in Legal Actions
18-42
IV.
Conflicts of Interest
18-43
A.
Joint Representation
18-43
B.
Close Corporations
18-45
C.
Partnerships and Limited Partnerships
18-46
D.
Conflicts and Malpractice Liability
18-47
Appendices
App-1
Appendix A: Government Agencies
A-1
Appendix B: E-Health Glossary
B-1
Appendix C: Health Insurance Portability and Accountability Act (HIPAA) Glossary
C-1
Appendix D: Documenting the Deal [Forms]
D-1
D-1.
HIPAA Business Associate Agreement Form
D-1-1
D-1.2.
Business Associate Agreement [HIPAA Administrative Simplification Subtitle]: Addendum
D-1.2-1
D-2.
Resolution Agreement
D-2-1
D-2.1.
Example of Resolution Agreement and Corrective Action Plan (Without External Monitoring)
D-2.1-1
D-2.2.
Example of Resolution Agreement and Corrective Action Plan (With External Monitoring)
D-2.2-1
Table of Cases
T-1
Index
I-1