November 29, 2023 | Alerts

Flurry of Activity Around Patient Information Impacting New York Providers

In the last few months of 2023, there has been a flurry of legal activity pertaining to the use, disclosure, and protection of health information.  Here is a summary of the latest legal initiatives impacting New York providers.

AHA Sues DHHS Over Tracking Guidance

As we have noted in previous Garfunkel Wild alerts, the Department of Health and Human Services (“DHHS”) Office of Civil Rights (“OCR”) published guidance regarding the use of tracking technologies (i.e., technologies that collect and analyze information about how users interact with websites and mobile applications). The guidance specifically states that authenticated (i.e., pages requiring a log-in) and unauthenticated website pages containing tracking technologies could violate HIPAA and result in a Breach of Unsecured PHI.  In July 2023, OCR and the Federal Trade Commission (“FTC”) jointly notified 130 providers that they may be deploying online tracking technologies in violation of HIPAA.

In response, on November 3, 2023, the American Hospital Association, along with the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System (the “Plaintiffs”), filed a lawsuit against DHHS and the OCR.  The Plaintiffs claim that OCR’s guidance inappropriately expands the definition of PHI to include data, such as internet protocol addresses, collected from unauthenticated public-facing provider webpages, even when the user has no existing relationship with the provider.  The Plaintiffs are requesting that the Court intervene to prevent the OCR’s interpretation regarding tracking technologies on unauthenticated websites from being enforced. 

Information Blocking Enforcement

In November, the DHHS released a proposed rule that would establish three specific “disincentives” for healthcare providers that knowingly and unreasonably interfere with the access, exchange, or use of electronic health information in violation of the Information Blocking Rule.  The disincentives, which will be coordinated through the CMS, are as follows:

  • Pursuant to Meaningful Use, violations by an eligible hospital could result in the loss of 75 percent of the annual market basket increase (a methodology used to increase payments to adjust for, among other things, inflation);
  • Under MIPS, an eligible clinician or group that violates the Information Blocking Rule would receive a zero score in the “Promoting Interoperability” performance category of MIPS, if required to report on that category. The Promoting Interoperability performance category score typically can be a quarter of a clinician or group’s total MIPS score in a year.
  • Under the Medicare Shared Savings Program, a healthcare provider that is an Accountable Care Organization (ACO), ACO participant, or ACO provider or supplier would be deemed ineligible to participate in the program for at least one year. This may result in a healthcare provider being removed from an ACO or prevented from joining an ACO.

The proposed regulations can be found here: https://www.federalregister.gov/documents/2023/11/01/2023-24068/21st-century-cures-act-establishment-of-disincentives-for-health-care-providers-that-have-committed.  Public comments on the proposed rule will be accepted through January 2, 2024.

NYS Department of Health Issues Cybersecurity Regulations

The New York State Department of Health (“NYSDOH”) proposed new cybersecurity regulations at 10 NYCRR 405.46 (the “NY Cybersecurity Regulations”).  The NY Cybersecurity Regulations mirror the HIPAA Security Rule in many ways, but there are a number of additional requirements that must be addressed.  These include, among other things:

  • Requirement for an annual report to the Governing Board by the Chief Information Security Officer
  • Policies regarding third-party vendor access to systems containing patient information and validation regarding compliance with such policies
  • Multifactor authentication
  • Specific requirements for an incident response plan
  • Notification of NYSDOH within 2 hours of identifying a cybersecurity incident

The proposed regulations can be found here: https://www.health.ny.gov/facilities/public_health_and_health_planning_council/meetings/2023-11-16/docs/codes_agenda.pdf.  They will go into effect one year from the date of approval, except that the reporting obligations to the NYSDOH become effective immediately upon adoption.

New York Attorney General Settlement re: Breach

In October, the New York Attorney General secured $350,000 from a home health care company, Personal Touch Holding Corporation (“Personal Touch”), for failing to protect patient data.  This resulted from a ransomware attack against Personal Touch that compromised the medical information of approximately 316,845 individuals.  It was determined that Personal Touch violated both HIPAA and New York state law by failing to adequately implement data security safeguards.  In addition, the Attorney General obtained $100,000 from an insurance software vendor for compromising Personal Touch employees’ data.  This case reminds everyone that both the OCR and state attorneys general are authorized to pursue enforcement for violations of the HIPAA Security Rule (as well as state law).

Should you have any questions regarding the above, please contact the author, the Garfunkel Wild attorney with whom you regularly work, or contact us at [email protected].