If it can happen to Meta, can it happen to you? Part 2

In our previous blog, we talked about the nearly half a billion dollar fine Meta received for violating the European data privacy and security law known as GDPR. Meta’s operational policy, which did not allow users to opt-out from targeted advertising, violated the law in Europe, and may be a violation of future U.S. laws. In the United States, we have state-level laws that substantially replicate GDPR provisions and we are rapidly moving towards a comprehensive national-level data privacy law in the near future. In the meantime, enforcement of current state and federal privacy laws is increasing and can have monumental consequences for health tech businesses that store and process user data. Read on for a synopsis of the top five you need to know about.

  1. HIPAA → Everyone knows that HIPAA relates to privacy and security of health data. The biggest HIPAA loophole is that it only applies to a few, very specific types of entities (like care providers, payors, and clearinghouses), and most health tech/tech companies are excluded. Social media companies like Meta and many health tech apps, like fitness or reproductive health trackers, are not subject to HIPAA rules and therefore can’t be punished for violating them. HIPAA also has no private cause of action attached to it, so individuals cannot sue businesses for HIPAA violations.
  2. Information Blocking → Like HIPAA, the relatively new Information Blocking regulation only applies to a few, very specific entities and providers – care providers, health information networks/exchanges, and health IT developers/certified health IT. If your business falls into one of these categories, it is imperative that you work towards compliance with this rule immediately, as the fines for non-compliance can be up to $1 million per infraction.
  3. FTC Act + FTC’s Health Breach Notification Rule → The FTC Act authorizes the agency to prevent, investigate, regulate, define, and punish “unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.” In other words, the FTC has broad powers over essentially every business in America, and if they don’t like the privacy practices your company is engaging in, they can declare them unfair, which has the effect of making them illegal. The FTC is actively enforcing its Health Breach Notification Rule, recently settling a claim against GoodRx for $1.5 million and proposing another settlement with BetterHelp for $7.8 million. In both cases, the tech giants are accused of selling health data to big tech companies like Meta and Google after telling their customers that they would not do that. Although these are the first two cases of their kind, the FTC is sending a clear message that they will not tolerate tech companies violating their own privacy policies, particularly where health data is involved.
  4. State-level laws modeled after GDPR → While the federal government moves towards a national-level data privacy standard akin to GDPR, many states have already enacted or proposed laws fortifying consumer protections for their residents and creating more comprehensive data privacy obligations for tech businesses. The first and strongest among these is California, with Colorado, Virginia, Connecticut, and Utah close behind. At least a half-dozen other states are posturing to join this list, creating a patchwork of state-level laws and regulations to adhere to. If your business has users in any of those states, your privacy practices are subject to the corresponding legal obligations.
  5. COPPA (Children’s Online Privacy Protection Rule) → If your tech company offers services focusing on children under 13 OR has actual knowledge that you’re collecting data on children under 13, you have a slew of additional obligations with respect to data collection, retention, use, and consent. The FTC is vigorously enforcing this rule, so if it applies to your business, it is imperative that you take steps to be in compliance.

If it can happen to Meta, can it happen to you?

If your health tech business processes or collects personal data, could you be at risk of incurring behemoth fines like Meta? In January 2023, Meta (parent company to Facebook and Instagram) was fined $414 million for violating an EU data privacy and security law known as GDPR (General Data Protection Regulation). This blog explains what happened to Meta and offers three best practices you should employ in order to avoid similar non-compliance fines.

What did Meta do?

Like many other tech companies, Meta pulls in the majority of its revenue from running ads on its social media platforms, allowing people to use the apps for free. Meta is able to attract so many advertisers by offering them the ability to target specific users based on things like what those individuals are searching for online, purchasing online, what websites they’re visiting, where they’re located, and what online content they’re interacting with.

This is not a secret, but what got Meta into so much trouble is that they required users to consent to online behavior tracking in the non-negotiable terms and conditions of using their social media apps. Those same terms of use also state that Meta can sell or utilize this information for their own profit.

In other words, if you want to use Facebook or Instagram, you must agree to have your online activities tracked, analyzed, and sold for profit. This type of forced invasion of privacy directly conflicts with the GDPR, which aims to give people more control over their own online data—who can collect it, how long they can store it, and what they can use it for.

How can your company avoid a similar fine?

These three takeaways can help keep your health tech company out of hot water:

  • Think globally. It doesn’t matter if your business is entirely based in America—if even ONE single user of your product is a resident of or visitor to another country, your company may be subject to laws, regulations, rules, and consequences that you’ve probably never even heard of.
  • Give users more opt-out opportunities. As we learned from Meta’s mistake, users should be able to opt out of cookie tracking and targeted advertising, at a minimum. But data privacy laws around the world are increasingly requiring more and more express user consent, so proactively infusing this expectation into your business model will set your company up for long-term success and competitiveness.
  • Seek expert advice. Consulting companies like Elevation specialize in staying at the forefront of the health data privacy conversation so you don’t have to. Let us tell you what’s coming down the pike so you can pivot more efficiently.

The remaining blogs in this series will break down the complex data privacy landscape, explain how data privacy laws and noncompliance consequences affect health tech companies and patient care in the U.S., and end with best practices and takeaways for health tech companies here to maximize profit and regulatory compliance.


The Information Blocking Data Set Honeymoon Period is Over

In May 2021, the Information Blocking rule became effective in the U.S., forbidding “actors” from interfering with the access, exchange, or use of electronic health information (EHI). For the purposes of this law, “actors” are “health care providers, health IT developers of certified health IT, and health information exchanges or networks” who are sharing data across two or more entities.

In order to make rollout gradual and achievable, the Office of the National Coordinator (ONC)—the federal agency which issued this rule—started off with a narrow definition of what counted as EHI. Initially, EHI (again, only for purposes of Information Blocking) was limited to the discrete set of data contained in Version 1 of the U.S. Core Data for Interoperability (USCDI) set.

On October 6, 2022, the honeymoon period of information blocking compliance with a well-defined and relatively manageable data set ended, and a new era in health data sharing began. Going forward, the EHI that “actors” must exchange is now the entire EHI data set as defined by the Health Insurance Portability and Accountability Act (HIPAA) in 45 CFR 171.102. The only two exclusions from the EHI set are psychotherapy notes (as defined in 45 CFR 164.501) and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

If your business is considered an “actor” in this space, compliance with this transition is extremely important. The ONC rule authorizes the Office of the Inspector General (OIG) to impose civil money penalties of up to $1 million per incident. Although OIG has not yet finalized their proposed enforcement rule, the agencies are recording complaints and it is possible that they will seek to penalize “actors” retroactively for violations that occur in this interim period.

Elevation Health Consulting can help you determine whether your business counts as an “actor,” what EHI your business is required to share, who your business is required to share it with, within what time frame the sharing must occur, and which exceptions you may be able to invoke. Get in touch with us today to get started!


Advisory Board Introduction

As many health tech companies are realizing, the regulatory landscape around them is complex and constantly shifting. Previously, companies had to seek guidance from siloed, individual experts, one by one. Thriving in this dynamic space today requires advice from multiple subject matter experts working together to provide the most nuanced and anticipatory, not reactionary, guidance.

Just like the regulatory backdrop transforming around us, Elevation is evolving, and we’re excited to share our new structure with you! We’ve brought on a group of experts in numerous aspects of health tech regulations who perfectly reflect the depth and complexity of the health tech teams we serve. This accomplished group will now advise Elevation to grow in our capacity to provide cohesive, comprehensive solutions to businesses looking to conquer problems in the delivery of health, medicine, and technology.

Meet the members of our Advisory Board:

Jason Brooke is an attorney and biomedical engineer with a wealth of experience in advising medical device and digital health companies at all stages of commercialization, particularly with respect to regulatory compliance with rules promulgated by the Food and Drug Administration (FDA). His expertise spans a variety of areas where cutting-edge technology meets the law, including software as a medical device, artificial intelligence, virtual reality, and augmented reality. Jason’s unique ability to straddle the worlds of law, science, and technology enables him to advise Elevation clients on everything from product design and development to business strategy and operations, all with respect to legal and regulatory compliance.

Evelyn Gallego started her own 8(a) certified Small Minority-Owned Business with a mission to deliver value-driven health data management advisory services to both private and government clients. Her expertise centers around bridging the gap between health IT policy/standards and business requirements. Evelyn excels in multi-stakeholder consensus-building and program management for value-driven client compliance solutions.

Dr. Alicia Morton Farlese has been a senior leader in national health IT policy and programs for nearly two decades and was a key drafter of many of the regulations that Elevation clients need help with the most, including the 21st Century Cures Act requirements around information blocking and interoperability. During her time within the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare & Medicaid Services (CMS), Alicia also implemented many of the HITECH Act provisions and oversaw the nation’s only Health IT Certification Program. In addition to her extensive background in Health IT, Alicia is a retired Captain/O-6 who served over twenty years in both the United States Navy Nurse Corps and the Commissioned Corps of the United States Public Health Service. She boasts impressive subject matter expertise in social determinants of health, nursing/clinical informatics, and public health.

Dr. Jamie Skipper, founder of Elevation, is a nationally-respected expert on health data regulations. Jamie has an extensive background in federal regulation, from her former roles as a Health IT Legislative Assistant on Capitol Hill and Senior Scientist at the Office of the National Coordinator for Health IT (ONC), to her present position as Director of Healthcare Registry Technology Consulting Services at IQVIA. She has seen promising companies bringing innovative tech solutions to the healthcare world get torpedoed by regulatory compliance, and built Elevation with the aim of breaking down silos of regulatory advisory services to help tech companies achieve cohesive regulatory alignment for elevated levels of sustainability and growth.

Kem Tolliver is a national expert on revenue cycle management. Kem has been providing strategic and operational leadership experience to hospitals and private health care providers for over two decades. She co-authored a text on revenue cycle management and brings valuable insight to payors, medical societies, and health IT software companies.

In addition to our Board members, we also have advisors with subject matter expertise in health data privacy law, patient access, and FHIR technology and compliance.


Four Important 2022 Regulatory Updates for Health Tech

COVID-19 may have stalled a lot of governmental work over the past two years, but regulations surrounding information blocking, interoperability, and health data privacy/patient access have been steadily proposed, finalized, and implemented. A lot of these regulations have now at least partially gone into effect. The headlines are not as splashy as those related to the global pandemic, but the significance of these efforts to many health tech companies is enormous.

In this post, we provide a quick reference list of four of the major events for health tech companies to pay attention to in the coming year.

  1. By now, health tech businesses know whether they are—or intend to become—certified by the Office of the National Coordinator (ONC) through the Health IT Certification Program. Businesses falling under this umbrella should have recently completed their first attestation to the conditions of participation, and should now be looking ahead to a large-looming year-end deadline to make the new HL7® FHIR® API capability available as their standard for health care data exchange. Not to be overlooked in the interim is another significant change coming this fall—as of October 6, 2022, the definition of Electronic Health Information (EHI) is transitioning from the data elements represented in the USCDI to the entire HIPAA data set, a much larger suite of information.
  2. Companies supporting payers in the medical space were given a reprieve at the end of 2021 when CMS formally announced its decision to exercise discretion in enforcement and no longer take action against certain payer-to-payer data exchange provisions in the Interoperability and Patient Access final rule. Over the past few months, CMS has further memorialized this intent by indicating that they will soon be releasing new rulemaking with regard to payer-to-payer data exchange, so stay tuned for more information on that as it becomes available.
  3. The Office of the Inspector General (OIG) is the HHS agency tasked with issuing enforcement guidelines and setting monetary penalty standards for entities which violate HHS regulations. As of the date of publication, we are still waiting on the Final Rule from OIG on penalties for information blocking. However, the Proposed Rule indicated fines up to $1 million per instance of information blocking, which could be especially devastating for startup health tech companies. While no fines are being handed out just yet, OIG has signaled that it intends to focus on selecting cases for investigation that are consistent with enforcement priorities, such as conduct that: (i) resulted in, is causing, or had the potential to cause patient harm; (ii) significantly impacted a provider’s ability to care for patients; (iii) was of long duration; (iv) caused financial loss to federal health care programs, or other government or private entities; or (v) was performed with actual knowledge.
  4. Finally, in December 2020, the federal government proposed several updates to HIPAA to require better data sharing between health care providers and health tech companies that empowers patients, improves coordinated care, and reduces regulatory burdens. These proposals have yet to be finalized, but should serve to streamline exchange of health data by enforcing important data exchange among payers and providers. The updated HIPAA rule is also expected to take a step in the direction of encapsulating social determinants of health by treating community-based organizations providing auxiliary support to patients (transportation, food, housing services, etc.) in essentially the same way as medical care providers with respect to health data privacy and sharing.

Is your health tech company ready to achieve compliance with these upcoming rule changes? Do you need help getting there? Enforcement and heavy fines are just around the corner, but Elevation is here to help you navigate these rules and stay off OIG’s radar. We work with your business every step of the way, from attaining and maintaining compliance with currently enacted regulations to predicting and monitoring new regulations coming down the pike.


Landscape of Privacy Rules Governing U.S. Health Tech Companies

Health data privacy is governed by more than just HIPAA. Just like tech, this legal area of health-data privacy and data access is undergoing rapid growth and development, so it is essential for your business to stay up to date. Below is a summary of the most relevant state, federal, and international data privacy laws and regulations which affect health tech businesses in the U.S.

FEDERAL LAWS & REGULATIONS—these apply to businesses located anywhere in the U.S.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA only applies to very specific holders of health data—covered entities (“CEs”) and their business associates (“BAs”)—and to a very specific type of data—protected health information (“PHI”). For more on HIPAA, check out Elevation’s HIPAA Refresher blog series.

The main tenets of HIPAA are that PHI cannot be shared without patient consent (the Privacy Rule), and that certain physical, administrative, and technical safeguards must be implemented in order to protect PHI (the Security Rule).

Health Information Technology for Economic and Clinical Health Act (HITECH)

HITECH was signed into law in 2009 with the goal of promoting and expanding the adoption and meaningful use of health information technology—specifically, electronic health records (“EHRs”)—by health care providers. HITECH increased PHI protections to assure patients more confidence in the security and transmission of their PHI.

HITECH also expanded HIPAA requirements to BAs in a legally enforceable way. Prior to HITECH, only CEs could be penalized by the government for HIPAA violations. Today, the government can sanction CEs and BAs alike for HIPAA violations. Current HITECH regulations have now morphed into CMS’s Promoting Interoperability Programs.

CMS Interoperability and Patient Access Final Rule

This relatively new rule, now administered by CMS’s Promoting Interoperability Program offices, took effect in 2020 and became enforceable this year. The central takeaway from this rule is that all CMS-regulated payers must now implement and maintain an HL7 Fast Healthcare Interoperability Resources (“FHIR”) standard API. The FHIR framework provides a means for representing and sharing health information among clinicians and organizations regardless of the ways local EHRs represent or store the data.

Importantly, as its name suggests, this rule also requires or encourages different types of entities to allow patients to have electronic access to some of their personal information. For example, health plans must make certain data available to patients such as adjudicated claims, encounters with capitated providers, and some clinical data.

21st Century Cures Act/Information Blocking

This rule works in conjunction with CMS’s Interoperability Rule to promote effective and appropriate health-related communications. Certain entities are required to share electronic health information (“EHI”), which is broader than PHI, for a variety of patient care purposes. Interfering with this exchange is called information blocking. Your company can still be deemed a “data blocker” even if your activities are not directly involved with patient treatment. The information blocking rule has a list of exceptions, such as infeasibility and preventing harm, but they are generally pretty narrow in order to encourage as much appropriate EHI sharing as possible.

INTERNATIONAL LAW—this applies to many U.S. companies that have even one customer or consumer in the EU.

General Data Protection Regulation (GDPR)

The GDPR was enacted in 2016 and has revolutionized data privacy by imposing specific, stringent obligations on businesses (e.g. data protection by design) and endowing all EU residents with certain rights and privileges (e.g. right to access personal data). It has quickly become an international “gold standard,” inspiring several U.S. states to consider or pass similar laws. Several U.S. Congress members are currently proposing U.S. national-level versions of the GDPR.

GDPR is a transparency-centered law that empowers consumers with brand new rights to their own data—this means any data, not just health data. The rule includes the right for consumers to erase or correct their information. Consumers can also restrict the processing or sale of their data. It also imposes strict security and compliance standards on businesses, enforceable by government fines and consumer lawsuits.

GDPR may apply to your business if you have even just one customer who is (or becomes) an EU resident. It’s vital for tech companies in particular to be informed about this law, as their “products” are generally quite portable and companies can incur fines or be subject to consumer lawsuits.

STATE LAWS—may apply to businesses headquartered in those states, businesses with operations in those states, and/or businesses with consumers who are residents of those states.

State-level “mini-GDPRs” and “mini-HIPAAs”

In the U.S., the federal government sets minimum legal standards across the country. States may then choose to raise the minimum legal standard within that state by passing their own laws. Many states have chosen to do this with HIPAA-covered health data privacy laws.

For example, Illinois has a Biometric Information Privacy Act (BIPA), which covers the collection, use, and retention of biometric identifiers such as retina scans, iris scans, fingerprints, and voiceprints, as well as any information based on an individual’s biometric identifier that can be used to identify that individual. Among other things, BIPA requires companies to provide individuals with notice and to obtain their written consent before collecting their biometric data.

While the federal government has not (yet) enacted a national law or standard in a certain area, many states choose to pass their own laws to ensure certain standards are being met within their geographic boundaries or with regard to their residents. This is currently happening with data privacy in the U.S.—in the absence of a specific federal law, several states have begun to implement certain provisions of the GDPR.

The most notable (and the first in the nation) are likely California’s two companion laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Although many people consider these to add up to a state-level GDPR, the threshold for businesses to become subject to these laws is higher than GDPR. For example, the CCPA and CPRA apply only to businesses in California that have a gross annual revenue over $25 million; buy, receive, or sell the personal information of at least 50,000 California residents, households, or devices; or derive 50% or more of their annual revenue from selling California residents’ personal information.

This is just a high-level overview of the main data privacy rules governing U.S. health tech companies, and it may have already changed since you began reading this blog post. While other legal areas may trail decades behind the pace of reality, new data privacy laws and regulations are evolving quickly. Generally speaking, protections are becoming greater for individuals while businesses are seeing additional burdens and obligations. Let Elevation help take some of that extra weight off your shoulders—we can help you determine which laws apply to your business and help you implement necessary changes to achieve compliance!


HIPAA Basics for Health Tech – Breach Notification Rule

The average cost of a data breach for U.S. health care companies is $6.45 million (or $429 per individual record), surpassing the global all-industry average. The Breach Notification Rule in HIPAA lays out specific criteria for what can legally be considered a breach, what organizations should do if a breach occurs, and what data holders can be held liable for after a breach happens.

While the Breach Notification Rule applies to covered entities, business associates, and other business associate-type companies that fall under HIPAA, the steps to address breaches in this Rule can be considered best practices for any company holding protected health information (PHI).

If your business experiences a breach, you must notify affected individuals, the HHS Secretary, and, in certain situations, even the media. This Rule defines breach as any unauthorized use or sharing of protected health information (PHI) that jeopardizes the security and privacy of a person’s information. This includes information that has been compromised, lost, or stolen as a result of unauthorized access by an employee, a third party, a ransomware attack, or other improper disclosures.

The Rule encourages businesses to utilize certain preventive encryption and destruction techniques on all their devices and software. The rationale is that taking these precautions should render any compromised PHI either unreadable or unusable by an unauthorized person.

It is important to remember that HIPAA is not the only source of law that health tech companies need to comply with. The data privacy landscape is complex and changing constantly. For example, there are applicable federal rules from HHS on interoperability and information blocking practices and from the Federal Trade Commission on consumer protection. Further, every state has its own statutes which specify additional (or more stringent) compliance standards and procedures.

Unsure what your business needs to do to limit your potential liability around handling patient data? Elevation’s data privacy experts are ready to help your company navigate current and emerging data privacy requirements, identify areas of liability and institute safeguards to limit your exposure.


HIPAA Basics for Health Tech – Security Rule

From a practical standpoint, the Security Rule is probably the most relevant section of HIPAA for health tech companies. The Security Rule operationalizes much of the Privacy Rule by setting standards for the security of the technology used to access, store, transmit, or process protected health information (PHI).

One of the most important things to understand about the Security Rule is that while it sets standards that must be met by CEs or health tech companies that qualify as BAs, it’s not overly prescriptive on how these standards must be met. Therefore, complying with the Security Rule is more of an exercise in reasonable risk mitigation than adhering to a checklist of specific practices and protocols.

The Security Rule outlines “required” and “addressable” specifications for administrative, technical, and physical safeguards, as well as for organizational and documentation purposes.

For example, there are four required administrative specifications:

  1. Risk analysis
  2. Risk management
  3. Sanction policy
  4. Information system activity review

Under this Rule, companies are required to assess vulnerabilities and potential risks in their PHI-handling practices. Once these are established, they must implement protocols to mitigate the risks (including sanctions against employees who violate the protocols). CEs and BAs must also have the technological capability to review employee activity while accessing PHI on the company’s various data platforms.

CEs and BAs may approach “addressable” specifications in whatever ways make the most sense for their business. For these choices it is vitally important that companies document the reasoning behind them.

Some general best practices to conform to the Security Rule’s addressable specifications include:

  • Limiting PHI collection, usage, and retention to only what is essential for successful business operations.
  • Aggregating data wherever possible to meet business goals and avoid HIPAA violations.
  • Periodically reviewing and updating security measures and documentation in response to environmental and operational changes that affect security of PHI.

Because portions of the Security Rule are open to interpretation, many health technology companies need to know what their unique situation requires to comply with HIPAA and avoid legal fines and penalties. Reach out to Elevation today—we have the expertise to confidently help your business navigate this regulatory landscape!


HIPAA Basics for Health Tech – Privacy Rule

HIPAA is the cornerstone of safely sharing health data in the U.S. Policy experts love to point out that the “P” in HIPAA stands for Portability not Privacy. The idea is that data portability cannot be realized without creating a safe data sharing environment. HIPAA’s main two rules—the Privacy Rule and the Security Rule—lay out the security and protection standards around protected health information (PHI). In this blog, we’ll cover the basics of the Privacy Rule and what it means for health tech companies.

The Privacy Rule is essentially the cornerstone section of HIPAA. It lays out the permitted uses and disclosures of PHI that Covered Entities (CEs), such as hospitals and providers, may make without additional authorization from patients. Generally, a CE is permitted (but not required) to use and disclose PHI without an individual’s authorization for the following purposes or situations:

  • Treatment, Payment, and healthcare Operations (commonly referred to as the “TPO” Exception)
  • Certain public interest and benefit activities, including:
    • When required by law
    • Public health activities (e.g. reporting certain communicable diseases such as TB to public health authorities)
    • Victims of abuse, neglect, or domestic violence
    • Health oversight activities
    • Judicial and administrative proceedings
    • Law enforcement
    • Research (under certain conditions)
    • Preventing or lessening a serious threat to health or safety
    • Essential government functions
    • Workers compensation

The Privacy Rule also details what is known as the Minimum Necessary Rule, which determines that CEs must make a “reasonable” effort to disclose only the minimum necessary PHI required to achieve their purpose.

Today, health tech companies that fall under the HIPAA umbrella are called “business associates (BAs)” and must comply with HIPAA rules in order to avoid serious financial and legal repercussions and remain in business. The Elevation team can help your company navigate your responsibilities as a BA when handling PHI. In addition, we offer engaging and effective HIPAA courses that train health technology company staff to recognize PHI and keep it safe.

Stay tuned for our next blog, where we will break down the Security Rule and offer some best practices around the Security Rule for health tech companies.


HIPAA Basics for Health Tech – Protected Health Information

The global COVID-19 pandemic has driven health care more into the virtual world at an unprecedented and historic pace, and the need to protect digital health data is now more pressing than ever. Does HIPAA provide the coverage to protect all health data currently being exchanged? The quick answer is no. However, understanding what HIPAA includes as “Protected Health Information (PHI)” is a fundamental concept for health tech leaders to grasp. HIPAA ONLY applies to PHI—not any other kind of information.

PHI is any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity. It can only be shared to provide health care services or secure payment for health care services. PHI can be in any form, including physical records, electronic records (often referred to as ePHI), or spoken information.

It’s important to note that PHI must be a combination of a personal identifier with some health information (anything about a person’s past, current, and future health such as diagnoses, health care coverage, payment for medical services, lab results, etc.). There are discrete categories of information that qualify as personal identifiers:

  • Names
  • Dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  • Telephone/fax numbers
  • Geographic data/address
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g. retinal scan, fingerprints)
  • Any unique identifying number or code

Under HIPAA, if health information is stripped of all identifiers that can tie the information back to an individual, it ceases to be PHI and the HIPAA rules no longer apply. However, the landscape is evolving to protect data beyond what is covered under HIPAA. Be aware of the new class of data protections that have already been passed in California and Virginia. For a full audit of data protection laws that affect your health tech, reach out to the Elevation Team.
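As an added example that is not part of the original post (and not Elevation’s own tooling), the Python sketch below implements the identifier handling the list above describes: it drops direct-identifier fields, keeps only the year of dates, buckets exact ages over 89, scrubs identifier patterns that leak into free-text notes, and reports what remains. The field names, regex patterns, and sample record are constructed for this example; a real de-identification program would also need a documented review that nothing else in the record could identify the individual.

```python
"""Safe Harbor-style de-identification helper (added example, not Elevation's code).

The identifier categories listed above are modelled two ways: record fields
that are direct identifiers are dropped outright, and regex patterns catch the
identifiers that most often leak into free-text notes. Dates are generalised to
the year and ages over 89 are collapsed into one bucket, as the list requires.
Field names and the sample record are constructed for this example.
"""
import re

# Record fields that are direct identifiers and are removed wholesale
# (constructed field names covering the categories on the page).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "address", "ssn", "email", "mrn", "account_number",
    "health_plan_id", "license_number", "vehicle_id", "url", "device_serial",
    "ip_address", "photo", "biometric", "other_unique_id",
}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}

# Identifiers that commonly leak into free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)|\b\d{3})[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE),
}


def generalize_date(iso_date: str) -> str:
    """Keep only the year of a YYYY-MM-DD date; the year is the one date element that may remain."""
    return iso_date[:4]


def generalize_age(age: int) -> str:
    """Exact ages over 89 are themselves identifiers, so they collapse into a single bucket."""
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace each recognised identifier pattern in free text with a labelled placeholder."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[REDACTED {label.upper()}]", text)
    return text


def deidentify(record: dict) -> dict:
    """Return a copy of the record with direct identifiers removed and quasi-identifiers generalised."""
    cleaned = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely: no placeholder, so nothing can be inferred from its shape
        if key in DATE_FIELDS:
            cleaned[key] = generalize_date(value)
        elif key == "age":
            cleaned[key] = generalize_age(value)
        elif isinstance(value, str):
            cleaned[key] = scrub_text(value)
        else:
            cleaned[key] = value
    return cleaned


def residual_identifiers(record: dict) -> list:
    """Post-scrub check: labels of free-text identifier patterns still present anywhere in the record."""
    found = set()
    for value in record.values():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.add(label)
    return sorted(found)


# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN0001",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "dob": "1931-02-14",
    "age": 92,
    "admission_date": "2023-04-05",
    "diagnosis": "Type 2 diabetes",
    "note": "Follow-up call to 555-867-5309, MRN 0001, portal https://portal.example.org/jane",
}

if __name__ == "__main__":
    before = residual_identifiers(SAMPLE_RECORD)
    after = deidentify(SAMPLE_RECORD)
    print("identifier patterns found before scrubbing:", before)
    print("de-identified record:", after)
    print("identifier patterns remaining:", residual_identifiers(after))
```

Note that the check only covers the patterns it knows about; a clean result from `residual_identifiers` is a necessary condition, not proof that the record is de-identified.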