In collaboration with the Bergen County Prosecutor’s Office; 6 NJ/NY CLE credits.
Helen Oscislawski, Privacy Risk Assessments and Privacy Challenges
Helen Oscislawski is the founder of Oscislawski, LLC in Princeton. She provides legal guidance on HIPAA, HITECH, state privacy laws, electronic health information exchanges and health information technology to HIEs, RHIOs and ACOs, and counsels other healthcare clients in various matters.
Ms. Oscislawski was appointed by Governor Jon Corzine in 2008 to the New Jersey Health Information Technology Commission (NJHITC) and was reappointed to the NJHITC by Governor Chris Christie in 2010 where she also served as Chair of the Privacy and Security Committee for NJHIT Coordinator. She is the primary author of Update to Privacy and Security Compliance Manual, which was developed for the New Jersey Hospital Association and, most recently, she has developed and authored several editions of the HIPAA-HITECH Helpbook, a manual that combines tools and sample forms that address HITECH changes, state law and other considerations and Meaningful Use and Health Information Exchanges.
Before founding Oscislawski, LLC, Ms. Oscislawski was a healthcare attorney at Fox Rothschild in Princeton, New Jersey, where she counseled healthcare clients on a wide range of legal matters. She received her BA from Rutgers University, Douglass College and her JD from Rutgers School of Law.
Frank Pasquale, Professor of Law, Seton Hall Law School, The Past, Present and Future of Health Privacy
Professor Frank Pasquale is the Schering-Plough Professor in Health Care Regulation and Enforcement at Seton Hall Law School. Professor Pasquale has taught information and health law at Seton Hall since 2004. He has published over 20 scholarly articles. His research agenda focuses on challenges posed to information law by rapidly changing technology, particularly in the health care, internet, and finance industries.
Professor Pasquale is an Affiliate Fellow of Yale Law School’s Information Society Project. He has been named to the Advisory Board of the Electronic Privacy Information Center. He has served on the executive board of the Health Law Section of the American Association of Law Schools (AALS), and has served as chair of the AALS Section on Privacy and Defamation.
Professor Pasquale received his BA from Harvard University (summa cum laude), his M.Phil. from Oxford University, and his JD from Yale Law School.
Jaime S. Pego, Director, Healthcare Advisory Services, KPMG LLP, (along with Joy Pritts, Mark Swearingen, and Frank Pasquale, Moderator) Panel Discussion: The Practical Steps Necessary to Promote Privacy and Cybersecurity in Modern Healthcare Organizations
Jaime S. Pego is a Director in the Short Hills, New Jersey, office of KPMG LLP’s Healthcare Advisory Services Practice and serves as the firm’s National HIPAA Privacy Director. She has substantial experience in healthcare regulatory compliance and healthcare-related advisory services.
Ms. Pego works with a variety of healthcare clients to assist with identifying and preventing compliance risks and complying with federal and state regulations. Her work for KPMG includes serving as lead director for OCR HIPAA audits, as well as acting as Privacy Lead for the KPMG HIPAA national service line assisting covered entities and business associates with HIPAA compliance. She has conducted internal investigations concerning a variety of topics, including fraud and abuse, HIPAA violations, as well as other legal and regulatory matters, and researched and developed compliance policies for institutions in the areas of gifting under the Anti-Kickback Statute and Stark Law, the DRA, HIPAA, EMTALA and others. She participates in the KPMG National HIPAA working group to develop tools and methodologies for client needs, and conducts and manages ICD-10 Impact Assessment at a variety of healthcare organizations to help identify gaps in ICD-10 readiness. She has also served as the firm’s lead manager for health care reform legislative analysis and research.
Prior to coming to KPMG, Ms. Pego was a Local Compliance Officer at a teaching hospital and outpatient center for one of New Jersey’s largest health care systems and has worked with some of the country’s leading health systems. She received her BA from American University and her JD from Seton Hall University School of Law, with a Concentration in Health Law, and is Certified in Healthcare Compliance (CHC) by the Health Care Compliance Association (HCCA).
Joy Pritts, Chief Privacy Officer, ONC, HHS, Meaningful Use Regulations: What Providers Need To Know To Comply
Joy Pritts joined the Office of the National Coordinator for Health Information Technology (ONC), Department of Health & Human Services in February 2010 as its first Chief Privacy Officer. Ms. Pritts provides critical advice to the Secretary and the National Coordinator in developing and implementing ONC’s privacy and security programs under HITECH. She works closely with the Office for Civil Rights and other operating divisions of HHS, as well as with other government agencies to help ensure a coordinated approach to key privacy and security issues.
Prior to joining ONC, Ms. Pritts held a joint appointment as a Senior Scholar with the O’Neill Institute for National and Global Health Law and as a Research Associate Professor with the Health Policy Institute, Georgetown University. She has an extensive background in confidentiality laws including the HIPAA Privacy Rule, federal alcohol and substance abuse treatment confidentiality laws, the Common Rule governing federally funded research, and state health information privacy laws.
Ms. Pritts received her BA from Oberlin College and her JD from Case Western Reserve University.
Anna Spencer, Esq., Sidley Austin, LLP, Data Breaches/Data Breach Notification Requirements and the Need for Encryption
Anna Spencer is a partner in Sidley Austin’s Washington, D.C. office whose practice focuses on health care. Ms. Spencer primarily works on matters involving the privacy and security of health information and she is the firm’s global coordinator for health information privacy. She regularly counsels a broad range of clients on healthcare information privacy and security issues. This includes assisting clients with respect to HIPAA and HITECH, and she has significant experience in investigating and responding to data breaches and information security incidents. She has represented clients in connection with data breach reporting obligations under the HITECH regulations for breaches of protected health information and defended health care providers in investigations initiated by the Office for Civil Rights, Department of Health and Human Services.
On behalf of covered entities and entities that qualify as HIPAA business associates, Ms. Spencer has developed multiple HIPAA privacy and security compliance and training programs. She has negotiated hundreds of Business Associate Agreements on behalf of various clients.
Ms. Spencer has spoken on privacy/security matters on behalf of numerous groups such as BNA and the American Conference Institute. She has authored a variety of articles on privacy/security issues, Medicare coverage, and fraud and abuse. She is currently authoring a book for BNA on health information privacy. Ms. Spencer received her BA from Sewanee and her JD from Vanderbilt University School of Law.
Mark Swearingen, Esq., Hall, Render, Killian, Heath & Lyman, PC, HIPAA and HITECH Trends (Enforcement and Otherwise)
Mark Swearingen coordinates the HIPAA practice and provides counsel on health information privacy and security matters such as breach response and notification and the creation, use, disclosure, retention and destruction of medical records and other health information at the Indianapolis law firm, Hall, Render, Killian, Heath & Lyman, P.C. His counsel to clients also includes a variety of health care topics related to regulatory compliance, physician and clinical services contracting, risk management and Independent Review Organization services. He has provided such services to a broad spectrum of health system, hospital, physician practice, diagnostic imaging center, ambulatory surgical center and long-term care facility clients.
Mr. Swearingen has spoken and written nationally and regionally on numerous topics, including antitrust, electronic medical records and health information privacy and confidentiality. He is an adjunct professor of a course in Law and Medicine at the Indiana University School of Informatics at IUPUI.
Mr. Swearingen received his BA from Indiana University and his JD from Seton Hall Law School.
Seton Hall Professor and Health Care Regulation Expert Frank Pasquale to Present Draft White Paper Outlining Options and then Moderate a Discussion on its Pros and Cons with Fellow Academics
Washington, D.C. – Seton Hall University School of Law hosted an academic roundtable discussion on how our current healthcare law will respond to the new technology environment – in particular, maintaining privacy for consumers as the health industry expands adoption of cloud computing, on Friday, March 22, 2013. Seton Hall Professor Frank Pasquale moderated the event, “The Future of HIPAA and The Cloud,” and also released a white paper he coauthored with Tara Adams Ragone on the challenges that cloud computing technologies pose to the Health Insurance Portability and Accountability Act (HIPAA).
As the recent HIPAA Omnibus Rule showed, regulation must both reflect and shape technological advances. As stakeholders face new challenges and opportunities, the roundtable asked: What is the future of HIPAA in the cloud? How will patient data be used? What is the role for third party vendors? And who should be held responsible for security breaches in the cloud?
White paper abstract:
This white paper examines how cloud computing generates new privacy challenges for both healthcare providers and patients, and how American health privacy laws may be interpreted or amended to address these challenges. Given the current implementation of Meaningful Use rules for health information technology and the Omnibus HIPAA Rule in health care generally, the stage is now set for a distinctive law of “health information” to emerge. HIPAA has come of age of late, with more aggressive enforcement efforts targeting wayward healthcare entities. Nevertheless, more needs to be done to assure that health privacy and all the values it is meant to protect are actually vindicated in an era of ever faster and more pervasive data transfer and analysis.
After describing how cloud computing is now used in healthcare, this white paper examines nascent and emerging cloud applications. Current regulation addresses many of these scenarios, but also leaves some important decision points ahead. Business associate agreements between cloud service providers and covered entities will need to address new risks. To meaningfully consent to new uses of protected health information, patients will need access to more sophisticated and granular methods of monitoring data collection, analysis, and use. Policymakers should be concerned not only about medical records, but also about medical reputations used to deny opportunities. In order to implement these and other recommendations, more funding for technical assistance for health privacy regulators is essential.
In her article, “Institutional Competence to Balance Privacy and Competing Values: The Forgotten Third Prong of HIPAA Preemption Analysis,” Barbara J. Evans takes on the well-settled belief — or “rumor,” as she calls it – that the HIPAA “Privacy Rule merely sets a floor of privacy protection that leaves states free to set stricter privacy standards.” (A draft of this article is available on SSRN, and it will be published in the University of California-Davis Law Review in 2013.) Although this general rule of HIPAA preemption is largely accurate, the article argues that it is wrong with respect to an enumerated “class of public health activities that Congress deemed to have high social value,” including “reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.”
Professor Evans begins with a textual argument, pointing out that HIPAA’s statutory text specifically includes a third prong, while HIPAA’s Privacy Rule, one of HIPAA’s key implementing regulations, collapses the statutory language into two prongs. The article maintains that in doing so, the “Privacy Rule ignored a clear statutory instruction to preempt state privacy law in a specific circumstance where Congress determined that individual privacy interests should give way to competing public interests.” In this specific public health context, she continues, “the HIPAA statute creates what might be called a ‘canopy,’ to shelter specific socially important data uses from more stringent privacy laws.” The author buttresses her analysis with legislative and regulatory history as well as a comparison with the structure of ERISA preemption provisions.
Noting that the statute speaks directly to this issue, Professor Evans maintains that the public health portion of the Privacy Rule is not entitled to Chevron or Skidmore deference where its interpretation is contrary to the statute and the agency did not offer a persuasive account to justify its interpretations. Rather, “the HIPAA statute preempts state privacy laws — even ones that are more stringent than the HIPAA privacy Rule — in situations where state laws would interfere with public health surveillance and investigations.”
Professor Evans attributes the inconsistency between the Privacy Rule and HIPAA to politically savvy rather than incompetent agency drafting. She asserts that HHS was aware that states were afraid that their privacy laws would be preempted, and thus the agency took a modest approach in the Privacy Rule, leaving unspoken the effect of the third prong on more stringent state laws in the limited context of enumerated public health activities. The statutory text, however, reflects Congress’s choice to “trust no institution other than itself” to “strike the balance between privacy and competing public interests.” There was a conscious choice not to permit a patchwork of varying state laws to frustrate the development of multi-state, interoperable databases needed for the enumerated public health activities.
This article breathes new life into statutory language that has been largely overlooked in the sixteen years since HIPAA’s enactment and is critical reading for anyone interested in public health surveillance, investigation, and privacy law. Professor Evans argues that facilitating access to large-scale, multi-state, interoperable databases of health-related data for tens or even hundreds of millions of people could speed “the detection of drug safety risks, unmask ineffective or wasteful treatments, and understand disparities in health outcomes among various populations subgroups,” while “unduly restrict[ing] access to data and biospecimens can very literally kill people.”
The article closes with an invitation to scholars for further “dialogue about [HIPAA']s forgotten preemption provision,” an invitation the health law community would be wise to accept. While she readily acknowledges that her conclusions are unorthodox, they will undoubtedly generate substantial and serious academic discussion.
Another important article for interoperability policymaking is Leslie P. Francis’s article, “Skeletons in the Family Medical Closet: Access of Personal Representatives to Interoperable Medical Records,” which recently was posted to SSRN and was published in volume 4, issue 2 of the 2011 Saint Louis University Journal of Health Law & Policy.
With HIPAA’s Privacy Rule and the HITECH Act, federal law now grants patients the right to access their own medical records, including EHRs, with some limitations for certain records, such as psychotherapy notes. Importantly, personal representatives now generally enjoy the same rights of access to medical records that patients themselves hold, consistent with state law.
In addition, although HIPAA preempts state laws that are inconsistent with federal law, HIPAA generally (see Professor Evans’s important caveat above) does not preempt state laws that protect privacy more stringently than federal law. A state law is deemed more stringent when, for example, it provides individuals with greater access to their health information. As a result, “states may expand the individual right of access to health information, but may not contract it.”
The article points out an unintended consequence of such an expansion, however, given federal law on access: states that provide equal rights of access to patients and their representatives would be expanding personal representative access in step with any increased rights for patients.
But given the breadth of interoperable EHRs, patients may not want or expect their personal representatives to have access equal in scope to their own. Interoperable EHRs may very well contain records of medical care that are not directly relevant to the patients’ current care and that patients may not want their personal representatives to see. Professor Francis offers the example of an older patient being treated for a stroke who may not want her child to learn about her prior, unrelated pregnancy termination or psychiatric history – what Professor Francis calls “the metaphorical skeletons in her closet.”
The article thus explores the extent to which states may protect patient privacy and confidentiality in this legal framework by regulating personal representatives’ access to patient records. Although states generally either grant or deny personal representatives access to patient records, Professor Francis details how some have been more nuanced. For example, some permit patients to use advance directives to define the scope of access by personal representatives, such as on a need-to-know basis, while others restrict personal representative access to mental health or substance abuse treatment records.
Given the importance of respect for private autonomy, Professor Francis then makes four recommendations:
(1) Advance directive statutes should permit competent patients to designate the scope of their personal representatives’ access to interoperable medical records, ideally with respect to specific types of information, such as mental health, substance abuse, and reproductive history, and options such as all information, information only as needed to make care decisions, or no information.
(2) When patients do not have advance directives, there should be a presumption that personal representatives only have access to records needed for decision making about their care.
(3) Interoperable medical records should be designed to permit special management of sensitive medical information, such as mental health or substance abuse treatment records, to which personal representatives would have access only when necessary for emergency care.
(4) These recommendations generally should apply regardless of whether patients have mental illness or cognitive disabilities.
Graduate Certificate Program in Pharmaceutical & Medical Device Law & Compliance to Start Again, October 7, 2012
Seton Hall Law School’s Center for Health & Pharmaceutical Law & Policy starts classes again on October 7th for the Graduate Certificate in Pharmaceutical & Medical Device Law & Compliance. The priority application date is September 24, 2012.
The Graduate Certificate in Pharmaceutical & Medical Device Law & Compliance is a non-degree program designed for individuals who seek in-depth knowledge about legal, regulatory, and ethical issues related to the pharmaceutical and medical device industries. Taught exclusively online, it offers students nationwide a targeted immersion in key substantive issues along with the practical skills necessary to research and communicate effectively about the law.
The intensive program is geared to busy professionals who want to cover a significant amount of material in a relatively short period of time. The program is open to students who have earned a baccalaureate degree from an accredited college or university. It is specifically designed to meet the needs of mid- to senior-level professionals in the health care industry, but highly motivated students from other backgrounds are also welcome to apply. It is not necessary to have prior academic or work experience in health care in order to do well in the program.
Why study pharmaceutical and medical device law at Seton Hall School of Law?
Seton Hall Law School has specialized in health law for more than a decade, and its health law program is consistently ranked among the top ten in the nation by U.S. News & World Report. The Law School’s health law faculty specialize in a wide range of health law topics, including healthcare organizations, nonprofit governance, healthcare financing, healthcare fraud and abuse, food and drug law, research with human subjects, genetics and the law, public health law, and bioethics. In addition to training future lawyers, Seton Hall Law offers a Master’s of Science in Jurisprudence degree for individuals working in the health care industry, as well as an innovative compliance certification program for pharmaceutical and medical device professionals. Seton Hall Law is also a center for scholarship and public policy development related to health care, particularly through its Center for Health & Pharmaceutical Law & Policy, whose mission is to foster informed dialogue among policymakers, consumer advocates, the medical profession, and industry.
I have hinted at problems with uniform trade secrecy laws in this volume and a law review article. I plan to continue that line of research in a co-authored work with Dave Levine, exploring the costs of trade secrecy in the finance, energy, and communications sectors. When it comes to “solutions,” I’m increasingly inclined to frame the issue as: how do we operationalize the insights of Michael Carroll’s “Uniformity Costs” concept? In other words, how do we shape doctrine so that it respects the unique economic conditions (and moral imperatives) related to specific industries?
One way to do so is to insist on the autonomy of a subject matter defined legal field (versus the trans-substantive aspirations of, say, contract, property, or intellectual property law). The “law of the horse crowd” usually assails that autonomy by warning about the distortionary effects of applying different laws to different sectors. Health law professors shared that worry for a while, debating whether health care law is a “coherent field.” But that anxiety seems to have faded as a distinct arena of health care economics develops and lawyers set to work implementing the massive HITECH and PPACA legislation passed in 2009 and 2010. The stage is now set for a distinctive law of “health information” to emerge, as third party payers and government use their leverage in the sector to tamp down counterproductive IP- and contract-based corporate strategies.
The law of health information is neither more “open” nor more “closed” than information law generally. Free access should be dictated in areas of extreme personal or societal need; in other cases, it may be right to force high payments, either ex ante via taxes, or ex post via high prices, from those with the ability to pay. Privacy should play a far more important role here than it does in the usual Wild West of internet data collection and processing. But once data is truly anonymized, the research imperative for access is perhaps more pressing than in any other area of law (except, perhaps, national security).
For a recent controversy where laws of copyright seem inappropriate in a medical setting, check out this story:
According to the New England Journal of Medicine, after thirty years of silence, authors of a standard clinical psychiatric bedside test have issued take down orders of new medical research. Doctors who use copies of the bedside test which will have been printed in some of their oldest medical textbooks are liable to be sued for up to $150,000. . . . [E]ven the ghosts of positively ancient abandoned copyrights for the very simplest of ideas can be used to block new medical work through legal bullying.
The “thirty years” of silence part makes me want to look into a laches claim. The simplicity of the test also seems to invite a merger defense. On the other hand, perhaps the best answer is compulsory licensing, which should have gotten more attention during the SOPA/PIPA flap. Whatever solution is optimal, the implication of the NEJM piece is clear: health professionals believe their field deserves some autonomy from the normal laws of intellectual property. Popular reaction against secret prices of medical devices and hospital procedures also reflects that view.
In many areas, such rebellions against pricing the priceless have translated into general skepticism about intellectual property. In health care, they may lead to something different: a health information law distinct from the IP and privacy laws of general application.
An eminence grise of cyberlaw once told me that he got into the field in the 1980s because it was one of the few areas where things were “up for grabs” enough that a creative scholar could still have an influence. An elder statesman of the IP field told me that it had gone into “normal science” mode as of 2004 or so. Perhaps those who still want “paradigm shifts” need to work heavily regulated fields like health information law, where government policymakers are more regulators for (rather than instruments of) vendors and providers.