EDPB Issues New Guidance on the Use of Location Data and Contact Tracing in the Context of the COVID-19 Outbreak

As we anticipated in a previous blog post, on April 22, 2020, the European Data Protection Board (“EDPB”) issued new guidelines on the use of location data and contact tracing apps in the context of the present COVID-19 pandemic.

The EDPB’s new guidelines complement and build on similar guidance previously issued by the Board itself (see here, here and here), and by the European Commission (see our blog post here).

The EDPB’s close scrutiny over the use of mobile data and apps in the context of the ongoing public health crisis is unsurprising, as many EU Member States have launched—or are in the process of launching—contact tracing apps to fight the spread of the virus, and these initiatives are receiving great attention from data privacy authorities and the general public (see our blog post here).

The guidelines aim to clarify the data protection conditions and principles that should be followed when:

  • using location data to model the spread of the virus to assess the overall effectiveness of confinement measures; and
  • using contact tracing apps, which aim to notify individuals who may have been in close proximity to someone who is infected or confirmed as a carrier of the virus, in order to break the contamination chain as early as possible.

The EDPB stresses that EU data protection rules have been designed to be flexible and, as such, do not stand in the way of an efficient response to the pandemic.  However, it notes that governments and private actors should be mindful of a number of considerations when they use data-driven solutions in response to the COVID-19 outbreak.


HHS Relaxes HIPAA Enforcement for Certain Covered Entities and Business Associates Regarding Their Participation in COVID-19 Community-Based Testing Sites

On April 9, 2020, U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding certain covered entities and business associates who choose to participate in the operation of a Community-Based Testing Site (“CBTS”) during the COVID-19 nationwide public health emergency. The Notification relaxes HHS’s enforcement of certain provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). More specifically, HHS will not impose penalties against covered health care providers and their business associates for violations of the HIPAA Privacy, Security, and Breach Notification Rules related to the “good faith participation” in a CBTS. The Notification is effective immediately but applies retroactively to March 13, 2020.

For the purpose of the Notification, a CBTS includes “mobile, drive-through, or walk-up testing sites that only provide COVID-19 specimen collection or testing services to the public.” Operation of a CBTS encompasses “all activities that support the collection of specimens from individuals for COVID-19 testing.”

Under the Notification, HHS’s enforcement discretion will apply only to covered health care providers and their business associates regarding activities connected to the operation of a CBTS. The Notification does not apply to non-CBTS activities performed by covered health care providers or their business associates. As such, there is still potential HIPAA liability for all other HIPAA-covered actions, unless otherwise determined by HHS. In addition, the Notification does not apply to health plans and health care clearinghouses when they are conducting health plan and clearinghouse operations. If a covered entity acts as both a health plan and health care provider, the Notification will apply only when the entity is acting in its role as a health care provider, and then only to the extent that it is participating in a CBTS.

Although covered health care providers and their business associates will not face penalties for HIPAA violations connected to the good faith operation of a CBTS, HHS still encourages them to implement reasonable safeguards for the privacy and security of individuals’ protected health information (“PHI”). According to the Notification, reasonable safeguards include:

  • Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment;
  • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples;
  • Controlling foot and car traffic to create adequate distancing at the point of services to minimize the ability of persons to see or overhear screening interactions at a CBTS — a six-foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19;
  • Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming;
  • Using secure technology at a CBTS to record and transmit electronic PHI;
  • Posting a Notice of Privacy Practices (“NPP”) or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.

OCR Alert Warns Covered Entities and Business Associates of Potential PHI Scam

On April 3, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”) released an alert warning covered entities and business associates of an individual posing as an OCR Investigator to obtain protected health information. According to the alert, “[t]he individual identifies themselves as an OCR Investigator on the telephone, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.”

HIPAA covered entities and their business associates are encouraged to warn their workforce of potential scams and remind them of basic verification steps, such as asking for the Investigator’s email address (which will end in @hhs.gov) and asking for a confirmation email sent from the Investigator’s hhs.gov email.

Organizations can send questions and concerns to OCRMail@hhs.gov. Additionally, suspected incidents of individuals impersonating federal law enforcement should be reported to the Federal Bureau of Investigation (“FBI”). The FBI has also released a public service announcement regarding COVID-19-related fraud schemes.

FDA Issues COVID-19 Policy for Certain Digital Health Solutions

On April 14, 2020, FDA issued a direct-to-final guidance outlining its “Enforcement Policy for Digital Health Devices for Treating Psychiatric Disorders During the Coronavirus Disease 2019 (COVID-19) Public Health Emergency.”  The guidance intends to “expand the availability of digital health therapeutic devices” – possibly the first time FDA has used such term in its written policies – to facilitate consumer and patient use and reduce potential exposure to COVID-19.  The guidance applies to two groups of products: (1) computerized behavioral therapy devices and other digital health devices for psychiatric disorders; and (2) low-risk wellness and digital health products for mental health or psychiatric conditions. Like FDA’s many other COVID-19 enforcement policies, the policy will remain in effect “only for the duration of the public health emergency related to COVID-19.”

State Medical Licensing Changes to Combat COVID-19

The rapid spread of COVID-19 has transitioned the telehealth debate from a matter of access, convenience, and cost-saving to a matter of absolute necessity on a large scale. A variety of barriers have traditionally stood in the way of broader adoption of telehealth including a lack of reimbursement by both state and private insurance, restrictions on prescribing across state lines, limitations to interstate malpractice coverage, and concerns related to privacy and security, licensure, credentialing, and privileging. Although CMS has temporarily alleviated some of the Medicare reimbursement limitations, the patchwork of state licensing regimes has been one of the most difficult barriers to overcome. This post highlights how some states have made temporary concessions with regard to their control over licensure in order to support patients during the COVID-19 pandemic. However, while these measures have helped, a uniform national mechanism for licensure for telehealth across state borders would be much more effective.

Licensure and Telehealth

Medical licensure in the United States is handled by states and the requirements can vary from state to state. Although there is some uniformity in the basic standards, many states require their own testing, interviews, background checks, and other steps to become licensed in that state. Initiatives such as the Interstate Medical Licensure Compact (IMLC) make it easier for providers to become licensed in multiple states, but the IMLC has not been adopted in every state, and the process for providers to take advantage of this reciprocity is not automatic. The licensing regime that applies to a particular encounter is typically based on the state of the “originating site” (i.e., the physician needs to be licensed in the state where the patient is located at the time of receiving the services). The limitations to the adoption of the IMLC and the originating site rule mean that it has been difficult for physicians to provide services across multiple states. There are various state-based exceptions that allow physicians to consult with out-of-state specialists on a limited basis, allow physicians from neighboring states to have their licenses recognized on a limited basis, or allow out-of-state physicians to provide certain types of telehealth services directly to patients, but the inconsistency of these exceptions creates risk and uncertainty for physicians and discourages broader use of telehealth.

Emergency Licensure and Licensure Waivers

Many state responses to the COVID-19 crisis have included the availability of temporary, emergency, or fast-tracked licensure or the temporary waiver of certain licensure requirements. Massachusetts has created an expedited “Emergency Temporary License Application” that allows physicians who hold “an active full, unlimited and unrestricted medical license in another U.S. state/territory/district” to obtain licensure, but only during the state declarations of emergency related to COVID-19. New York has entirely waived NY licensure requirements for certain types of physicians, by allowing those who are “licensed and in current good standing in any state in the United States to practice in New York State without civil or criminal penalty related to lack of licensure.” Other requirements have also been waived by some states; for example, Delaware has waived the requirement that physicians see patients in-person before providing telehealth. These emergency measures not only allow physicians to travel to states where the need for medical professionals has sharply increased, they also allow physicians to provide telehealth services to patients in those states where their ability to receive treatment in-person has significantly diminished.

A Unified Approach to Emergency Telehealth Licensure

Although individual state-based measures can help to increase the availability of physicians, a unified response would allow the healthcare community to be more responsive as the spread of COVID-19 affects different areas of the country at different times. One potential avenue for this is the Emergency Management Assistance Compact (EMAC). EMAC has been ratified by Congress and every U.S. state and territory, and it provides state emergency management agencies with broad powers to cooperatively respond to emergencies, including liability waivers, license reciprocity, and reimbursement for costs. The National Emergency Management Association supports the use of EMAC to implement uniform waivers to state licensure requirements for the provision of services via telehealth, and has released a form executive order that Governors can use to efficiently achieve this result. If adopted, this order includes a broad waiver of in-state licensure requirements for physicians who are licensed in another jurisdiction and allows them to provide any services they could provide in their home jurisdiction via any remote telecommunications technologies. Universal adoption of such an order would allow physicians to treat patients anywhere in the country via telehealth, and would facilitate the efficient implementation of nationwide telehealth networks.

Telehealth Licensure After COVID-19

Most of the measures discussed above apply only as long as the state emergency declarations continue. The same is true of the federal responses to the virus, such as the FCC’s COVID-19 Telehealth Program, which is part of the CARES Act and was discussed in an earlier post. Similarly, as also previously discussed, HHS is exercising enforcement discretion, having announced that it will not impose penalties for noncompliance with certain provisions of HIPAA, relating primarily to the security of transmission methods, in connection with the “good faith” provision of particular telehealth services during the COVID-19 nationwide public health emergency. Some of the current demand for telehealth is due to the fact that COVID-19 is so easily communicated via in-person interactions and the need for a national response to a pandemic that will peak at different times across the country. But the current crisis also highlights the access-to-care challenges the country faced before the crisis, and the hard lessons of the crisis response can create opportunities for the growth of nationwide telehealth services. As a significant number of new doctor-patient relationships are formed via telehealth, we may find that the benefits of this form of healthcare outweigh the concerns and argue for making some of these changes permanent, and support for this type of long-term change is already building.

Jon-Paul Berexa, Anna Kraus, Rebecca Yergin and Tara Carrier contributed to this post.

AI Update: FTC Provides Guidance on Use of AI and Algorithms

On April 8, 2020, the Federal Trade Commission (“FTC”) released a blog post about the use of artificial intelligence (“AI”) and algorithms in automated decisionmaking. The blog highlighted the potentially great benefits and risks presented by increasingly sophisticated technologies, particularly in the “Health AI” space. However, it also emphasized that automated decisionmaking is not a new phenomenon—and the FTC already has a long history of assessing and addressing its challenges. Based on prior FTC enforcement actions, studies, reports, and other sources of guidance, the post outlined five general principles for using AI and algorithms while adequately managing consumer protection risks:

  1. Be transparent. Entities should be upfront with consumers about how they use their AI solutions. For example, if automated tools, such as chatbots, are used to interact with consumers, the nature of this interaction should not be deceiving (i.e., it should be clear to consumers that they are interacting with an AI tool). In particular, entities should be transparent when collecting sensitive data—as secretly using sensitive data to “feed” an algorithm could give rise to an FTC action. Finally, entities should consider whether certain notices are required when they make automated decisions based on information obtained from a third-party vendor that may be considered a “consumer reporting agency” under the Fair Credit Reporting Act (“FCRA”). For example, when using data obtained from a credit reporting agency to deny someone an apartment, an “adverse action” notice must inform the consumer of his or her right to see and contest the information reported about them.
  2. Explain your decision to the consumer. When denying consumers something of value based on an algorithmic decision, entities should be able to explain what data was used in the model and how that data was used to arrive at the decision. Similarly, entities that use algorithms to generate “scores” about consumers should disclose the factors that went into the score and their relative importance with respect to influencing the score. Importantly, if automated tools may alter the terms of an existing deal (such as tools that might reduce consumers’ credit limits based on their purchasing habits), this must be disclosed to consumers, as well.
  3. Ensure that your decisions are fair. Entities should ensure that their use of AI does not result in discrimination against protected groups—which is prohibited by several existing antidiscrimination laws. The post emphasized that when evaluating whether one of these laws has been violated, the FTC will look at both the inputs into the AI algorithm (e.g., whether the model contains ethnically-based factors or proxies for such factors, such as census tracts), and the outcomes of the inputs (i.e., whether a facially neutral tool results in a discriminatory outcome). Finally, the FTC notes that consumers are entitled under FCRA to obtain a copy of the information on file about them and to have the ability to correct it.
  4. Ensure that your data and models are robust and empirically sound. In certain use cases, entities will be legally obligated to ensure that their data and models are robust and empirically sound. For example, entities acting as consumer reporting agencies are required under the FCRA to implement “reasonable measures” to ensure that the information provided is as accurate as possible. Even if an entity is not considered a consumer reporting agency, it may still be considered a “furnisher” if the company provides data to consumer reporting agencies, and furnishers are required to have in place written policies and procedures to ensure that the data provided is “accurate and has integrity.” In all cases, the FTC recommends that a company’s AI models are statistically “validated and revalidated to ensure that they work as intended, and do not illegally discriminate.”
  5. Hold yourself accountable for compliance, ethics, fairness, and nondiscrimination. Before using an algorithm, the FTC’s blog post recommends asking four key questions: (1) how representative is the data set? (2) does the data model account for biases? (3) how accurate are the predictions based on big data? and (4) does a company’s reliance on big data raise ethical or fairness concerns?

In addition, when developing AI for others to use, entities should ensure that appropriate access and use controls are put in place to prevent misuse (e.g., contractual obligations, such as a terms of use for the AI tool, and technical measures, such as running the technology on the developer’s own servers). Further, entities should ensure they have appropriate accountability mechanisms in place, and should consider using tools and services to test algorithms for potential problems.

As the FTC’s blog post noted at the outset, these five principles undoubtedly will come into play as AI increasingly is deployed in critical industries, such as the healthcare sector. As we mentioned in a previous blog post, AI and other digital health technology has the potential to play an integral role in managing the current COVID-19 pandemic. In particular, researchers are considering whether AI can be applied to patient monitoring, preventing the spread of infection, and vaccine development efforts. As these and other technologies are developed to address the global health crisis, it will be critical to ensure that regulatory guidance (including the FTC’s blog post) is considered and applied throughout the product lifecycle.

For companies developing AI and other technology solutions to aid in the efforts against COVID-19, please take a look at our Coronavirus/COVID-19 Checklist to better understand some of the potential regulatory and other legal considerations. We also have posted some simple steps companies can take to mitigate their product liability risk as they develop these new innovative technologies.

To learn more about AI, please access our AI toolkit.

FCC Embarks on New Rural Health Initiatives with CARES Act Funding

In light of the COVID-19 pandemic, Congress and the Federal Communications Commission (FCC) have ramped up efforts to subsidize the provision of the telecommunications and broadband services necessary to deliver telehealth solutions. This includes steps to make it easier for eligible health care providers to secure funding under the FCC’s existing Rural Healthcare (RHC) program, developing procedures for tapping into a new $200 million COVID-19 Telehealth Fund, and launching a pilot program intended to help eligible health care providers deliver online (connected) care to a greater number of low-income patients and veterans.

The FCC’s Rural Healthcare Program (approx. $600-$700 million per year)

Recognizing that hospitals and other health care providers in rural areas face unique connectivity challenges, nearly 25 years ago Congress directed the FCC to establish its Rural Healthcare (“RHC”) program.

Under the RHC program, the FCC provides funding to eligible health care providers for the purchase of telecommunications and broadband services at substantial discounts compared to commercial rates. Generally, eligible providers are not-for-profit or public providers located in rural areas, although funding also is available for consortia with membership of both rural and non-rural health care providers in some circumstances.

The RHC program has grown increasingly popular in recent years, with over $700 million in support committed for expenditures in 2019 alone. Funds for the program come from fees that virtually all American consumers and businesses pay into the federal Universal Service Fund (“USF”), through assessments on certain forms of mobile and landline phone service.

COVID-19 Telehealth Program ($200 million)

The CARES Act appropriated $200 million that is funding a new COVID-19 Telehealth Program by the FCC. Unlike RHC Program funding, funds under this new temporary program will be open to health care providers whether they serve urban or rural areas. Funds can be used to support the purchase of telecommunications, broadband services, and connected devices to provide connected care services in response to the coronavirus pandemic.

The FCC anticipates providing up to $1 million per eligible provider that applies for funding, with funding awarded on a rolling basis until exhausted. In a deviation from procedures for the RHC program generally, the FCC will not require providers to seek competitive bids for the services they buy with this funding. On April 8, the FCC issued detailed guidance for prospective applicants and it announced today that the agency would begin accepting applications on Monday, April 13.

Connected Care Pilot Program ($100 million)

At the same time that it established the COVID-19 Telehealth Program, the FCC took steps to establish a Connected Care Pilot Program under its existing universal service authority. The Pilot Program will make $100 million available over three years to pay 85% of costs of broadband connectivity, network equipment, and other information services necessary for an eligible health care provider to provide connected care services—particularly to low-income households and/or veterans. Application deadlines will be announced, and the process for distributing funding is not expected to occur as quickly as it will for the COVID-19 Telehealth Program.

HHS Seeks to Facilitate Certain Uses and Disclosures of Health Data to Public Health and Health Oversight Agencies Amidst COVID-19 Nationwide Public Health Emergency

On April 2, 2020, the U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding the disclosure of protected health information (“PHI”) to public health authorities and use of PHI to perform analytics for such authorities.  Designed to “facilitate uses and disclosures for public health and health oversight activities during this nationwide public health emergency,” the Notification relaxes HHS’s enforcement of certain provisions of the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  More specifically, the Notification announces that, under certain circumstances, HHS will not impose penalties for violations of such provisions against covered health care providers and their business associates for the use and disclosure of PHI “by business associates for public health and health oversight activities” in connection with the COVID-19 nationwide public health emergency.

AI Update: Using Artificial Intelligence to Combat COVID-19

The rapid spread of COVID-19, along with the effectiveness of existing public health response plans and the impacts of social distancing on the economy, have raised the question of how new technology can be used to address and manage the pandemic. On April 1, 2020, the Stanford Institute for Human-Centered Artificial Intelligence hosted “COVID-19 and AI: A Virtual Conference” to explore the potential applications of artificial intelligence (“AI”) in diagnostics and treatment, epidemiological tracking and forecasting of the spread of COVID-19, and the pandemic’s impacts on the economy, culture, and human behavior.


The Potential Benefits of Digital Health Technology in Managing COVID-19

The COVID-19 crisis is demonstrating the potential of digital health technology to manage some of our greatest public health challenges.  The White House Office of Science and Technology Policy has issued a call to action for technology companies to help the science community answer high-priority scientific questions related to COVID-19.  The Centers for Disease Control and Prevention has also recognized that technology and surveillance systems can play an integral role in supporting the public health response to outbreaks.

The following are just a few examples of how technology has the potential to play an integral role in flattening the curve, limiting the spread of the virus, and assisting in the treatment of infected individuals.  Perhaps the positive impact of these technologies will further accelerate the adoption and importance of digital innovation in healthcare.  However, such innovation still needs to be balanced with the continuing need for safety.

Tracking the Coronavirus Pandemic

Digital health technology can help manage the pandemic by providing an early signal to potential infection.  As widely reported, many public health authorities are limiting test eligibility to symptomatic patients and healthcare workers.  Furthermore, there is a time delay between the onset of physical symptoms and, if the infected individual is able to get a diagnostic test, the receipt of results.

Kinsa Health, a company that uses internet-connected thermometers, has provided smart thermometers to people to record fevers at home.  Users of the smart thermometer can then instantly report their fever and symptoms.  Though the thermometers cannot confirm that a person has the coronavirus, the fever spikes captured by the thermometer are an early signal to potential infection.

Data from the Kinsa thermometer could help health authorities plan their allocation of resources.  The instant reporting feature allows Kinsa to track the spread of fevers, and share the data through its online interactive maps that show where individuals are exhibiting symptoms by zip code.  The clusters of fever spikes can signal to health authorities where to allocate medical resources and where to impose measures to further prevent the transmission of the virus.

Monitoring Hospital Visitors and Patients

Artificial intelligence has also been implemented in hospitals in the United States and abroad to help medical professionals screen visitors and treat infected patients.  Hospitals with access to digital health technology can more effectively monitor and manage the coronavirus pandemic.  For example, in Florida, Tampa General Hospital is using artificial intelligence developed by Care.ai, Inc. to screen hospital visitors with camera-embedded facial scanners that analyze facial attributes and thermal scans to determine whether a visitor is feverish.  Similarly, researchers at the University of Massachusetts Amherst are developing FluSense, an artificial intelligence device intended to analyze cough sounds to assess the potential spread of viral respiratory diseases.  Hospitals are deploying tools like these to help reduce the spread of the virus.

Remote monitoring, another form of artificial intelligence technology, can be implemented by medical facilities to protect staff and carefully monitor patients.  In Israel, for example, Sheba Medical Center has been monitoring patients at remote hospital units in the hospital’s dormitories and underground parking garages.  The sensor technology employed by Sheba, developed by EarlySense Ltd., is positioned under the patient’s mattress and analyzes the patient’s heart rate, respiratory rate, and body movement.  Hospital staff can then monitor the patients remotely and be alerted to deteriorating health conditions as they occur.  This technology not only reduces the medical professional’s exposure to the virus, but also benefits patients by improving the quality of health care.

3-D Printing of Equipment and Materials

3-D printing has been recognized for its potential in crisis remediation, and we are seeing this with COVID-19.  The Chinese used 3-D printed houses for isolation of infected patients.  Facebook has a group, OSCMS, dedicated to the design, validation and sourcing of fabrication of open source emergency medical supplies.  Tips for using 3-D printing to create valves and components for ventilators are being created by technologists and shared by healthcare professionals around the world via tools like Google Docs and WhatsApp.  There are various stories of short-term use ventilators being produced using 3-D printing techniques.

More Examples in China

The China Academy of Information and Communications Technology recently released a full report on the use of big data, AI and smart applications by more than 100 Chinese companies in response to the pandemic. The report concludes that collection and accumulation of data, harmonizing data standards and sufficient data processing capabilities were all key to a more successful response. Specific examples of digital technologies that are promoted by the report for epidemic prevention and control include: (1) “big data monitoring and analysis platforms to analyze the trajectory of confirmed patients, track their contact history, identify the virus transmission route, and predict the development trend of the epidemic situation”; (2) “AI technologies, … online diagnosis, viral genome sequencing” and (3) “cloud computing, big data, AI … applications in epidemic detection, analysis, early warning, prevention and control.”  Interestingly the report also talks about privacy and the importance of anonymization for data sharing even during a crisis.

Balancing Innovation and Safety

As we all struggle with the impacts of the crisis it is heartening to know that human ingenuity is a great source of solutions to our problems.  Perhaps fears with respect to the impacts and risks of technology in healthcare may have been disproportionate when compared to the very real benefits that technology is exhibiting in helping to manage the pandemic and attempt to curb the spread of the virus.  However, we have seen little discussion or coverage of whether these rapid innovations are taking into account regulatory guidance.  We make no comment on the compliance of any of the solutions described in this post, but instead observe that safety and compliance do remain important considerations even when moving rapidly.  As our colleagues posted yesterday, some simple steps can also help in managing litigation risk with these types of innovative technologies.  We have also developed a Coronavirus/COVID-19 Checklist to assist companies that are deploying technology solutions to manage the spread of the virus.