The UK Government has opened a consultation, running until September 7, 2016, regarding how UK National Health Service (NHS) patient data should be safeguarded, and how it could be used for purposes other than direct care (e.g. scientific research).

The consultation comes after two parallel-track reviews of information governance and data security arrangements in the NHS found a number of shortcomings, described below.  The Care Quality Commission (CQC) and the National Data Guardian (NDG, led by Dame Fiona Caldicott) made a range of recommendations, including new security standards, stronger inspection and enforcement around security lapses and re-identification of anonymized patient data, and an eight-point process around assuming and respecting patient consent decisions.

Following the public consultation, the new security standards could eventually be required and audited by government inspectors from the CQC, and imposed under revised standard NHS England contract terms.  CQC inspectors could potentially act on tip-offs from NHS Digital (formerly known as the NHS Health and Social Care Information Centre, ‘HSCIC’).  Those tip-offs could be based on low scores obtained by organizations in their annual NHS Information Governance Toolkit (IGT) self-assessments.  The IGT, which the reviewers said should be redesigned, applies both to NHS bodies and their commercial vendors.

The new consent model, meanwhile, could provide more streamlined, system-wide consents for use of patient data for purposes including quality assurance and research.

The CQC and the NDG’s findings and twenty-four recommendations were jointly presented in a covering letter to the UK government, available here, and fuller reports, available here and here (CQC and NDG, respectively).  This post provides a brief summary of their main findings and recommendations.  For the consultation questions themselves, see here.

Health care providers and other entities face a host of legal and practical challenges as they implement telehealth and telemedicine initiatives.

For example, providers of telehealth services, and the entities creating or hosting telehealth platforms, must determine which federal and state privacy and security laws apply to them.  These laws, such as the federal Health Insurance Portability and Accountability Act (HIPAA), may impose privacy and security restrictions, as well as restrictions on the use of data for marketing.  Additional privacy and security complications may arise if providers choose to store data from telehealth encounters on the “cloud.”

Medicare Part B pays for certain health services furnished to rural beneficiaries via an “interactive telecommunications system”—a system that provides for real-time audio and video communication.  Among the covered services are office visits, certain behavioral health services, diabetes self-management training, and medical nutrition therapy.  The practitioner furnishing the service remotely (the “distant site” provider) may be a physician, physician assistant, nurse practitioner, clinical psychologist, or other provider.  In order for telehealth services to be reimbursed under Medicare, the beneficiary must receive the service from designated “originating sites,” such as a physician’s office, hospital, rural health center, or FQHC.