Career healthcare law attorney Helen Oscislawski speaks with us on the above and more in this article. The following interview takes a close look at Helen’s fascinating career story and the current state of healthcare and privacy law in the US, as well as the uncertain future of health data privacy with the advent of app-based health information services.
Thank you very much for speaking with us, Helen. For our readers who may not have encountered you before, can you please share a little about your practice and your personal journey in the field of law?
It is hard for me to believe that I have been practicing law for over 23 years! Growing up, pursuing a career in law was not even in the realm of my awareness. I grew up an only child to two working parents who came to the United States as Ukrainian refugees shortly after World War II. Quite often, I was looked after by my grandmother who did not understand English. Consequently, Ukrainian was my first spoken language. One might say that such factors are not exactly conducive to pursuing a profession which demands the strongest of English speaking and writing skills.
I went on to graduate from Rutgers University with a degree in Psychology Summa Cum Laude and was named ‘Most Outstanding Student in Psychology’. My plan was to go on to earn a PhD degree and become a clinical psychologist. However, my husband and I had to relocate to Michigan so that he could complete his residency in emergency medicine. As a result, I put my graduate school plans on hold. I worked as a social worker in a skilled nursing facility during that time. However, soon after, my husband convinced me that I should give law school a try. The rest then, as they say, is history.
I graduated from Rutgers School of Law at the top of my class and was admitted to the New Jersey bar in 1999. I worked as an associate at two different law firms before ending up at a large firm’s satellite office in Princeton, New Jersey. As it turns out, that job set up the trajectory for the rest of my career focusing on a unique and fascinating niche area of law – health data privacy.
When I started my job in Princeton, the federal law of HIPAA had just been enacted and its related regulations were brand new. For two years straight, I was assigned almost exclusively to matters which required detailed and comprehensive analysis of HIPAA. I was also required to research and analyse state laws which intersected with HIPAA, as well as other federal privacy laws. I quickly became the firm’s ‘go-to’ attorney for any legal issues involving privacy and health information.
For two years straight, I was assigned almost exclusively to matters which required detailed and comprehensive analysis of HIPAA.
Around 2005, health information technology really started to take off. First, there was a massive push to transition medical records from paper to electronic health records. Next came initial efforts to connect providers, patients and their electronic medical information through internet-supported networks. I was fortunate to be ideally positioned as a privacy expert at the forefront of this transformation.
On 13 May 2008, I was appointed by Governor Corzine to serve a two-year term on the New Jersey Health Information Technology Commission which was charged with developing a statewide health information technology plan for New Jersey. My role was to fill a seat reserved for “an attorney practicing in this State with demonstrated expertise in health privacy issues”. In 2010, I was reappointed by Governor Christie to serve a second two-year term and became Chair of the Commission’s Privacy Subcommittee.
In February of 2010, I left the law firm I had been at for nearly eight years to start my own boutique law practice, Attorneys at Oscislawski LLC. I now have the privilege of working with clients across the entire United States and advising them on how to manoeuvre their businesses through data privacy and health information technology minefields.
A typical work week for me might include assisting clients with responding to OCR HIPAA investigations, managing a data breach impacting health information, negotiating a complex data-sharing arrangement with a technology vendor or other types of third parties seeking access to health data for a variety of reasons, reviewing and updating consent forms, policies and other documents for compliance with federal and state data privacy requirements, completing compliance audits and developing mitigation strategies, all while keeping up with a rapidly changing data privacy and technology landscape which I cover in article posts on my blog.
Every day, I have the pleasure of working closely with in-house general counsels, CEOs, CIOs, IS Directors, Privacy Officers and many other incredible individuals who are dedicated to striking the right balance between data privacy and allowing technology to improve and drive healthcare forward into the future. I look forward to hopefully many more years of doing the same things that I have been doing for the last 23.
Drawing on your area of expertise, can you share some background into healthcare privacy regulation in the United States and the key laws and statutes that govern the use of healthcare information today?
In the early 1970s, Congress enacted a federal privacy law to protect the confidentiality of patient records originating from certain providers providing treatment for substance use disorders (SUD). That law and its related regulations are often referred to as ‘Part 2’. However, Part 2’s privacy protections did not extend to protecting information created by other types of healthcare providers. Additionally, although states were addressing health data privacy rights on an individual basis, the result was an uneven patchwork of standards that often fell short of guaranteeing individuals with meaningful privacy rights.
On 21 August 1996, Congress finally passed the first comprehensive federal healthcare privacy law in the United States – the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (‘HIPAA’). Four years later, the Secretary of Health and Human Services (HHS) published the ‘HIPAA Privacy Rule’ and required full compliance by 14 April 2003. Other rules implementing HIPAA followed, including the HIPAA Security Rule, which aims to safeguard electronic health information, and the Breach Notification Rule, which requires individuals and HHS to be notified when certain unencrypted health information has been compromised.
Together, Part 2 and HIPAA formed the predominant legal foundation for health data privacy in the United States. However, as technology and data sharing models continued to rapidly evolve, these federal laws started to become disconnected from what was actually happening in the ‘real world’. As a result, over the last few years, privacy attorneys like myself have had to keep up with a never-ending onslaught of new privacy laws, rules and amendments.
I look forward to hopefully many more years of doing the same things that I have been doing for the last 23.
Most recently, Congress enacted the 21st Century Cures Act, which resulted in a new ‘Information Blocking Rule’ that prohibits certain actors from interfering with the access, use and exchange of electronic health information when it is otherwise legally permissible. This new rule was created in part because certain electronic medical record (EMR) vendors were allegedly configuring their products to make it either impossible or too cost prohibitive for other vendors and third parties to connect to and access electronic health information from their EMR product.
In many ways, the Information Blocking Rule has turned federal healthcare privacy law on its head. In the past, healthcare organisations focused on how to keep medical information private. Now, they are left scrambling to realign their long-time data privacy practices with the Information Blocking Rule, which requires electronic health information to be openly accessible. And, if that is not enough, more changes to federal laws affecting healthcare privacy and technology are in the pipeline as we speak.
What rights are guaranteed under HIPAA and other laws concerning healthcare information privacy?
There are several ‘rights’ that HIPAA affords to individuals. I will touch on the big ones.
First, individually identifiable health information that is protected under HIPAA (referred to as ‘protected health information’ or ‘PHI’) may not be used or disclosed in an unauthorised manner. Generally, a ‘covered entity’ (CE) custodian of PHI must first obtain a signed authorisation from the individual who is the subject of the PHI to permit the desired use or disclosure. If a signed authorisation is not obtained, then the CE custodian is only permitted to use and disclose PHI in ways expressly allowed under an exception in the HIPAA Privacy Rule.
Examples of when HIPAA does not require a signed authorisation to use and disclose PHI include for: treatment, payment, health care operations, public health, and other limited reasons. However, even if a use or disclosure might fall within an exception under the HIPAA Privacy Rule, certain state laws could still require a signed consent before such information can be disclosed. In such cases, the CE custodian of the health information protected by a state’s privacy law would have to obtain a signed consent before disclosing the information, even if it is not required by HIPAA.
Another important right guaranteed by HIPAA is the individual’s right of access. This ensures that an individual generally has a right to access and control his/her PHI, including being permitted to request and receive electronic copies of his/her PHI in the form and format requested, and directing such information to be transmitted to a third party. This provision together with the Information Blocking Rule have had a profound impact on increasing patients’ use of mobile applications to directly connect to their provider’s EMR, extract their health information and facilitate its transmission to other third parties.
In many ways, the Information Blocking Rule has turned federal healthcare privacy law on its head.
Finally, the HIPAA Breach Notification Rule guarantees that individuals will be notified if their PHI has been compromised by a data breach or security incident. This way, individuals can take steps to potentially protect themselves against identity theft and fraud.
I think that these ‘rights’ are three of the most important ones that HIPAA created. There are others, but it would be impossible to cover them all here.
During your years in practice, what significant advances have you seen in health information technology?
It was around 2005 when I recall health information technology (IT) really starting to take off. First, there was a massive push to transition medical records from paper to an electronic format. In the beginning, this transition was voluntary. However, by 2011 the federal government deployed a program called ‘Meaningful Use’ which initially financially rewarded healthcare providers for adopting EMRs, but then punished those who did not do so by 2018 by reducing their Medicare and Medicaid reimbursement.
Next came efforts to connect providers, patients and their electronic medical information through internet-supported networks called either ‘regional health information organisations’, ‘health information exchanges’ or ‘health information networks’. For years, these networks attempted to either connect EMRs to each other or develop ‘data wells’ where certain healthcare information about individuals was aggregated and maintained in a single source. However, lack of interoperability proved to be a barrier that stymied progress.
Today, we are in a phase where interoperability of health IT is a paramount goal. The federal government has pivoted to requiring developers of certified health IT to essentially ‘open up’ their application programing interfaces (API). This, in turn, is now allowing different EMR vendors to connect to one another with more ease. Moreover, this is creating new opportunities for individuals to use mobile apps to directly connect to multiple providers’ EMRs to access and control their health information.
What have the consequences of these advances been for patients' privacy?
It cannot be denied that when medical records were maintained predominantly on paper, it was more certain that the privacy of health information contained in such records could be protected. Paper medical records were typically manually controlled by the custodian and therefore much less accessible. Provider custodians would often refuse to release any part of these medical records unless the patient signed a paper consent form allowing such release, including when the patient wanted any part of such records released to themselves! Moreover, data breaches of paper records usually only happened when there was an incident of improper disposal (e.g. failing to shred) or records were taken off premises.
Today, we are in a phase where interoperability of health IT is a paramount goal.
Now, with technological advances, electronic information can be transmitted anywhere and everywhere with a click of a button. Moreover, health information and medical records are often stored on virtual servers on the internet instead of in physical cabinets. As the healthcare industry marches rapidly forward to allowing more ‘open’ APIs with EMRs, provider custodians will lose even more control over who is gaining access to confidential health information and where it is going. While privacy laws and security frameworks continue to offer guardrails to try and prevent misuse and breaches of health information, the cold, hard truth is that its increased prevalence in an electronic medium and being shared more openly and easily makes it inherently more vulnerable.
In your experience, what are the most common ways in which a person's right to health information privacy might be compromised?
The most common way that an individual’s privacy might be compromised is through data breaches. This can happen in a few different ways. Hacking incidents occur when criminals purposefully target and gain access to electronic health information. Hacking incidents can lead to medical and other sensitive information of thousands of individuals being obtained by the hacker and potentially ‘sold’ to other third parties. Data breaches can also occur because of unintentional security lapses. For example, if during a technology upgrade a health care organisation does not adequately evaluate the impact on security, a gap might cause health information to become inadvertently exposed on the internet.
With the more recent push to open APIs and adopt FHIR standards for certified EMRs, I think we are unfortunately going to see mobile apps becoming a new point of risk to electronic health information. With this new model, the burden will shift from the provider custodian to the patient to adequately vet all mobile apps that he/she intends to use and fully understand how their health information may be reused once it is downloaded from a source EMR. Many people do not realize that, for the most part, mobile app vendors are not subject to HIPAA. Such vendors are generally only required to abide by their own privacy policies and terms of use. Therefore, if the mobile app vendor notifies its customers that it may reuse any information downloaded into the app for other purposes, including potentially selling such data, and the customer agrees to such terms of use, the vendor would generally be permitted to do so.
The Federal Trade Commission (FTC) has been very active over the last few months in an attempt to hold vendors of mobile heath data Apps accountable for “unfair or deceptive acts or practices”. Several such vendors have been subjected to FTC enforcement actions this year. In addition, many states are individually passing privacy laws which would further regulate such mobile app vendors in their collection and reuse of individually identifiable information.
I think we are unfortunately going to see mobile apps becoming a new point of risk to electronic health information.
Last, I would be remiss if I did not mention how pixels, cookies and other online tracking technologies have recently led to finding a massive amount of patients’ individually identifiable data being ‘scraped’ up and shared with or even sold to third parties like Google and Meta.
What consequences can there be for those whose when healthcare information is compromised in these ways?
The consequences to the healthcare organisations are substantial. When health information is compromised due to violation of HIPAA, this can lead to significant civil monetary penalties. It can also lead to lawsuits, as is recently the case with the online tracking fiasco. Currently, dozens of hospitals have been named in class action lawsuits where plaintiffs are alleging that enabled tracking pixels impermissibly ‘scooped up’ their personal information from the hospital’s online website and disclosed it to third parties for unauthorised purposes. When such incidents happen, reputational damage to the organisation is also unavoidable.
There are also consequences to the affected individuals. Data breaches can result in a person’s sensitive and highly confidential information ‘floating around’ in the public domain. The impact of this can include embarrassment to the individual, harm to personal relationships, interference with legal disputes, loss of employment, and other potentially damaging outcomes. It can also lead to identity theft and fraud.
What legal recourse is available to victims in these circumstances?
Where hackers are involved, health care organisations would have to rely on the justice system to hopefully go after such criminals. Otherwise, when an organisation has relied on a contracted vendor to ensure the security of the health information maintained in its EMR and other systems, and said vendor has failed to do so, a lawsuit might need to be filed against such vendor to enforce contractual terms and recoup damages. This is why negotiating contractual terms, including indemnification and insurance, are so important up front.
As for recourse for individuals, lawsuits are one option, but often an uphill battle. Many people do not know that HIPAA does not include a private right of action. This means that if an organisation has compromised an individual’s health information, that person cannot walk into court, allege that HIPAA has been violated and, as a result, demand that he/she is entitled to damages. To even have a chance at sustaining a cause of action in such a case, that person would have to find a viable legal theory (e.g. invasion of privacy or breach of contract) based on the laws of the state in which he/she resides or where the wrongdoing occurred to file an action.
[ymal]
Another recourse an individual has is to file a HIPAA complaint with the federal government. However, not all HIPAA complaints result in investigations, and patients’ complaints are not always grounded in an actual violation of HIPAA.
In what ways do you expect to see health information technology and related privacy matters develop in the latter half of 2023 and beyond?
I expect mobile apps to continue to explode and facilitate the collection and transmission of electronic health information even more. Whether this will result in an increase in health information being compromised depends in part on how well consumers will become educated and understand what is actually going on with their health data once it leaves a more secure EMR source. Meanwhile, as the healthcare industry scrambles to catch up with managing open APIs and mobile apps, ChatGPT has arrived. The full scope of how such new AI technology will impact and even disrupt healthcare and privacy further is something that I expect to be busy staying on top of in the latter half of 2023, and likely well into next year.
Helen Oscislawski, Esq., Founder
782 Alexander Road, 2nd Floor Princeton, NJ 08540, USA
Tel: +1 609-385-0833
Fax: +1 609-385-0833
Helen Oscislawski is a seasoned healthcare attorney who is known to many as a “go to” attorney for legal guidance on HIPAA, 42 C.F.R. Part 2, Information Blocking, state privacy laws, consent, data breaches and networked electronic health information exchange, though her experience extends far beyond these fields. Helen was selected Best Lawyers® 2022 ‘Lawyer of the Year’ for healthcare law in Princeton, New Jersey, a distinction awarded to one lawyer with the highest overall peer feedback for a specific practice area and geographic region. She has also been selected every year since 2020 to a Super Lawyers® list for healthcare law (issued by Thomson Reuters). She is admitted to practice law in New Jersey and Arizona, although she has clients from across the United States.
Attorneys at Oscislawski LLC is a boutique healthcare law firm established by its founder, Helen Oscislawski, in February 2010. It is recognised as a leading healthcare law firm with attorneys who bring significant experience with a broad spectrum of healthcare laws, regulations and corporate transactions, as well as with governmental relations. Every year since 2018, Attorneys at Oscislawski has been included among the ’Best Law Firms’ in healthcare law in Princeton, New Jersey (issued by Best Lawyers).