Photo of Sara Shanti

Sara Helene Shanti is a partner in the Corporate Practice Group in the firm's Chicago office.

Texas is joining a growing number of states in passing comprehensive privacy legislation intended to safeguard consumer personal data.[1] Specifically, the Texas Data Privacy and Security Act (the “Act”) adds protections for consumers[2] and their personal data, which includes any information that is linked or reasonably linkable to an identified or identifiable individual.[3]

Continue Reading Texas is Making Moves on a Comprehensive Consumer Privacy Law

This week, the Drug Enforcement Administration (“DEA”), in conjunction with the Substance Abuse and Mental Health Services Administration (“SAMHSA”), issued a temporary rule extending the telemedicine waivers of the Ryan Haight Act (“RHA”) promulgated during the COVID-19 Public Health Emergency (“PHE”). This is notable as access to care, including mental health and substance abuse treatment, remains a crucial industry focus, especially as the transition to the post-PHE has begun.

Continue Reading DEA and SAMHSA Extend Tele-Prescribing Flexibilities

Recently, we were invited to speak on a panel at the Executive War College on Diagnostics, Clinical Laboratory and Pathology Management. We spoke about the federal information blocking rules, and highlighted how some actors are still engaging in conduct that the rules were intended to discourage, in part due to the lack of enforcement rules.

Continue Reading Laboratory and Pathology Information Blocking Concerns

On April 12, 2023, OCR issued a Notice of Proposed Rulemaking (“NPRM”) to strengthen HIPAA’s protections around reproductive health care privacy. The NPRM responds to President Biden’s Executive Order 14076, which directed HHS to consider ways to strengthen privacy protections for reproductive health care services, following the Supreme Court’s rule in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and ultimately resulting in renewed concern over patient privacy and reproductive healthcare.

Continue Reading OCR Announces Proposed Rulemaking to Strengthen Reproductive Health Privacy

In February, when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) delivered two annual reports to Congress for the 2021 calendar year as mandated by the HITECH Act, several notable takeaways were exposed. By providing data on enforcement actions and insight into areas of noncompliance, the reports assist HIPAA entities to mitigate risk, prioritize compliance efforts, and promote industry accountability.

Continue Reading HHS OCR Delivered Annual Reports to Congress

This blog is the third installment of our Digital Health Trends Series, see previous blog posts here and here.

On February 24, 2023, the Drug Enforcement Agency (“DEA”) announced a new proposed rule, which provides some much-anticipated guidance related to the implications of telemedicine prescribing under Ryan Haight Act of 2008 (“RHA”) after the COVID-19 Public Health Emergency (“PHE”) terminates on May 11, 2023. The proposed rule extends certain flexibilities beyond the PHE and proposes to make permanent certain scenarios, in which a practitioner may prescribe controlled substances without a prior in-person medical evaluation.

Continue Reading DEA Proposes Rule for Post-PHE Telemedicine

Social media’s interplay with healthcare privacy presents a constantly evolving challenge. ICYMI (“in case you missed it”), there is an uptick in enforcement and scrutiny IRL (“in real life”) related to communications through social media and other public platforms by entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Continue Reading ICYMI: HIPAA and Social Media IRL

Regulatory enforcement and large litigation relating to the use of third party trackers on companies’ websites and applications have been on the rise. Tracking often occurs without the companies’ knowledge or consent. Third party tracking on hospital and provider websites has specifically garnered notable media attention. Recently, there has been significant activity by the Federal Trade Commission (“FTC”) under the Health Breach Notification Rule for unauthorized sharing of personal information. It has begun to penalize and impose steep corrective actions, including long-impacting future restrictions, for such violations.

Continue Reading Web Tracking Creates a Web of Data Privacy Risks

This blog is the second installment of our Digital Health Trends series.

Overview

Digital health services have exploded since the onset of the COVID-19 pandemic, and behavioral health services have seen large increases in utilization. Prior to the pandemic, telehealth visits for mental health or substance use disorder represented less than 1% of outpatient visits, but by mid-2020 nearly 40% of telehealth outpatient visits were for mental health or substance use.[i] Behavioral health is the highest-funded clinical indication within digital health, and digital behavioral health companies raised $1.7 billion in the first three quarters of 2022.[ii] Investments in behavioral digital health services have the potential to transform the healthcare system in several key areas.

Continue Reading The Transformation in Behavioral Digital Health Services

The COVID-19 Public Health Emergency (“PHE”) led to a rapid expansion in the utilization of telehealth. Now, almost three years later, governmental entities have focused their attention on telehealth services and the potential for fraud and abuse. In July 2022, the Department of Health and Human Services Office of Inspector General (“OIG”) issue a Special Fraud Alert alerting practitioners to exercise caution when entering into arrangements with telemedicine companies. The issuance of this report is a significant step and reinforces the government’s interest in scrutinizing telehealth arrangements. The Department of Justice (“DOJ”) and the Drug Enforcement Agency (“DEA”) have also launched several high-profile investigations that the industry is monitoring closely. Telehealth providers should carefully review and update their practices given the heightened enforcement climate.

Continue Reading Recent Developments in Telehealth Enforcement

The U.S. Department of Health and Human Services (“HHS”) has announced proposed changes (the “Proposed Rule”) to 42 C.F.R. Part 2 (“Part 2”). While the Health Insurance Portability and Accountability Act (“HIPAA”) governs the privacy and security of protected health information generally, Part 2 specifically governs the medical records of federally assisted substance use treatment programs (“SUD Records”).

Continue Reading Proposal to Overhaul Privacy Law Governing Substance Use Disorder Treatment Records