
Wearable Health Technology and HIPAA: Know Whether Your Company is Violating the Regulations in 2016

Live Webcast Date: Tuesday, November 29, 2016 from 10:00 am to 11:00 am (ET)
Health Care CLE & CPE (Recording)

Wearable Health Technology and HIPAA CLE

Join us for this Knowledge Group Wearable Health Technology and HIPAA CLE Webinar. 'Wearable' health devices, such as the Nike Fuel Band, Fitbit, and the Apple Watch, are becoming more popular, sophisticated, and powerful. Many of these devices do not merely monitor and measure the wearer's activity and fitness; they are also capable of transmitting data to computer networks. More sophisticated wearables are emerging as well, such as Google Glass being used to connect emergency room physicians with consulting specialists.

With the advent of these devices comes the risk of invading the wearer's privacy, since they rely on remote, cloud-based data storage. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule regulates Protected Health Information (PHI), while the HIPAA Security Rule (SR) deals with electronic Protected Health Information (ePHI). HIPAA allows for the analysis and sharing of identifiable health information when directly related to the care of a patient by a physician and hospital staff. But data such as heart rates and sleep/wake cycles derived from such wearable devices are not protected health information until used by medical staff.

Although many companies have quite permissive Terms of Service for wearable devices, these terms do not completely protect the company from litigation for violations of privacy under HIPAA. Furthermore, the Department of Health and Human Services Office for Civil Rights has started auditing companies for compliance with the HIPAA Privacy and Security Rules.

Wearable device manufacturers storing health information in the cloud must ensure that their Terms of Service and privacy policies comply with HIPAA privacy and security requirements. Several critical issues are overlooked by many companies, placing them at risk of non-compliance and subsequent litigation and fines. These include:

  • ensuring that computer networks are secure;
  • ensuring that wearable devices have security software;
  • controlling data transmission and sharing;
  • analyzing health data to determine what is permissible under HIPAA;
  • isolating personal medical data from other health data and information;
  • clearly informing patients and wearers about how their data is being used, for what purposes, and by whom;
  • ensuring that all health data is securely encrypted;
  • auditing all transmission and use of health data; and
  • reporting any loss or breach of data to the wearer or patient.

In this Webcast, a panel of key thought leaders organized by The Knowledge Group will discuss Wearable Health Technology and HIPAA and provide insightful information to help you know whether your company is violating the regulations in 2016. Speakers will discuss how the regulations affect companies developing wearable devices and provide sound advice to mitigate the risk of litigation.

Key topics include:

  • Wearable Medical Devices
  • Health Care Data under HIPAA
  • Wearables and HIPAA: Conflicts, Limitations, and Confusions
  • Wearables and Non-HIPAA Covered Entities
  • Risk Assessment and Management
  • Complying With HIPAA Privacy and Security Rules
  • Cloud Compliance
  • A Lawyer's Perspective
  • HIPAA Violations and Sanctions
  • Wearable Privacy and Data Security Best Practices

Agenda

SEGMENT 1:
Eric W. Gregory, Attorney
Dickinson Wright PLLC
  • When does HIPAA actually apply?
    • It is important to consider that not all private health data is covered by HIPAA in all circumstances.
    • HIPAA mandates the protection of protected health information or “PHI.”
    • HIPAA applies to “covered entities.” These include:
      • Health care providers
      • Group health plans
      • Health care clearinghouses
    • Employers that sponsor group health plans are likely to be affected by HIPAA in a variety of ways: as an employer, as a plan sponsor, and potentially as a plan administrator.
    • HIPAA also applies to “business associates”: a person or organization that performs certain activities, such as claims processing, data analysis, billing, legal, actuarial, consulting, management, financial or administrative services on behalf of a covered entity.
  • What are the basic requirements of HIPAA?
    • The HIPAA Privacy Rule protects PHI held or transmitted by a covered entity or its business associate, in any form.
    • The HIPAA Security Rule provides safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information, or ePHI.
    • The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI.
  • How HIPAA affects the use of wearable medical devices in employer health plans.
    • The most typical use-case for wearable medical devices will be in conjunction with a wellness program.
    • A wellness program is designed to help employers manage their corporate healthcare costs by creating a healthier workforce. Frequently, wellness programs will provide incentives for employees to improve health outcomes by testing for medical conditions or risk factors.
      • Smart devices are sometimes used in this regard.
    • Whether a wellness program comes under the HIPAA Privacy Rule depends on the nature of the wellness program.
      • If the wellness program is not a part of the health plan, and the wellness program does not provide health care in any way, it may not be covered by HIPAA.
      • To the extent a wellness program is part of the health plan or provides any kind of healthcare, it is going to be subject to HIPAA.
    • Therefore, any data obtained from a smart device regarding heart rate or even steps taken during the day would constitute PHI and must be protected.
  • Wellness programs that are a part of a fully-insured plan
  • Wellness programs that are a part of a self-insured plan
    • A self-insured plan is a group health plan in which all payments for coverage are made by an employer from its general assets. To cap liability for high medical costs, an employer that self-insures will typically enter into a “stop loss” contract with an insurance carrier.
    • In this case, the health plan, and not the employer, is the covered entity. Employers with self-insured plans must ensure that any information the wellness program collects is maintained by the plan and not disclosed except for the permitted disclosures.
    • Employers with self-insured plans that also self-administer the plan must ensure that the PHI is only accessed by designated and authorized employees for purposes of administering the plan.
    • Practical considerations
  • Business associate agreements
    • There should always be a HIPAA-compliant business associate agreement with the party filling this role.
      • The agreement should address protections and remedies for the employer in case of a breach.
      • Indemnification
      • Insurance
      • De-Identification
      • Security Safeguards
  • HIPAA Penalties and Enforcement
    • The HHS Office for Civil Rights (“OCR”) is responsible for enforcing the HIPAA Privacy and Security Rules.
      • This office is responsible for:
        • Investigating complaints filed with it
        • Conducting compliance reviews to determine if covered entities are in compliance
        • Performing education and outreach to foster compliance
    • OCR reviews the information it gathers to determine whether the covered entity violated the requirements of the Privacy and Security Rules. OCR attempts to resolve cases via:
      • Voluntary compliance
      • Corrective action
      • Resolution agreements
    • Failure to comply with HIPAA can lead to criminal and civil penalties. If a complaint describes an action that could be a violation of a criminal provision of HIPAA, OCR may refer the complaint to the Department of Justice for investigation.
    • Civil Violations
    • Criminal penalties
    • Private causes of action
  • State Privacy Laws
    • State security breach notification laws
    • State personal information disposal laws
    • Other state laws
    • Preemption
    • Practical steps

SEGMENT 2:
Ali Pabrai, CEO
ecfirst
  • Examine the threat from IoT in the context of an enterprise cyber security program
  • Walk through key elements of an IoT security policy to address HIPAA mandates
  • Step through four key IoT HIPAA compliance and cyber security actions organizations must address

Who Should Attend

  • Wearable Medical Device Manufacturers
  • Wearable Medical Device Software Developers
  • HIPAA Lawyers
  • HIPAA Managers
  • PHI & ePHI Records Managers
  • Health Care Insurance Managers
  • Health Care Services Professionals
  • Health Care Attorneys
  • Compliance and Risk Managers
  • Healthcare Privacy & Security Specialists
  • Other Interested Professionals

Speakers

Eric W. Gregory, Attorney, Dickinson Wright PLLC

Mr. Gregory’s practice is focused primarily in the areas of ERISA, employee benefits, and compensation, including both welfare plans and retirement plans.

Mr. Gregory counsels employers on wellness program design and compliance, and integration with incentives and health risk assessments. This includes assisting employers regarding regulatory compliance with HIPAA, GINA, and ADA.

Mr. Gregory also assists clients with privacy and security concerns, including the privacy implications of HIPAA and state laws. Mr. Gregory has counseled numerous employers that have experienced a data breach, and has assisted compliance efforts with numerous security breach, disclosure, and identity theft state laws. Mr. Gregory has also advised employers regarding federal preemption of state laws under HIPAA and ERISA.


Ali Pabrai, CEO, ecfirst

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), Security +, is the CEO of ecfirst. A highly sought after information security and regulatory compliance expert, he has successfully delivered solutions on compliance and information security to organizations worldwide. Mr. Pabrai has presented opening keynote and featured briefs at several conferences, including ISACA, WEDI, HCCA, Google, ISSA, FBI InfraGard, HIMSS, HCFA, HIPAA Summit, Microsoft Tech Forum, NASEBA Healthcare Congress (Middle East), Kingdom Healthcare (Saudi Arabia), Internet World, DCI Expo, Comdex, Net Secure, and many others.

Course Details

Course Level:
   Intermediate

Advance Preparation:
   Print and review course materials

Method Of Presentation:
   On-demand Webcast

Prerequisite:
   NONE

Course Code:
   145771

NASBA Field of Study:
   Specialized Knowledge - Technical

NY Category of CLE Credit:
   Areas of Professional Practice

Total Credit:
    1.0 CLE

About the Knowledge Group

The Knowledge Group

The Knowledge Group has been a leading global provider of Continuing Education (CLE, CPE) for over 13 Years. We produce over 450 LIVE webcasts annually and have a catalog of over 4,000 on-demand courses.

Dickinson Wright PLLC is one of the fastest growing law firms in North America, with 16 offices in the U.S. and Canada. We have more than 400 lawyers that provide elite client service in more than 40 practice areas to a broad range of business and governmental entities. From the largest Fortune 500 companies to small and emerging businesses, state and local governments, non-profits and individuals, each client benefits from the depth of our experience, the breadth of our expertise and our focus on providing personalized service. No client is the same, and we don’t treat them as such. We focus on the individual needs of each client and work to create legal solutions to satisfy those needs.  Our lawyers are respected by their peers, honored by industry endorsements and recognized through significant appointments throughout the legal industry.

Along with our Nevada and Arizona offices, we have locations in Michigan, Florida, Ohio, Kentucky, Tennessee, Washington D.C. and Toronto, Ontario.

Website: https://www.dickinson-wright.com/

Ultimate Value Annual Program

Bring a colleague for only $149, a savings of $50 per additional attendee.

  • Unlimited Access to Live & Recorded Webcasts
  • Instant Access to Course Materials
  • And More!

$199