Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @DarshanTalks or the show's website at darshantalks.com.
Darshan: Hey everyone, welcome to DarshanTalks. We have Shannon Hartsfield with us and Shannon is a privacy attorney, but I wanted to let Shannon talk a little bit more about herself before we delve into some really interesting discussions around privacy and digital health and more. Shannon, could you tell us a little bit more about yourself?
Shannon: I'm Shannon Hartsfield. I'm a partner with Holland and Knight. I am based in Florida. I'm board certified in health law by the Florida bar. I've been practicing for about 25 years and I'm a co-author of a book that just came out in January, published by the American Bar Association called, HIPAA: A Practical Guide to the Privacy and Security of Health Data. Co-authored with June Sullivan who practices in Massachusetts. I'm excited to talk to you today.
Darshan: That's awesome. First of all, this may be the first time someone's actually plugged a book here so I love it.
Shannon: Have to get that in.
Darshan: That's awesome. I ended up writing a book as well for the ABA and I loved the process of it. I'm glad you've rewritten several. You've written this one for sure. And I got to make sure I get a copy and read into it and we'll probably have you back after I finish reading and I have questions. But here's a sort of jump off point for you because you can tell us a little bit more about HIPAA. When I go onto Twitter, when I talk to people, everyone's talking about how digital health is the new, well, it's really where everything's going. Whether you're talking about telemedicine, you're talking about FDA regulated apps, digital health becomes really critical. But then everyone says that HIPAA prevents us from really doing much. In your experience, is HIPPA everything that stops progress? What is your take on it?
Shannon: Actually, I think it's very rare that HIPPA is an impediment to anything that legitimate actors need to do with health data, with respect to treatment, payment and healthcare operations. As you probably know, HIPAA doesn't even require a patient's authorization in order for a covered entity, which are most healthcare providers and plans, to use and disclose protected health information or PHI for those purposes, treatment payment, healthcare operations. Now in the digital health era, it's interesting because people think that HIPAA applies to all health data. They kind of use the word HIPAA like we use the word Kleenex when we're talking about tissue. It's become sort of a generic moniker for all health data. But the reality is that a lot of times in the digital health world, HIPAA may not apply at all. For example, the health data that you collect on your personal devices or that you share with certain websites and things like that, may not be protected under HIPAA.
Now where we sometimes do see what I would call potential roadblocks in terms of sharing data, typically arises in state laws. State laws that were drafted long before digital health was contemplated in some cases, and those state laws are pretty short and sweet and say, "You can't share health information without the patient's authorization." Or, "You can only share it for treatment." Or something like that. And so these old state laws that don't fit really well with what we have today. On the other hand, HIPAA, the drafters of HIPPA thought long and hard about a lot of the common situations where we might need to disclose health data for public health, for example and all sorts of other types of uses. In the digital health era, one of the first questions you have to answer is does HIPAA even apply? And if it doesn't, then you have to figure out all the different state laws it could apply or you think about the Federal Trade Commission restrictions on how consumer data can be used and disclosed and it can get quite complicated, but I definitely don't think HIPAA is the impediment and a lot of cases.
And we've seen with COVID, some waivers around HIPAA that have been helpful and it'll be interesting to see if those continue. For example, in the telehealth space, normally under HIPAA, you need to make sure you have a telehealth platform that complies with security rules, where you've got a business associate agreement with the vendor and you've done our risk analysis and all that stuff. And to some extent, COVID has loosened some of those what I call administrative requirements, but I do think it's important to make sure we keep that data secure. And once the waivers expire, we're going to have to make sure we have all the HIPAA bells and whistles in place. There's lots to think about with respect to HIPAA, but I definitely don't think it's a roadblock to sharing information.
And conversely on May 1st, some rules came out prohibiting what we call information blocking that are actually designed, I think, to make it imperative that information gets shared through APIs, shared with different patient driven apps and things. I think we're going to start seeing a lot more information flow.
Darshan: Oh yeah. I could have a whole discussion with you about information blocking and I do have some questions, but let's sort of do a little bit more around HIPAA and then if you don't mind, if you still have time, I'll ask you a couple of questions on information blocking because I find that fascinating. One of the big pushes I get back on HIPAA is, you know what? It's a federal law, it preempts state law. What is your take on that?
Shannon: HIPAA actually a lot of times does not preempt state law. The HIPAA rules say that HIPAA preempts state law if HIPAA is more stringent than state law or provides more access to individuals to their own information. But HIPAA only preempts state law when the law is contrary to the state law and contrary means it's impossible to comply with both HIPAA and state law. And I find those situations where it's impossible to comply with both sets of laws are pretty rare. For example, sitting here in Florida, Florida law says that you cannot generally, this is very general, but generally you cannot disclose a patient's information except for treatment purposes without that patient's written authorization. Well, that's a law that is not really contrary to HIPAA because you can comply with Florida law and HIPAA simply by getting that Florida law authorization for uses and disclosures for payment and healthcare operation. Florida law's more stringent, but it's not contrary to HIPAA. They kind of walk alongside each other and you can comply with both.
Darshan: What I hear you saying is that HIPAA is not as big an issue as people make it out to be which I actually agree with you on. Thank you. Coming from someone smarter than me, it's always nice to hear that.
Shannon: Hardly.
Darshan: The next question that I often get, especially in the context of telemedicine and full disclosure, I'm not a telemedicine lawyer, I go more from the FDA perspective as you know, but everyone's goes, "You know what? Why can't my doctor just get on Zoom and talk to me about my health?" What is the reason behind that? Are there HIPPA issues?
Shannon: Well yeah, I think right at this minute during COVID, the doctor probably can do that, but let's pretend like COVID doesn't exist, wouldn't that be nice? The doctor can certainly get on, I can't speak to particular platforms, but there are a number of platforms that offer data security and we'll sign what we call a HIPAA business associate agreement with the doctor that makes sure that the teleconferencing platform will keep that information secure. And so once that's in place and the vendor has agreed in writing to comply with the HIPAA security rule and to comply with the terms of that written HIPAA business associate agreement, you can certainly communicate with your doctor using that platform.
Now there are other platforms that are available right through your phone without any special software or anything like that that may or may not be able to be used. You certainly don't want to use TikTok or something like that for your telehealth consultation. Or you could, I guess, if the patient signed a HIPAA compliant authorization, allowing their information to be used and disclosed in that way, but there's certainly nothing in HIPAA prohibiting the use of some of these popular platforms, as long as certain protections are in place and the vendor is willing to implement its own HIPAA compliance program.
Darshan: That raises a really interesting question, which is everyone's looking for new way to market their services. My favorite recent person was the dentist who was on the hover scooter. Did you hear about this guy?
Shannon: Yes. Yes.
Darshan: Recorded himself doing a dental surgery and I believe at the end of it, I haven't seen the video, but I read about the video.
Shannon: I read about it.
Darshan: You might just actually see the video, but he apparently ended that by saying, "This is the new standard of care." And for that, I believe he went to jail for 12 years and lost his license. From a pure HIPAA perspective is what he did theoretically even possible? Or did he violate that in the process anyways?
Shannon: Well, HIPAA protects not just a patient's name and other direct identifiers, but HIPAA protects a number of data elements related to the patient. For example, I haven't seen a video of the incident, but if it had the patients face in it or something like that, that's protected under HIPAA. Also, something that a lot of people don't think about when they're talking about, "Oh, I'm just using de-identified data," HIPAA under what we call the safe harbor for de-identification, requires that you remove all elements of dates related to a patient other than the year.
If a doctor is going on a video platform or social media and disclosing the fact that they did a particular procedure on a particular day, that is in my view, kind of risky from a HIPAA perspective because it raises the question about whether the information was completely de-identified. There's other ways to establish that it was de-identified. But I think that any time you show any part of a patient on a video, you're running a risk because that video is probably associated with a date. That patient could have other characteristics that are unique, that would identify that patient somehow, maybe their voice is on the video, or maybe they've got a tattoo that you can see or maybe they have an unusual injury or condition. There's that.
There's also the issue of simply using the patient's information improperly, even if you're not disclosing the patient's information on a video or through a digital health platform, are you using that patient's information in a way that's permitted under HIPAA? Those are all questions that have to be analyzed very carefully in any sort of digital communication.
Darshan: That's kind of interesting to me from two different perspectives. The one thing is, again, in a former life as a pharmacist, we used to attend morbidity and mortality rounds. And in those cases we always had situations where people would share their previous patients and here's what we can learn from them and what are your opinions? Is that by itself a HIPAA issue?
Shannon: No, because HIPAA, again, that the drafters of HIPAA were very, very thoughtful in terms of the types of uses and disclosures that normally take place and that are good and things that are helpful to the healthcare industry. And one of those is training. And again, HIPAA allows you to use and disclose protected health information without a patient's authorization for treatment, payment and what we call healthcare operations. And healthcare operations are defined very broadly to include training and quality assurance and those types of activities. There's a lot of times where healthcare providers need to exchange identifiable protected health information. Should be the minimum necessary, of course, but they need to disclose that for these types of training and quality assurance purposes and HIPAA does not stand in the way of that. Again, state law could be a different issue, but HIPAA is not going to be the problem.
Darshan: And we'll sort of keep a standard. First of all, this is not legal advice for anyone. This is just general advice and your state laws may prevent all of this anyway. We'll keep that to the side. But now if we're saying that we can do this, do training on a one on one basis, that same training, if recorded on Zoom and I keep using Zoom like I own stock. Actually I do own stock in Zoom. But if it's recorded on Zoom or shared via Zoom, would that necessarily become violative? Let's assume it's not COVID.
Shannon: Well, when we're saying Zoom, I assume we're just using that as a generic for any type of internet platform. I think you would want to look carefully and make sure you have a HIPAA compliant pathway to share that information. The first question is, whether the information is completely de-identified. There's lots of ways that you could discuss a particular patient's case and it could be de-identified. You can remove all of the identifiers listed in the regulation, including the date, including any other unique characteristics. And once information is completely de-identified, then HIPAA doesn't apply. And theoretically, I wouldn't recommend it, but you could go on social media and do all kinds of crazy things with that data if it's completely de-identified.
Otherwise, if it's information that is not completely de-identified, let's pretend COVID doesn't exist. I would recommend that you make sure that the video conferencing platform you're using is one where the vendor has signed a HIPAA compliant business associate agreement and agrees that they won't use that information for anything other than what's permitted under the agreement. And in that case, you've got a secure transmission, you've got a business associate agreement in place and assuming the people with access to that video or whatever the communication is, assuming that they are also covered under HIPAA or there's some other reason they're allowed to get the data, HIPAA again, should not be the problem.
Darshan: Like I said, there were two things that came out of that for me. One was that type of training that we just discussed in the healthcare setting. And again, that's a rabbit hole we can definitely explore even more. But the other thing, that really comes up in a lot of the pieces of the world that I land up addressing, which is in the clinical trials world. And as you may have heard, there's a whole cottage industry at this point around clinical trial transparency, are you familiar with this? Has this ever popped up for you?
Shannon: A cottage industry on clinical trial transparency? No. I've dealt with some issues related to HIPAA and research and clinical trials, and I know there's a lot of advancements and changes happening in that area. Some in response to COVID, some just in general.
Darshan: Fair enough. I'll sort of give you some details, but let's assume that you're working only with the details of given, so your answer's contingent on just what I tell you. I love how I'm putting disclaimers in for everything. There's a whole thing right now, for example, the European Medicines Association, or whatever, EMA, which is the European version of the FDA, has come out and said, "You know what? If you work on studies that are going to be part of whatever you submit to us to decide whether your product should be approved in Europe, we want to not only have access to your data to obviously do that. But number two, we're going to actually share that data. And you can de-identify that data to the extent you want to, but the fact is that we're going to disclose it and we want the raw data to go out.
From a HIPAA perspective, the fact that American patients may have their data disclosed, is that worrisome? Or is the fact that you're dealing primarily with GDPR, which is even worse, probably subsumed if you will. And I don't know if you're a GDPR sort of person, but I'm just putting that out.
Shannon: I am not. I stay far, far away from it. But what I can tell you is under HIPAA research clinical trials, they are not part, although a clinical trial could involve treatment. Research is separate from treatment, payment or healthcare operations. You can't use or disclose protected health information for research, unless you're following a HIPAA compliant pathway. And generally any sort of use or disclosure for research requires either the patient's written authorization or a waiver or partial waiver of that authorization from a privacy board or an institutional review board, IRB.
Let's say that you're going the patient authorization route, that authorization form, if it complies with HIPAA says that, "You can use and disclose my information for this research. And once it's disclosed, HIPAA no longer applies." Again, just like any patient authorization that complies with HIPAA, that information once you sign that authorization, HIPAA no longer protects your data. What the regulatory authorities do with that data is up to them and subject to their own laws and requirements. HIPAA is not going to protect those research subjects once they sign that authorization.
Darshan: To me, that's interesting because there's a whole discussion, especially in the context of GDPR, and I recognize that's not your expertise, but they want a very clear understanding of what you're going to do with the data. And HIPAA basically what you're saying is that once you give it for research, you've lost control of the data. Do we need, do you think, under the current processes if you will, some kind of separate authorization saying, "Not only are you giving us this data for research, but your data may be made public." Do you need explicit consent around that?
Shannon: HIPAA doesn't dictate that requirement. HIPAA says though, that once the information is disclosed, it's no longer protected. I think it follows that all kinds of things could happen to it, but at least here, again, I'm not an FDA person.
Darshan: Of course.
Shannon: But it's my understanding that these trials are overseen by an IRB and one of the things they're concerned about is how the patient's data is used and making sure the patients are protected. I would guess that in order for the IRB to approve the patient facing document, if that's going to happen, that would need to be addressed to some degree. But again, I'm just speculating. It's not my area.
Darshan: Of course, of course, of course. Which is a totally different discussion at this point. I know we promised to keep this tight. Shannon, this was amazing. Would you be open to doing more of these in the future?
Shannon: Certainly. I appreciate the opportunity. It's been fun.
Darshan: This was wonderful. Thank you again.
Shannon: Thanks so much.
Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @DarshanTalks or the show's website at darshantalks.com.