Helen Oscislawski, a career healthcare law attorney, speaks to us about the above as well as more in this article. This interview examines Helen’s career and discusses the current state of privacy and healthcare law in the US. It also explores the future of privacy and health data with the advent app-based services.
Helen, thank you for taking the time to speak with us. Can you tell our readers, who have never met you before about your law practice and personal journey?
It’s hard to believe I’ve been practicing law over 23 years. As a child, I had no idea that I would pursue a legal career. I was raised as an only child by two parents who were both working and came to the United States shortly after World War II. My grandmother was often the one who looked after me, as she did not speak English. My first language was Ukrainian. Some might argue that these factors do not make it easy to pursue a career which requires the best of English writing and speaking skills.
I graduated from Rutgers University in Psychology with a Summa cum Laude degree and was awarded the title of ‘Most Outstanding Psychology Student’. I had a plan to get a PhD and become a clinical psychology. My husband and I were forced to move to Michigan to allow him to complete his emergency medicine residency. In order to complete my graduate studies, I had to put them on hold. During that time, I was a social worker at a skilled nursing home. My husband persuaded me to try law school not long after. As they say, the rest is history.
I graduated at the top of the class from Rutgers School of Law and was admitted to New Jersey’s bar in 1999. I was an associate in two law firms before working at the satellite office of a large law firm in Princeton, New Jersey. This job was the beginning of my focus on health data privacy, a fascinating and unique niche of law.
HIPAA was a brand-new federal law and regulations when I began my career in Princeton. I was almost exclusively assigned to HIPAA-related matters for two years. I also had to analyze and research state laws that intersected HIPAA as well as federal privacy laws. I became the ‘go to’ attorney at my firm for all legal issues that involved privacy and health data.
Two years in a row, I have been assigned to almost exclusively HIPAA-related matters that require detailed and comprehensive analyses.
Around 2005, the health information technology started to really take off. The first step was to move medical records away from paper and into electronic records. The next step was to establish a network that would connect patients, providers and electronic medical records. As a privacy expert, I was ideally placed to lead this transformation.
I was appointed to the New Jersey Health Information Technology Commission by Governor Corzine on 13 May 2008. The commission was tasked with creating a New Jersey statewide plan for health information technology. I was appointed to fill the seat of “an experienced attorney in New Jersey who has demonstrated knowledge and expertise in privacy issues related to health”. In 2010, Governor Christie reappointed me to serve for a second term of two years and I became the Chairperson of the Commission’s Privacy Subcommittee.
In February 2010, I started my own boutique firm, Attorneys at Oscislawski LLC. I had worked at the same law firm for almost eight years. I have the opportunity to work with clients from all over the United States, advising them how to navigate the minefields of data privacy and health IT.
My typical work week might include helping clients respond to OCR HIPAA inquiries, managing a breach of health information, negotiating complex data-sharing arrangements with technology vendors or other third parties who seek access to health information for various reasons, updating consent forms, policy documents, and other documents to ensure compliance with federal and State data privacy requirements. I also complete compliance audits, develop mitigation strategies and keep up with the rapidly changing technology and data privacy landscape, which I discuss in my blog.
I am privileged to work with many incredible people every day. These include in-house general attorneys, CEOs CIOs, Information Security Directors, Privacy Officers, and other individuals dedicated to finding the perfect balance between privacy and technology. I hope to continue doing the same thing for many years more.
Can you, based on your expertise, provide some background information about healthcare privacy regulations in the United States? What are the main laws and statutes that govern today’s use of health data?
Congress passed a federal privacy act in the early 1970s to protect patient records from providers who treat substance use disorders. This law, along with its regulations, is often referred as “Part 2”. Part 2 did not protect information created by any other type of healthcare provider. In addition, even though states addressed privacy rights for health data on a state-by-state basis, this resulted in a patchwork of standards which often did not guarantee individuals meaningful privacy rights.
The Health Insurance Portability and Accountability Act of ’96, Public Law 1041, was passed by Congress on 21 August 1996. The Secretary of Health and Human Services published the “HIPAA privacy rule” four years later and demanded full compliance by the 14th April 2003. HIPAA was implemented by other rules, such as the HIPAA Privacy Rule which required full compliance on 14 April 2003.
Together, Part 2 of HIPAA and Part 2 formed the dominant legal foundation for privacy protection in the United States. As technology and data-sharing models evolved rapidly, federal laws began to be disconnected from the actual’real world.’ Over the past few years, privacy lawyers like myself have been forced to keep up with an onslaught new privacy laws, regulations and amendments.
I hope to continue doing the same thing for many years more.
Recently, Congress passed the 21 st Century Cures Act. This resulted in the creation of a new “Information Blocking Rule” that prohibits certain actors to interfere with access, use, and exchange electronic health information, when this is otherwise legal. The new rule was created partly because some electronic medical record (EMR), vendors allegedly configured their products in a way that made it impossible or prohibitively expensive for third parties and other vendors to connect and access electronic health data from their EMR.
Information Blocking Rule is a major change in the federal privacy law. In the past healthcare organizations focused on keeping medical information private. They are now scrambling for ways to align their long-standing data privacy practices to the Information Blocking Rule which mandates that electronic health information be openly accessible. If that’s not enough, there are more federal laws in the works affecting privacy and technology in healthcare.
What rights are protected under HIPAA or other laws relating to healthcare information privacy?
HIPAA provides individuals with a number of ‘rights.’ I will only touch on the major ones.
First, HIPAA-protected individual identifiable health information (also known as “protected health data” or “PHI”) may not be used or disclosed without authorisation. In general, the ‘covered entity (CE)’ that holds the PHI must obtain the signed consent of the person who is the subject to the PHI before allowing the use or disclosure. In the absence of a signed authorization, the CE custodian may only use or disclose PHI as expressly permitted by an exception to the HIPAA privacy rule.
HIPAA doesn’t require a signed authorization to use or disclose PHI for certain reasons, such as: treatment, payment of health care services, public health and other limited purposes. Even if the use or disclosure falls under an exception to the HIPAA privacy rule, some state laws may still require that a consent be signed before this information is disclosed. In these cases, the CE keeper of health information that is protected by the privacy laws of a particular state would need to get a consent signed before releasing the information.
The right to access is another important right that HIPAA guarantees. The HIPAA ensures an individual has the right to control and access his/her personal health information, which includes being able to receive and request electronic copies in any format and form requested and to direct such information be transmitted to third parties. Together with the Information Blocking Rule, this provision has had a significant impact on patients using mobile applications to connect directly to their EMR provider and extract their health data.
The Information Blocking Rule is a major change in the federal privacy laws governing healthcare.
The HIPAA Breach Notice Rule ensures that individuals are notified in the event of a breach of security or data. Individuals can then take the necessary steps to protect themselves from identity theft and fraud.
These ‘rights,’ I believe, are the three most important rights that HIPAA has created. Other rights exist, but they are too numerous to list.
What significant advancements in the field of health information technology have you witnessed during your years as a practitioner?
Around 2005, I remember the health information technology (IT), really taking off. There was a huge push to convert medical records from paper format to electronic format. Initially, the transition was voluntary. In 2011, the federal government launched a program titled ‘Meaningful Use,’ which first rewarded healthcare providers financially for adopting EMRs. However, those who failed to do so in 2018 would be penalized by Medicare and Medicaid reimbursement.
The next step was to try and connect patients, providers and electronic medical records through networks supported by the internet. These networks were called’regional healthcare information organisations’, “health information exchanges” or “health information networks”. These networks tried for years to connect EMRs or create ‘datawells’ that aggregated healthcare data about individuals and maintained it in one source. Lack of interoperability was a major barrier to progress.
Interoperability is the goal of today’s health IT. The federal government is now requiring that developers of certified healthcare IT ‘open up their APIs’. It is easier for different EMR vendors now to communicate with each other. This also creates new opportunities for people to connect directly to the EMRs of multiple providers to access and manage their health information.
What has been the impact of these developments on patient privacy?
When medical records are maintained primarily on paper, the privacy of any health information contained within them is more protected. Paper medical records are typically controlled manually by the custodian, and so they are less accessible. The custodian of the medical records would refuse to release any information unless the patient signed an authorization form. This included if the patient only wanted to see a portion of the records. Data breaches on paper records are usually the result of an improper disposal incident (e.g. Failure to shred or removing records from the premises are two common examples of data breaches.
Interoperability is the goal of today’s health IT.
With the technological advancements, electronic data can now be sent anywhere, anytime, and to anyone with just a single click. Health information and medical records can also be stored online on virtual servers instead of physical cabinets. Providers who are in charge of storing confidential health data will have less control as the healthcare industry moves to allow more “open” APIs to be used with EMRs. Privacy laws and security frameworks will continue to provide guardrails in order to prevent misuse or breaches of health data. However, it is the hard, cold truth that their increased use in electronic media and sharing more easily and openly makes them more vulnerable.
What are the most common ways that a person’s right to privacy of health information is violated?
Data breaches are the most common way to compromise an individual’s personal privacy. It can happen a number of different ways. Criminals can hack electronic health records if they target them and gain access. Hacking can result in the hacker gaining access to sensitive medical information and other data of thousands of people and possibly’selling’ it to third parties. Unintentional security breaches can also lead to data breaches. If, for example, during a technology upgrade, a health care organization does not evaluate the impact of security adequately, there could be a gap that causes health information to be inadvertently revealed on the internet.
Mobile apps will unfortunately become a new source of risk for electronic health records, with the recent push towards open APIs and FHIR standards. This new model will shift the responsibility from the provider to the patient. The patient must thoroughly vet any mobile apps they intend to use, and understand the re-use of their health data once downloaded from an EMR source. Most people are unaware that mobile app vendors do not have to comply with HIPAA. They are . These vendors are only required to adhere to their terms of service and privacy policies. If the mobile app vendor informs its customers that they may use any data downloaded into the application for other purposes (including potentially selling the data), and if the customer agrees with the terms of usage, then the vendor is generally allowed to do this.
In recent months, the Federal Trade Commission has been active in attempting to hold vendors responsible for “unfair and deceptive practices or acts”. In the past year, FTC has taken enforcement action against several of these vendors. Many states have also passed privacy laws that would regulate the collection and use of personally identifiable information by mobile app vendors.
Mobile apps will unfortunately become a new source of danger for electronic health data.
Last but not least, I’d be remiss to fail to mention that pixels, cookies, and other tracking technologies online have led to the recent discovery of a large amount of patient’s individually identifiable data which has been’scraped up’ and shared or even sold to a third party like Google and Meta.
What are the possible consequences for patients whose information about their healthcare is compromised?
Consequences for healthcare organizations are significant. HIPAA violations can result in significant civil penalties when health information is compromised. As was the case recently with the tracking scandal, it can also lead lawsuits. In class action suits, dozens hospitals are named by plaintiffs who claim that tracking pixels have’stolen’ their personal data from hospital websites and passed it on to unauthorised third parties. It is impossible to avoid reputational damage when such incidents occur.
The affected individuals also suffer consequences. The public can be exposed to highly sensitive information. This can cause embarrassment for the individual as well as damage to their personal relationships, interfere with legal disputes, lose employment and other damaging outcomes. This can lead to fraud and identity theft.
What legal remedies are available to victims?
Health care organizations would need to depend on the justice system in order to take action against hackers. If, however, an organisation relies on a vendor contract to protect the health information in its EMR or other systems and that vendor fails to deliver, then a lawsuit may be necessary to enforce the contractual terms and recover damages. Negotiating contractual terms is important, especially indemnifications and insurances.
Litigation is one way to get recourse, but it can be a long and difficult road. HIPAA does not provide a private right to action. It means that, if a company compromises an individual’s personal health information, the person can’t go to court and claim that HIPAA was violated, claiming that they are entitled to damages. In order to have any chance of proving a claim in this case, the person must find a legal theory that is viable (e.g. Invasion of privacy or breach contract based on laws in the state where he/she lives or the place the wrongdoing took place.
A person can also file a HIPAA-related complaint with the federal authorities. Not all HIPAA complaint results in an investigation, and patient complaints are not always based on a HIPAA violation.
What changes do you anticipate in health information technology, privacy and related issues during the second half of 2023?
I anticipate that mobile apps will continue to grow and become more popular, facilitating the collection and transfer of electronic health data. The extent to which this leads to a rise in the number of health records being compromised will depend in part on whether consumers are educated enough and know what happens with their data after it leaves an EMR. ChatGPT is here to stay, while the healthcare industry tries to catch up on managing mobile apps and open APIs. In the second half of 2023 and probably well into next years, I will be occupied with keeping up to date on how AI technology can impact and disrupt healthcare and privacy.
Helen Oscislawski, Esq., Founder
782 Alexander Road 2nd Floor Princeton NJ 08540, USA
Tel: +1 609-385-0833
Fax: +1 609-385-0833
Helen Oscislawskiis an experienced healthcare attorney. She is well-known for her legal expertise in HIPAA and 42 C.F.R. She has extensive experience in many other areas, including Part 2, Information Blocking and state privacy laws. Helen was named Best Lawyers (r) 2022 ‘Lawyer Of The Year’ for healthcare law in Princeton New Jersey. This distinction is given to the lawyer who receives the most positive peer feedback within a particular practice area or geographic region. Since 2020, she has been named to the Super Lawyers (r) list of healthcare lawyers published by Thomson Reuters. She is licensed to practice in New Jersey and Arizona. However, she has clients all over the United States.
Attorneys of Oscislawski LLCis an exclusive healthcare law firm founded by Helen Oscislawski in February 2010. The firm is recognized as a leader in healthcare law, with attorneys with significant experience on a wide range of healthcare laws and regulations, corporate transactions, and governmental relations. Attorneys at Oscislawski have been listed among the “Best Law Firms” in healthcare law for Princeton, New Jersey every year since 2018 (by Best Lawyers).