Semester: Spring 2023 (tentative) Fall 2022 Summer 2022 Spring 2022 Fall 2021 Summer 2021 Spring 2021 Fall 2020 Spring 2020 Fall 2019 Summer 2019 Spring 2019
Professional/Experiential Skills Courses First Year Courses Only

Health Information Privacy & Data Security (LAW-719F-001)
Kirk Nahra

Notices

Description

Data is everywhere in the health care industry, and is being used by a broader range of entities for a broader range of purposes every day. This phenomenon is present in virtually all industries (thanks to the principles of “big data,” artificial intelligence and the Internet of Things), but the health care industry presents the most evolved legal and regulatory structure for the privacy and security of personal data that exists. Health care lawyers and compliance professionals must understand - and lawyers and compliance professionals for all other industries can learn from - the key principles surrounding the use and disclosure of personal data when providing virtually all aspects of legal advice to healthcare companies, including compliance, mergers and acquisitions, litigation and the full range of specific privacy and data security laws and regulations.

This course will explore the primary legal and policy principles surrounding the use and disclosure of personal data across the health care industry – the key privacy and security laws, regulations and principles that govern how the health care industry operates. This analysis will serve as a baseline for consideration of all other privacy and data security laws around the country and around the world. This course will emphasize the primary privacy and information security principles set out in the Health Insurance Portability and Accountability Act (“HIPAA”) as a baseline framework for compliance, and will explore how these rules apply in theory and in practice. We will discuss the best approaches for overall HIPAA compliance. We also will explore emerging areas for privacy and information security, including new enforcement principles, issues related to security breaches and breach notification, and the emergence of “non-HIPAA” data as a new challenge to the privacy and data security regulatory structure. We will spend some time on issues related to privacy and medical research. We also will assess how these issues affect the business of health care, including a broad range of strategic and compliance issues affecting health care companies and others that use personal data.

The goal is to understand the key principles of the developing law in this area, but also to teach what a lawyer and compliance professional/privacy officer does on these issues and the need to combine legal knowledge with practical analysis and an understanding of business implications. Class sessions will review and evaluate a broad range of regulations as an initial framework, coupled with specific examples of recent developments, compliance challenges and the ongoing evolution of the HIPAA privacy and data security rules. In addition to this review of the HIPAA Privacy, Security, and Breach Notification Rules, this course will survey other potentially applicable laws that create compliance obligations for the health care industry, including state law (and the impact of preemption), and other relevant federal laws. We also will examine new developments in health care privacy and data security, including the evolving principles governing healthcare research, the privacy and data security challenges arising from mobile applications and the emerging implications of “big data” principles on privacy rights and the health care industry. As we work through the semester, we also will evaluate how best to revise health care privacy law in the future, in the context of a national privacy law or otherwise.

The teaching strategies for this course will include readings, lectures, and group discussions focusing on these topics along with other industry developments. We will discuss and explore specific problems/challenges/situations where you will be asked to apply your knowledge to a compliance or business challenge related to the use of personal data. You will be expected to learn not only the substance of these laws and regulations, but also how to analyze business challenges and evaluate compliance implications for a health care business. You are expected to participate in class discussions and to be thoughtful about the policy implications of different choices and compliance options in connection with these laws. We also will discuss and debate the evolution of privacy and data security principles in a changing health care environment and will provide practical advice on how to be an effective lawyer in this new and challenging area.

Textbooks and Other Materials

The textbook information on this page was provided by the instructor. Students should use this information when considering purchases from the AU Campus Store or other vendors. Students may check to determine if books are currently available for purchase online.

The course reading will consist of statutes, regulations and case law, along with federal and state agency guidance and materials, as well as articles and other materials. Some materials will be publicly-available on-line or through resources available to students (e.g., LexisNexis/Westlaw). Additional materials will be distributed in class. Students are expected to complete the assigned reading in advance of each class. Students must refrain from using the Internet or cell phones during class.

First Class Readings

• Nahra, “Privacy Law and the First-Year Law School Curriculum,” 23 GREEN BAG 2D 22 (Autumn 2019), available at "http://greenbag.org/v23n1/v23n1_articles_nahra.pdf
• Kliegman, “The New Era of Suicide Prevention,” The Ringer (April 2017), available at https://theringer.com/social-media-suicide-prevention-policies-5490c2c224e0.
.
• Couldry and Mejias, “Big Tech’s latest moves raise health privacy fears,” Financial Times (December 6, 2020), available at https://www.ft.com/content/01d4452c-03e2-4b44-bf78-b017e66775f1
• Paul, “Colleges want freshmen to use mental health apps. But are they risking students’ privacy?,” (Washington Post Dec. 27, 2019), available at https://www.washingtonpost.com/technology/2019/12/27/colleges-want-freshmen-use-mental-health-apps-are-they-risking-students-privacy/
• Copeland, “Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans,” (Wall Street Journal Nov. 11, 2019), available at https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790 (let me know if you cannot access this)

• Allen, “Health Insurers Are Vacuuming Up Details About You — And It Could Raise Your Rates,” (July 17, 2018), available at https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates
• Walker, “Data Mining to Recruit Sick People,” (Wall Street Journal Dec. 17, 2013), available at https://www.wsj.com/articles/data-mining-to-recruit-sick-people-1387237952
• Maheshwari, “This Thermometer Tells Your Temperature, Then Tells Firms Where to Advertise,” New York Times (October 23, 2018), available at https://www.nytimes.com/2018/10/23/business/media/fever-advertisements-medicine-clorox.html (IF you cannot access this please let me know)
• Nahra, “A public service announcement about the HIPAA Privacy Rule,” IAPP Daily Dashboard (June 18, 2021), available at https://iapp.org/news/a/a-public-service-announcement-about-the-hipaa-privacy-rule/?mkt_tok=MTM4LUVaTS0wNDIAAAF9vwpQ5J6owEywaEB1Li1TO4b9svqYwNyX-naHSZYm-6qIK9So0uZt_UHYthr2MuDbwco1LDwS1ZsTet8TjnA4-26BuYX49G9I-6atGnn1kv_H

Syllabus

Use your MyAU username and password to access the syllabus in the following format(s):

• Adobe Acrobat (PDF)