Privacy, Intellectual Property, and Cyberlaw
Introduction
For more than 2,500 years, patient privacy has been a fundamental principle in healthcare, as demonstrated by the Hippocratic Oath and other early Greek medical texts. This chapter provides a thorough overview of the legal aspects associated with privacy, confidentiality, and information management in the healthcare delivery setting. In addition, intellectual property law is critical in healthcare, as some of the most significant healthcare advancements are safeguarded by intellectual property doctrines. We will explore each principle and its role in securing healthcare business assets (Perry & Thompson, 2017).
Learning Objectives
- Distinguish the legal, ethical, and public policy considerations related to patient confidentiality and privacy of health information
- Explain patents, patent trolls, and what is patentable
- Analyze issues related to trade secrets and copyrights
Privacy and Confidentiality
The commitment to privacy has guided healthcare for centuries. The AMA Principles of Medical Ethics (2001) state, “A physician shall respect the rights of patients, colleagues, and other health professionals, and shall safeguard patient confidence and privacy within the constraints of the law.” The Hippocratic Oath, attributed to the ancient Greek physician Hippocrates, required physicians to “abstain from whatever is deleterious and mischievous,” seeking only the benefit of their patients. Since 1847, the AMA code has been revised extensively but has maintained the secrecy surrounding the patient-provider relationship (faqs.org, n.d.).
The principles of privacy in healthcare give rise to laws and regulations that dictate patient confidentiality, which involves protecting personal health information. Fundamentally, patients have a reasonable expectation that their health information will remain confidential, except in certain circumstances. Exceptions to confidentiality may be exceptional, as in the Tarasoff case, or routine, such as when processing insurance claims, conducting quality control reviews, or fulfilling research or medical education goals. The importance of respecting patient privacy cannot be understated. Furthermore, legal and regulatory penalties against violations of confidentiality can be significant (Perry & Thompson, 2017).
The HIPAA Privacy Rule [YouTube] 2016 by OfficeSafe powered by PCIHIPAA
Confidentiality
The obligation to uphold patient confidentiality arises from the fiduciary bond between a patient and their healthcare provider. The basis for this duty is the notion that respecting a patient’s privacy will inspire them to seek medical care. Courts typically view confidentiality breaches unfavorably (Perry & Thompson, 2017).
Exceptions
Although it is the responsibility of healthcare providers to prioritize patient privacy and confidentiality, some exceptions exist. The intricacies of any given situation can complicate the application of legal principles, so the possibility of exceptions should always be taken into account when analyzing a case (Perry & Thompson, 2017).
There are situations where healthcare providers or organizations may have a responsibility to disclose confidential information to parties other than the patient. For example, quality control or peer review may allow for the disclosure of private information in some cases. In other cases, state or federal law, as well as common law, may require confidential information to be shared to protect a specific third party or the broader community. Statutory examples of situations where a breach of confidentiality may be justified include:
-
Reporting of communicable diseases to state public health authorities;
- Wounds (from either a knife or gunshot) that appear to be non-accidental;
-
Suspected child abuse;
-
Suspected elder abuse; and
-
Diagnosis of epilepsy among those licensed to drive or operate heavy machinery (Perry & Thompson, 2017).
Health Information Privacy
In 1972, New York designed a law to prevent drugs from being diverted into illegal channels. The law required State Health Department officials to collect personal information, including the name, address, and age of anyone who received certain Schedule II drugs with a prescription from a doctor. This information was to be transferred to computer files and kept for five years, with safeguards in place to protect patient privacy. However, a group of patients who regularly received Schedule II drugs and their prescribing physicians challenged the constitutionality of the patient identification requirements. The lower court ruled that the doctor-patient relationship is protected by the Constitution’s right to privacy and that the law’s patient identification provisions were too broad. In 1977, the Supreme Court made a significant ruling in Whalen v. Roe that recognized a limited constitutional right to privacy for health information. While upholding the state law, it recognized a “statutory or regulatory duty to avoid unwarranted disclosures” based on the Constitution (Perry & Thompson, 2017).
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
On August 21, 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act of 1996 into law. HIPAA established protocols for safeguarding personally identifiable information held by the healthcare and healthcare insurance sectors against fraud and theft and addressed restrictions on healthcare insurance coverage. Covered entities, such as healthcare providers and businesses, are prohibited from disclosing protected information to anyone other than the patient and their authorized representatives without consent, subject to certain exceptions. Patients are free to receive information about themselves and are not restricted from voluntarily sharing their health information (Perry & Thompson, 2017). HIPAA is made up of five titles:
- Title I safeguards health insurance coverage for workers and their families,
- Title II sets national standards for electronic health care transactions and national identifiers, and
- Titles III, IV, and V govern pre-tax medical spending accounts, group health plans, and company-owned life insurance policies, respectively.
In January 2013, the Final Omnibus Rule updated HIPAA to include the HITECH Act requirements. The revised regulations enhanced safeguards for patient confidentiality, granted additional privileges to individuals concerning their medical data and bolstered the government’s capacity to uphold compliance with more severe penalties for HIPAA violations. However, the HIPAA Privacy Rule provides waivers during times of natural disaster (Perry & Thompson, 2017).
It is important to note that HIPAA defines a “Covered Entity” and prohibits the use of personal health information (PHI) for any purposes other than treatment, payment, or health care operations. This excludes any information that has been de-identified. To be considered de-identified data, the information may not contain the following information:
- Name
- Address (all geographic subdivisions smaller than a state, including street address, city county, and zip code)
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Number of relatives in the household
- Vehicle or other device serial numbers
- Employer
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image: Photographic images are not limited to images of the face.
- Any other characteristic that could uniquely identify the individual (Loyola University Chicago, 2023).
A. HIPAA Myths
HIPAA permits healthcare providers to discuss a patient’s condition with others in a semi-private room or over the phone with the patient, another provider, or a family member. It also allows providers to leave messages on a patient’s home answering machine and to display a patient’s name next to their hospital room door or a patient care sign, such as “fall risk” or “diabetic diet,” at the patient’s bedside or outside their hospital room. However, HIPAA does NOT grant patients an unlimited right to their healthcare information. Requests for records may be denied if the information contains psychotherapy notes or was compiled for use in a civil, criminal, or administrative proceeding. Also, if a patient wants a copy of their medical chart, they are responsible for the cost of copying it (Perry & Thompson, 2017).
B. Enforcement
If there are accusations of noncompliance, the Department of Health and Human Services (HHS) is obligated to investigate and ascertain if the violations were due to “willful neglect.” In reality, “willful neglect” does not require a high level of proof, and penalties can be substantial. In October 2009, the HHS Office of Civil Rights began publishing the names of healthcare entities with reported data breaches, thus creating the “HIPAA Wall of Shame.” Details include the name of the covered entity or business associate that experienced the breach, the category of breach, the location of the breached PHI, and the number of individuals affected. Because of the intricacy of HIPAA regulations and the potential for huge fines for non-compliance, it would be wise for firms and individuals to proceed with an excess of care when using and contemplating the disclosure of PHI (HIPAA Journal, n.d.).
Health Information Technology for Economic and Clinical Health (HITECH) Amendment 2021
In 2018, the HHS issued a Request for Information to explore ways to alleviate the administrative burden of HIPAA compliance and improve healthcare coordination through better data sharing. In response, many covered entities and business associates requested a safe harbor provision in the event of a data breach if they had adhered to the safeguards of the Security Rule. The HITECH Act was amended in 2021, resulting in the HIPAA Safe Harbor law, which provides the Office for Civil Rights at HHS with the flexibility to refrain from enforcing action, mitigate penalties for HIPAA violations, or shorten the duration of a Corrective Action Plan if the offending party has implemented a recognized security framework and has been operating it for twelve months prior to the breach or other security-related violation. According to Astra Security (2023), “The third quarter of 2022 saw 1 in 42 healthcare organizations targeted by ransomware attacks. The healthcare sector saw a 60% increase in attacks in 2021, with an average of 1426 attacks per week. 90% of healthcare institutions have experienced at least one security breach in the previous few years.”
Modifications of HITECH
- Creating incentives for developing the “meaningful use” of electronic health records
- Changing the liability and responsibility of business associates
- Redefining what a breach is
- Creating stricter notification standards
- Tightening enforcement
- Raising the penalties for a violation
- Creating new code and transaction sets (ICD-10)
Breaches
There were no federal requirements to notify patients of a healthcare privacy breach before HITECH. After its implementation in 2009, HITECH now mandates that all affected individuals be notified when protected health information (PHI) is breached. HITECH further defines a breach as “the unauthorized acquisition, access, use, or disclosure of PHI, which compromises the security or privacy of the information.” Furthermore, a breach is anything that poses a significant risk of financial, reputational, or other harm to the individual due to the compromise of PHI (Perry & Thompson, 2017). Common breaches include:
- Lost, missing, or stolen laptops or other portable devices;
- Disposal of documents, computers, or other materials;
- Hacking; and
- third-party mistakes.
To protect its PHI, a covered entity must establish administrative, physical, and technological safeguards, as mandated by the HITECH regulations. HITECH provides a safe harbor for encrypted devices. Apart from this, the covered entity must have administrative safeguards such as policies, procedures, and documentation to ensure that the policies and procedures have been put into effect. HITECH necessitates that the covered entity conduct a risk analysis and devise a risk management plan to mitigate identified vulnerabilities. Therefore, the covered entity should have a documented risk analysis policy and a corresponding risk management plan in place (Perry & Thompson, 2017).
Notification Requirements
Once an incident constitutes a breach, a covered entity must decide on the appropriate method of informing the impacted patients, as per HITECH regulations. HITECH requires that the covered entity should notify each individual whose unsecured PHI has been breached in writing, using first-class mail, unless the patient has previously consented to receive email communication. In cases where there is a possibility of imminent misuse of the PHI, the notification can be made via telephone. If the covered entity lacks enough information to notify 10 or more individuals, substitute notice becomes necessary. The substitute notice involves a conspicuous posting on the covered entity’s website for 90 days or a notice in major print or broadcast media in areas where the affected individuals are likely to reside. If 500 or more individuals in a jurisdiction are affected, notice to prominent media outlets is required, along with immediate reporting to the Office for Civil Rights (OCR). The notification must be expedited no later than 60 days after the date of discovery of the breach (Perry & Thompson, 2017).
The notification to affected individuals must contain various details, such as a description of the incident, the breach date (if known), the date the breach was discovered by the covered entity, the type of compromised PHI, recommendations on measures individuals can take to protect themselves from potential harm, a description of the investigation, the mitigation or protection measures implemented by the covered entity to prevent future breaches, and contact information, including a toll-free number, for addressing affected persons’ questions. State laws could influence the notification’s content based on the data elements involved. For example, if an electronic breach of PHI in Florida includes social security numbers and impacts patients residing in Florida, it may necessitate an analysis beyond HIPAA/HITECH requirements. The notification requirements for each state are different, and some states may have stricter regulations than HITECH. In Florida, notification to residents must occur within 45 days, with the attorney general receiving notification as well. A covered entity must look beyond just notification to patients and include attorneys general, other consumer agencies, OCR, law enforcement, the media, and credit reporting agencies when social security numbers are involved in the breach (Perry & Thompson, 2017).
Response
According to HHS.gov, the HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term. When a breach occurs in a covered entity, it should activate its breach incident response team, which is comprised of individuals from the C-Suite and a multidisciplinary team including legal, compliance, information technology, communications, and customer relations. In some instances, security and human resources may also be involved (Perry & Thompson, 2017).
Crisis management processes should include:
- daily status report meetings;
- daily goal setting;
- assignment of tasks for the team to accomplish;
- tracking of progress; and
- decision making.
Priorities for the crisis management team include:
- end the compromise of security or remedy the risk control deficiencies;
- restore the functioning of the affected systems;
- determine the root cause of the incident and mitigation and protection to be utilized;
- evaluate any notice obligations (federal, state, and contractual);
- outreach to key customers and business partners;
- prepare media and internal communications; and
- issue notification.
Costs
In 2022, IBM Security’s “Cost of a Data Breach Report” provided evidence that healthcare data breaches cost an average of $10.1 million per incident. This was a 9.4% from the previous year and a 41.6 percent increase from 2020. Healthcare sectors suffered higher ransomware attack costs on average, at $4.82 million ($1 million more than the average cost for other industries) (McKeon, 2022).
In the event of security breaches involving sensitive data, healthcare establishments should consider credit monitoring and utilizing internal call centers. Also, considerations should be taken for partnering with a crisis management firm for effective communication strategies and protecting the healthcare entity’s reputation. Lastly, they should engage experienced healthcare privacy and data breach attorneys for guidance on regulatory compliance and overseeing the notification process.
Post-Breach
After a healthcare data breach, organizations must address media and affected individuals’ concerns, especially for breaches impacting over 500 people. These breaches can undermine community trust and attract significant media attention. Patient inquiries and effective communication by the incident response team are essential. Following the crisis, the Office for Civil Rights (OCR) investigated the entity’s HIPAA/HITECH compliance and the breach’s cause, potentially resulting in fines and penalties. Compliance documentation is crucial, and organizations may face requests from other regulatory bodies or legal actions related to Protected Health Information (PHI) disclosure (Perry & Thompson, 2017).
Protection and Prevention
To ensure compliance with HIPAA/HITECH, covered entities must maintain constant vigilance and implement preventive measures against breaches and violations. These measures include adhering to administrative requirements, designating a privacy officer, conducting a risk analysis, and executing a risk management plan. Additionally, organizations should employ technical and physical safeguards, prioritize encryption, provide staff training on PHI disclosure repercussions, and incorporate IT audits. Acquiring cyber liability insurance or exploring alternative risk financing options can add extra protection against healthcare data breaches (Perry & Thompson, 2017).
Exceptions
Patients cannot access all medical records under HIPAA. Providers can withhold certain categories, like psychotherapy notes, and have the discretion to deny disclosure if it may harm the patient. Some test results follow state-specific or federal regulations on disclosure, such as HIV tests or substance abuse cases.
Emerging Issues
As healthcare increasingly adopts electronic platforms, health law continues to evolve for better protection of individuals affected by data breaches. Electronic Health Records, health information exchanges, and patient portals introduce new vulnerabilities as organizations focus on user-friendliness. Wireless and mobile devices increase the risk of accidental losses and potential disclosures, especially when lacking robust security measures. The growing use of cloud computing and offshore data storage adds further challenges in protecting Protected Health Information. Collaboration between stakeholders, policymakers, and technology developers is crucial to establishing guidelines, standards, and regulations that ensure the responsible implementation of AI in EHR systems.
The integration of AI with EHRs presents several challenges, including data privacy and security concerns, issues of bias and fairness, interpretability and transparency of AI models, questions of liability and accountability, the need for data quality and standardization, and ethical and legal implications. These concerns must be carefully addressed to ensure effective and safe AI applications in electronic health records (Perry & Thompson, 2017).
Intellectual Property in Healthcare
The concept of intellectual property pertains to non-physical assets that embody the creations of the human intellect, as opposed to physical labor. The legal entitlements associated with intellectual property encompass those elements of intellectual property that can be safeguarded according to a country’s laws. Typically, the safeguarding of intellectual property rights falls into one of the following categories: patents, trademarks, copyrights, or trade secrets (Perry & Thompson, 2017).
Intellectual Property [YouTube] 2016 by DurhamUniversity
Protecting intellectual property is crucial because it prevents misappropriation, encourages creative thinking, and fosters innovation for a thriving economy. It holds significant value for businesses, with Fortune 500 companies estimating that 45-75% of their value is attributed to intellectual property. Ensuring its security maintains its value for its proprietor (Morgan, 2019).
Patent
Patents are government-granted monopolies for a limited time, with utility, design, and plant patents being the most common types. To apply for a patent, the inventor must draft claims and ensure the invention is new, useful, and nonobvious. A patent search and consideration of prior art are crucial steps to proving an invention’s novelty and its nonobviousness must be evident to someone skilled in the relevant field (Perry & Thompson, 2017).
A. What can be patented?
Patent litigation is complex and costly for healthcare businesses. Historically, patents covered processes, machines, manufacturers, or compositions of matter, while natural laws, phenomena, and abstract ideas were not patentable. However, the U.S. Supreme Court expanded patentable subject matter to include some algorithms between 1972 and 1981 (Perry & Thompson, 2017).
B. Patent Trolls
Patent trolls, or non-practicing entities, pose significant problems for healthcare businesses by filing infringement lawsuits without creating new products or ideas. They capitalize on the high costs of patent litigation, leading to increased technology development costs and potential market delays. The healthcare industry, particularly the electronic medical record (EMR) sector, is increasingly targeted by patent trolls, requiring more attention to patents as both valuable assets and potential business threats (Perry & Thompson, 2017).
C. Patent Infringement
Patent infringement involves the unauthorized making, using, selling, offering to sell, or importing of patented inventions. Encouraging such acts and supplying components of a patented invention also constitute infringement. The Supreme Court has broadened penalties and interpretations to reduce troll activity, limiting the Federal Circuit’s authority to overturn infringement decisions and setting an “abuse of discretion” standard for attorney fees under 35 U.S.C. Section 285.
Trade Secrets
Companies face a choice between filing for a patent or protecting an invention as a trade secret. Trade secrets offer limited protection, only allowing the owner to sue those who improperly disclose them. Patents provide more extensive monopoly rights. Trademarks are used to identify products and services, preventing consumer confusion while not restraining legitimate competition. Trademarks are words, symbols, logos, and marks used to identify projects and services. The purpose of protection is to identify the source of the product or service and avoid consumer confusion; however, the trade-off is that the protection of a trademark should not restrain legitimate competition (Perry & Thompson, 2017).
Table 1. Patents vs. Trade Secrets
Patent | Trade Secrets | |
Applicable Law | Federal Statute | State Law |
Requirements | Invention and application to the USPTO | Information is created, kept secret, and has independent economic value due to being secret |
Exclusivity | Yes | No |
Reverse Engineering | Not Permitted | Complete defense if properly acquired |
Official Grant from Government | Yes | No |
Novelty | Required | Cannot be generally known or readily ascertainable |
Obviousness | Must be nonobvious | Cannot be generally known or readily ascertainable |
Duration | Generally, 20 years from application filing | No express limitation |
Copyright
The copyright system encourages the creation and dissemination of new, creative works by granting authors rights such as copying, distributing, and creating derivative works. These rights apply to various types of works, including literature, music, and architecture. However, limitations exist, such as the difference between expression and underlying idea and the “fair use” exception. Authors generally hold the copyright of their works, except in cases of work-for-hire where it belongs to the employer unless agreed otherwise (Perry & Thompson, 2017).
Copyright Protection: What Can Be Protected and What Cannot be Protected [YouTube] 2021 by LawShelf
A company website contains various copyrightable elements such as text, images, videos, and sound recordings. The company must ensure they either own the copyright, have a license, or use public domain content. Additionally, they should acquire permission from individuals in images due to “rights of publicity.” This also applies to promotional materials and other documents used to support healthcare services and products (Perry & Thompson, 2017).
However, there are some gray areas regarding copyright laws. The Food and Drug Administration (FDA) allows generic manufacturers to use the same labels and user guides and requires identical labeling for generic medications.
The U.S. Copyright System has conflicting goals of encouraging creativity but also enabling distribution. It protects expression, but not ideas or facts. It protects the author under “works for hire,” and no registration is required. Further, it provides protection for a very long period. It protects against copying but not independent creation. There are exceptions for “fair use” of copyrights permitted (Perry & Thompson, 2017).
A. Work for Hire
The owner of a copyright can be someone other than the creator if the situation falls under the work-for-hire doctrine. There are two categories of works that are considered “works made for hire” under U.S. copyright law. The first category includes works created by employees within the scope of their employment. In this situation, the employer is the copyright owner of the work.
The second category includes works created by independent contractors, but only if the work is specially ordered or commissioned, comes within one of nine limited categories of works, and there is a written agreement between the parties specifying that the creation is a work made for hire.
The nine limited categories of works are:
- A contribution to a collective work
- Part of a motion picture or other audiovisual work
- A translation
- Supplementary work
- A compilation
- Instructional text
- A test
- The answer material for a test
- An atlas
If a work does not fall into one of these nine categories, it cannot be considered a work made for hire unless there is a written agreement between the parties specifying that it is. In general, it is important to be aware of the work-made-for-hire doctrine if you are creating or commissioning a work that is protected by copyright. By understanding the doctrine, you can ensure that you are the rightful owner of the copyright in the work.
Here are some additional details about the work-made-for-hire doctrine:
- The work-made-for-hire doctrine is a default rule that applies if the parties do not have a written agreement specifying otherwise.
- The work-made-for-hire doctrine can be beneficial for employers and independent contractors because it can simplify the process of transferring copyright ownership.
- However, the work-made-for-hire doctrine can also be disadvantageous for employees and independent contractors because it can prevent them from owning the copyright in their own work
B. Copyright Infringement
According to Morgan (2019), “copyright infringement occurs when a party copies all or a substantial amount of a copyrighted work without the owner’s permission.” There are two popular defenses to copyright infringement under the Copyright Act of 1976: the first sale doctrine and the fair use defense. The first sale doctrine allows the resale of copyrighted works after they have been sold by the copyright holder. The fair use defense allows the use of copyrighted works for certain purposes, such as education, literary criticism, research, and social comment (Morgan, 2019).
The fair use defense is a complex one, and the four factors that courts consider in deciding whether it applies are:
- The purpose and character of the use by the defendant, particularly whether it was for profit
- The nature of the copyrighted work
- The amount of work used by the defendant
- The impact of the use by the defendant on markets for the copyrighted work
Copyright infringement can be either direct or indirect. Direct infringement occurs when a party copies all or a substantial amount of a copyrighted work without the owner’s permission. Indirect infringement occurs when a party copies a copyrighted work by using a derivative work that is based on the original work. The fair use defense is a limited exception to the exclusive rights granted to copyright holders. The fair use defense is not available for all uses of copyrighted works, and the four factors that courts consider in deciding whether it applies are not always easy to apply. If you are sued for copyright infringement, you may be able to defend yourself by asserting the fair use defense. However, it is important to note that the fair use defense is not a guarantee of success.
Table 3. Types of Intellectual Property
Type of Right | Purpose |
Patent | Protecting inventions and methods |
Trademark | Protecting indicators of the source of products and services |
Copyright | Protecting original expressions |
Trade Secret | Protecting valuable secrets |
Trade Secrets
Intellectual Property: Trademarks [Youtube] 2013 by Kauggman FoundersSchool
- derives independent economic value, actual or potential, from not being generally known to and not being readily ascertainable by proper means by other persons who can obtain economic value from its disclosure or use, and
- is the subject of efforts that are reasonable under the circumstances to maintain its secrecy (Legal Information Institute, n.d.).
Proper means may include information obtained legitimately from the Internet where no expectation of privacy is present. This process is called reverse engineering and is considered a legal method of obtaining information that may be intended to be secret. As an extension of the Economic Espionage Act of 1996, Congress passed the Defend Trade Secrets Act (DTSA) in 2016 to allow owners of trade secrets the ability to sue when secrets have been misappropriated.
Table 4. Characteristics of the Types of Intellectual Property
Patent | Trademark | Copyright | Trade Secret | |
Interest Protected | Inventions and methods | Indicators of the course of products and services | Expressions in a tangible form | Sensitive & valuable information |
Federal or State | Federal only | Federal and State | Federal only | Primarily State |
Creation Process | Registration with PTO | Use mark in commerce and get stronger protections by filing with PTO | Once in tangible form, stronger protections by filing with CO | Reasonable steps to protect the secrecy |
Duration | 20 years | Indefinite | Life of the author plus 70 years or 120 years from creation | Indefinite |
Costs | High | High | Low | Low |
Conditions for grant of protection | Novel, non-obvious, and of a specific type | Distinctiveness, based on a spectrum | Original expression | Reasonable measures to protect secrecy |
Criminal Liability | No | Yes | Yes | Yes |
Cyber Law
Over the last three decades, the Internet has been the most influential means of information and communication to change our lives. The ability to instantly obtain information and communicate with one another has been instrumental on a global scale. As quickly as technology has evolved, the internet has also provided potential security concerns. The healthcare industry did not embrace emerging technology as quickly as other industries for various reasons. The main reason is the sheer cost of purchasing a product that can hold large amounts of information and protect the privacy of that information. In addition, meaningful use requires the ability of these integrated systems to talk to one another at some point in the future. With the risk of data and privacy breaches at an all-time high, the laws regulating cyber security were creeping slowly into existence. The first cyber law was the Computer Fraud and Abuse Act (CFAA), which was passed by the United States Congress in 1986. The CFAA prohibits unauthorized access to computer systems and data. However, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was not passed until 2009. The HITECH Act provides financial incentives for healthcare organizations to adopt electronic health records (EHRs) and to implement security measures to protect EHR data. Cyber laws on healthcare have also been passed in other countries, such as the European Union’s General Data Protection Regulation (GDPR). The GDPR applies to all organizations that process the personal data of individuals located in the European Union, regardless of where the organization is located. Cyber laws pertaining to healthcare are constantly evolving as technology changes and new threats emerge. Healthcare organizations need to stay up-to-date on the latest laws and regulations so that they can protect patient health information (Morgan, 2019).
Patent
For over four decades, it has been possible to secure a patent for a process that involves a computer program. The U.S. Supreme Court has affirmed that software can be patented because it includes a mathematical formula that puts a formula into practice within a structure or process.
A unique challenge arises when it comes to a specific category of utility patent applications, especially in the context of software and internet-based businesses. These applications seek patents for innovative ways of conducting business, known as business method patents. Examples include Amazon.com’s one-click shopping system and Priceline.com’s online reverse auction. The U.S. Supreme Court supports the patenting of business methods, provided they meet the criteria of novelty and non-obviousness and fall within an acceptable subject matter category. However, a significant challenge in obtaining patent protection for business methods is demonstrating that these methods go beyond abstract ideas, as abstract ideas are not eligible for patents (Morgan, 2019).
Recognizing the potential impact of granting patents for internet-related business methods on commerce, a portion of the America Invents Act of 2011 (AIA) introduced streamlined post-issuance review procedures for certain types of business method patents. This review process is limited to patents that involve data processing or other operations related to financial products or services, excluding those covering technological innovations. In one notable case, the Patent Trial and Appeal Board (PTAB) declared in 2013 that a previously granted business method patent was invalid because it was deemed “abstract.” This decision had a significant impact, as the patent holder had previously won a $345 million infringement case against a challenger. Consequently, the PTAB’s decision nullified the infringement judgment (Morgan, 2019).
Trademark
Website operators, online content owners, and software developers have the freedom to use trademarks in the digital realm. A famous example is AOL’s use of the trademark “You’ve got mail” online. This means that both trademark infringement and trademark dilution can occur in the online space. Certain practices, such as linking to other websites, deep linking, and deploying pop-up ads, can potentially violate trademark protections. For instance, there was a case where a defendant’s software used a plaintiff’s trademark to generate pop-up ads, but the court didn’t find infringement because the ads never displayed the trademark, and they opened in new windows, reducing the likelihood of confusion. However, the legal landscape regarding trademark infringement through pop-up advertising is uncertain and will evolve over time (Morgan, 2019).
When someone registers a domain name that is identical or very similar to a trademarked domain with the intent to profit unfairly from another’s trademark, it constitutes “cybersquatting” under the Anticybersquatting Consumer Protection Act (ACPA) passed in 1999 by Congress. Violating the ACPA can lead to statutory damages ranging from $1,000 to $100,000 per domain name involved in cybersquatting. Alternatively, successful plaintiffs can receive actual damages, and courts have the authority to award triple actual damages due to the “bad faith” element of this action. Typically, cybersquatters are compelled to transfer the domain to the legitimate trademark owner, and in exceptional cases of wrongful domain name registration, attorney’s fees may also be awarded (Morgan, 2019).
Copyright
Copyright law is a crucial tool for protecting intellectual property in the digital age. Most content on the internet is copyrighted, and the act of sharing this material involves making copies. Copyright safeguards the tangible expression of information but not the underlying idea. For example, while the idea behind a computer game cannot be copyrighted, the computer program running the game can be. This means that someone can create a similar game as long as they use a different program. The fair use doctrine applies to software, allowing copyrighted software to be used in educational settings without requiring permission or royalties (Morgan, 2019).
In 1980, amendments to the Copyright Act extended copyright protection to certain aspects of computer programs. A computer program is defined as a set of instructions that a computer uses to achieve a specific outcome. Courts have made it clear that literal copying, where the actual code is duplicated, constitutes copyright infringement. Even disguising the origin of a copy doesn’t usually prevent copyright holders from proving this type of infringement. However, when it comes to nonliteral elements like structure, sequence of operations, interfaces, and functions that can be copied without directly duplicating the code, courts have had mixed opinions on whether they are subject to copyright protection (Morgan, 2019).
In 1998, Congress passed the Digital Millennium Copyright Act (DMCA), which focuses on preventing the circumvention of copyright protection systems for digital content like software, music, videos, and books. The DMCA provides limited liability for Internet service providers (ISPs) and websites. They are not held liable for copyright infringement unless they are aware of a subscriber’s violation. Additionally, ISPs and websites hosting infringing material must follow specific procedures, such as responding to takedown notices, to secure protection under the DMCA’s safe-harbor provision (Morgan, 2019).
Trade Secret
Trade secret protection is a vital aspect for most businesses, as it applies to creative ideas at various stages of development. Trade secret law safeguards product ideas and information, often superior to trademark and copyright protection. Trademark protection primarily focuses on specific product characteristics, while copyright law only safeguards the expression of an idea. In contrast, trade secret law offers broader protection without requiring disclosure, unlike patent registration, which demands that an invention be novel and non-obvious. For trade secrets, the main criteria are that the information is valuable and reasonable efforts have been made to keep it secret (Morgan, 2019).
However, businesses must strategically approach the protection of their trade secrets. Implementing reasonable security measures is crucial in determining whether something qualifies as a trade secret. For instance, in industries like computer and Internet-related businesses, where employee turnover is high, it’s vital to take comprehensive precautions. Confidentiality agreements and non-disclosure agreements (NDAs) are commonly used to ensure the protection of trade secrets. Moreover, efforts should be made to restrict access to trade secrets only to employees who genuinely require it. For example, encryption is employed to prevent access to software codes, and decryption capabilities are granted only to those with a legitimate need (Morgan, 2019).
The implementation of provisions from the Uniform Trade Secrets Act (UTSA) throughout most of the United States has created a uniform framework to ensure consistency in defining trade secrets, determining what qualifies as reasonable measures to maintain secrecy, and specifying the remedies available in cases of misappropriation (Morgan, 2019).
Key Takeaways
- A commitment to healthcare privacy has been guided for centuries through codes of ethics and now with laws to protect the patient-provider relationship.
- There are a few exceptions to these principles including communicable diseases, wounds from acts of violence, and suspected abuse.
- HIPAA (1996) provided protocols for safeguarding personal information, and HITECH (2013) added further protection for electronic medical record data. HITECH was amended in 2021 to provide safe harbor provisions in the event of a data breach if adherence to the Security Rule is observed.
- Examples of data breaches include lost/stolen electronic devices, disposal of materials with identifiable information, hacking, and thrid-party mistakes. In the event of a data breach, several notification steps are required.
- Patents are federally-protected inventions.
- Trade secrets are state-protected valuable secrets.
- Copyrights protect original expressions but not ideas or facts.
- Trademarks protect the source of a product or service (sign, symbol, design, or expression).
References
- faqqs.org (n.d.) Lymphatic system to movement disorders. Medical ethics. http://www.faqs.org/health/topics/24/Medical-ethics.html#ixzz7tsvMXCKa
- Legal Information Institute. (n.d.) trade secret. https://www.law.cornell.edu/wex/trade_secret#:~:text=Overview,Columbia%20have%20adopted%20the%20UTSA.
- Loyola University Chicago (2023). HIPAA @ Loyola: The 18 HIPAA Identifiers. https://www.luc.edu/hipaa/policiesandguidelines/the18hipaaidentifiers/
- McKeon, J. (2023). Average healthcare data breach costs surpass $10M, IBM finds. Health IT Security. https://healthitsecurity.com/news/average-healthcare-data-breach-costs-surpass-10m-ibm-finds#:~:text=July%2027%2C%202022%20%2D%20Healthcare%20data,41.6%20percent%20increase%20from%202020.
- Morgan, J. F. (2019). Business Law, 6th ed., BVT Publishing.
- Palatty, N. J. (2023). 80+ Healthcare Data Breach Statistics 2023. Astra. https://www.getastra.com/blog/security-audit/healthcare-data-breach-statistics/
- Perry, J. E., & Thompson, D. B. (2017). Law and ethics in the business of healthcare. West Academic Publishing.
- The HIPAA Journal. (n.d.) What is the HITECH Act? https://www.hipaajournal.com/what-is-the-hitech-act/
- U.S. Copyright Office (2021). Circular 30: Works Made for Hire. https://www.copyright.gov/circs/circ30.pdf
- 35 U.S. Code § 285 (July 19, 1952, ch. 950, 66 Stat. 813.)
privacy refers to the freedom from intrusion into one's personal matters, and personal information.
When a therapist determines, or pursuant to the standards of his profession, should determine, that his patient presents a serious danger of violence to another, he incurs an obligation to use reasonable care to protect the intended victim against such danger.
Confidentiality refers to personal information shared with an attorney, physician, therapist, or other individual that generally cannot be divulged to third parties without the expressed consent of the client.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
The HITECH Act encouraged healthcare providers to adopt electronic health records and improve privacy and security protections for healthcare data. This was achieved through financial incentives for adopting EHRs and increased penalties for violations of the HIPAA Privacy and Security Rules.
“Covered Entity,” which includes any health insurance plan, billing company/healthcare clearinghouse, or healthcare provider that collects or transmits electronically any “protected health information” or PHI, which is the second important category.
PHI is defined as any identifying information, whether oral or recorded that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and which relates to past, present or future physical or mental health of individual, or past, present, or future payment for health care services, that might identify the patient, including medical history, clinical findings, test results, prior procedures, insurance coverage, and demographic data.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
When a party copies all or a substantial amount of a copyrighted work without the owner's permission.
A legal cause of action occurring when someone uses the trademark of the rightful trademark owner without permission in the sale of goods and services in a manner in which there is likely to be confusion in the mind of the consumer as to the true source of the goods or service.
Occurs if one discloses a trade secret or uses a trade secret where the trade secret was obtained improperly.
Legal matters associated with the internet, computers, and software, particularly as relating to business