Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing

Blockchain is rapidly becoming the focus of conversations regarding health care disruption, and for good reason. What started out as a means for cryptocurrency is now making waves in a variety of industries, set to revolutionize how data is stored and shared.

The inability to easily and securely store and share data has long been a burden on the health system. Blockchain poses a solution to that through encryption and highly advanced technological assets which open the doors to health care innovation. Today we see blockchain being used with electronic health records (EHRs) so that a patient’s medical history is easily accessible to him/her, as well as his/her doctors, insurance providers, etc. It’s also providing the “how” in implementing value-based payment agreements, which link payment to performance of a drug or medical device. Blockchain is currently being used both in the private and public sectors, including the FDA and the CDC. While the full potential of this new technology is not yet known, the industry seems eager to find out.

Ahead of this year’s J.P. Morgan Healthcare Conference, we sat down with Lee Schneider, our top blockchain thought leader, to talk specifically about how this new technology is revolutionizing (or has the potential to revolutionize) the health care space.
Continue Reading

In the final days of 2017, the vice chairman of the Standing Committee of China’s National People’s Congress (NPC) submitted a report to the Standing Committee of the NPC detailing the Network Security Law enforcement inspection project that began earlier in the year. This inspection had focused on five key points under the government’s overall data protection strategy:

  • Legal education
  • Supporting laws and regulations
  • Protection of critical information infrastructures and the application of graded protection for network security
  • Illegal network information
  • Personal information protections


Continue Reading

As the Federal Communications Commission repeals the Open Internet Order—more commonly known as the net-neutrality rules—health care consumers and providers have been left wondering how this change will affect their ability to receive and deliver health care using digital health tools. In this On the Subject, we outline how changes in internet access will

China’s new data protection framework clearly creates a requirement for local storage and conducting a security assessment before personal information or important data is shared with other jurisdictions, but it is currently much less clear what types of entities fall under this requirement.

Localization and Transfer Assessment Requirements Related to CII Operators

Under the People’s Republic of China Network Security Law, also known as the Cybersecurity Law, personal information and important data collected and generated in the operation of critical information infrastructure operators (CII operators) is required to be stored in China and, before providing that information abroad, a security assessment is required to be passed. This new requirement caused a significant amount of concern for entities that fall within the category of CII operators because of the need to potentially restructure their data systems, but there was also a general appearance of acceptance within the business community due to the relatively targeted scope of the definition of CII operators and acknowledgement that critical infrastructures require elevated protections.
Continue Reading

Although the Illinois Biometric Information Privacy Act has been on the books for almost 10 years, a recent surge in lawsuits has likely been brought on by developments in biometric scanning technology and its increased use in the workplace. At least 32 class action lawsuits have been filed in recent months by Illinois residents in

In September, the Office of the National Coordinator for Health Information Technology (ONC) announced that it is scaling back requirements for third-party certification of criteria related to certified electronic health record (EHR) technology (CEHRT). Going forward, ONC will allow health developers to self-declare their products’ conformance with 30 of the 55 certification criteria.

ONC will

On September 29, the Federal Trade Commission (FTC) formally announced a December 12th workshop on informational injury—the injury a consumer suffers when information about them is misused. The workshop will address questions such as, how to characterize and measure such injury and what factors businesses and consumers should consider the benefits and risks of collecting, using and providing personal information so as to gain further perspective for how the FTC should apply its legal framework for privacy and security enforcement under 15 USC § 45 (Section 5). In her September 19th remarks to the Federal Communications Bar Association, Commissioner Maureen Ohlhausen, the Acting Chairman of the FTC, metaphorically characterized the workshop’s purpose as providing the next brushstrokes on the unfinished enforcement landscape the FTC is painting on its legal framework canvas. The full list of specific questions to be addressed may be accessed here.

Background. The FTC views itself as the primary US enforcer of data privacy and security, a role it recently assumed. While the FTC’s enforcement against practices causing informational injury through administrative proceedings goes back as far as 2002, its ability to pursue corporate liability for data security and privacy practices under its Section 5 “unfair or deceptive trade practices” jurisdiction was only ratified in 2015 by the US Court of Appeals for the Third Circuit in FTC v. Wyndham Worldwide Corporation. The FTC has actively invoked its enforcement authority but, in doing so, has been selective in determining which consumer informational injuries to pursue by questioning the strength of evidence connecting problematic practices with the injury, examining the magnitude of the injury and inquiring as to whether the injury is imminent or has been realized.
Continue Reading

Following the first enforcement actions by local authorities in Shantou and Chongqing for violations of the new Network Security Law that came into effect this year, authorities in China have recently shown a clear initial focus with several new cases targeting provisions of the law that require monitoring of platform content. As of the start of October 2017, enforcement actions by authorities in China have targeted platform content violations in nearly 70 percent of all actions under the new provisions of the data protection rules.


Continue Reading

The validity of Model Clauses for EU personal data transfer to the United States is now in real doubt as a result of a new Irish High Court judgment stating that there are “well founded grounds” to find the Model Clauses invalid. The issue of Model Clauses as a legitimate data transfer mechanism will now