Data Privacy

How to Prepare for New State Health Privacy Laws

New state privacy laws regulating health data impose significant obligations and heightened risks. In addition to existing laws in California, Colorado and other states, Washington State’s My Health My Data Act and Nevada’s Consumer Health Data Privacy Law take effect in March 2024 and will require new or updated privacy notices, enhanced consent and many other compliance steps. Increasing regulator scrutiny of these issues and a new private cause of action in Washington make these laws top compliance priorities.

These laws impact entities ranging from healthcare providers and plans handling non-HIPAA health information online to pharmaceutical, fitness, wellness, identity verification and consumer goods companies. Join our health information privacy lawyers Elliot Golding and Sam Siegfried on March 12 to understand how these laws apply to your company and what you need to do now to prepare.

Discussion topics include:

  • The scope, applicability and requirements under state privacy laws related to health data
  • A deep dive into complex issues arising under these laws, such as the use of cookies and online tracking technologies
  • Benchmarking and practical recommendations for complying with these new requirements and building a harmonized compliance program


Digital Health 101: OCR Issues Resources to Educate Patients on Telehealth, PHI

BACKGROUND

On October 18, 2023, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) issued two resource documents to help explain the privacy and security risks to patients’ protected health information (PHI) when using telehealth services, along with ways to reduce these risks. In a press release announcing the guidance, OCR Director Melanie Fontes Rainer stated that “[t]elehealth is a wonderful tool that can increase patients’ access to [healthcare] and improve [healthcare] outcomes. [Healthcare] providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices, so patients are confident that their health information remains private.”

These new resources exemplify the trend of increased scrutiny in the digital health environment, aimed at ensuring that patient data is protected, secured and confidential (including with respect to pixel technology disclosures, artificial intelligence usage guidelines, state-level data privacy laws and medical board guidelines).

IN DEPTH

Resource #1: Outlining the Risks of Telehealth

With the release of this educational resource, developed on a recommendation from the Government Accountability Office (GAO) in a September 2022 report, OCR intends to help healthcare providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications for telehealth.

OCR notes that the Health Insurance Portability and Accountability Act Privacy, Security and Breach Notification Rules (HIPAA Rules) do not require covered healthcare providers to educate patients about privacy and security risks. However, OCR’s educational resource is intended to assist providers who would like to 1) explain the privacy and security risks to patients’ PHI when using telehealth services and 2) share ways to reduce these risks. This information may also be helpful to a patient’s family or personal representative. HHS encourages and reminds providers to be mindful of inclusionary mechanisms when communicating with individuals with disabilities (e.g., providing auxiliary resources, using language assistance services or providing written translations of materials).

The educational resource provides suggestions for discussing the following:

  • What telehealth is, and which technologies will be used during the telehealth encounter
  • The importance of PHI privacy and security
  • Risks and mitigation strategies when PHI is shared, stored or transferred using remote communication technologies
  • Which communication technology vendors are used in delivering the services and how to view their privacy and security policies
  • The right to file a privacy complaint with OCR under HIPAA

Resource #2: PHI Security Tips for Patients

OCR’s patient tips resource provides recommendations that patients can implement to protect their privacy, security and confidentiality when interacting via telehealth technologies, including the following:

  • Conducting the telehealth appointment in a private location (e.g., a private room or a parked car), wearing headphones and avoiding using a speakerphone
  • Turning off nearby electronic devices that may overhear or record information
  • Avoiding using a [...]


How Not to Lose $1 Million: Preparing for OIG’s Information Blocking Enforcement

OIG’s long-awaited final rule on investigating and imposing penalties for information blocking dropped in July 2023 and is effective as of Sept. 1, 2023 – almost three years after OIG released its proposed rule (April 2020) and two years after the start of information blocking compliance on April 5, 2021. The final rule codifies OIG’s authority to investigate information blocking complaints, including against developers of certified health IT and health information networks/health information exchanges (HIN/HIEs), and assess civil monetary penalties (CMPs) of up to $1 million per violation.

OIG defined a “violation” as a practice that constitutes information blocking as set forth in ONC’s information blocking regulations—a broad definition that is important because each distinct act or omission could be subject to a separate $1 million CMP. OIG also provided examples of what it would consider constituting a single violation versus multiple violations subject to multiple CMPs:

  • Single Violation: A certified health IT developer denies a single request by a healthcare provider to receive multiple patients’ EHI via an API and no legal requirement or information blocking exception applies. OIG would consider this a single violation even though it would result in preventing access to multiple patients’ EHI.
  • Multiple Violations: A certified health IT developer takes multiple separate actions to improperly deny multiple individual requests by a healthcare provider for EHI through an API. Each separate action would be considered a separate violation.

OIG has stated that while it does not intend to impose CMPs on conduct that occurred before Sept. 1, 2023, it may consider a regulated entity’s behavior from the April 2021 compliance date onwards in deciding if alleged information blocking conduct was part of a pattern of behavior. Other factors OIG anticipates considering when deciding penalty levels include the nature, circumstances, and extent of the information blocking and resulting harm, including the number of patients and/or providers affected and the number of days the information blocking persisted. OIG will also consider other factors, such as the degree of culpability, history of prior offenses, and other wrongful conduct.

When deciding whether to pursue a particular information blocking allegation, OIG indicated that it plans to prioritize enforcement for actions that:

  • Resulted in/had the potential to cause patient harm;
  • Significantly impacted providers’ ability to care for patients;
  • Are of long duration;
  • Caused financial loss to Medicare, Medicaid, or other federal healthcare programs or private entities; and
  • Were performed with actual knowledge.

Each allegation will require a facts and circumstances analysis, which OIG will conduct in coordination with ONC and other federal agencies as appropriate. Further, while OIG’s enforcement priorities may inform its decisions about which allegations to investigate, OIG states that the priorities are not dispositive, meaning it can investigate any allegations it chooses.

READ THE FULL ARTICLE ON THE HIMSS ELECTRONIC HEALTH RECORD ASSOCIATION BLOG HERE.


Top Takeaways | 2023 PPM-ASC Symposium | Leveraging Data Collaborations for Revenue Growth

In this session, the panelists discussed the successes and challenges of a data collaboration between Gastro Health and Lynx.MD, and provided real-world insights into how a physician platform can harness its data to enhance patient care and generate additional revenue while maintaining compliance with applicable privacy and security regulations.

Session panelists included:

  • Omer Dror, Founder and Chief Executive Officer, Lynx.MD
  • Rich Weissmark, Senior Vice President of Strategic Operations, Gastro Health
  • Moderator: Stephen Bernstein, Partner, McDermott Will & Emery

Top takeaways included:

  • Organizing and understanding patient data can require a large up-front investment, as it can be costly, time-consuming and challenging. This is often the largest hurdle in data collaborations, but once that step is addressed, the ability to harness the data for patient care and research can be exponentially valuable over time.
  • Data has a multitude of uses, e.g., internally within a practice to improve patient care and externally with life sciences partners and other stakeholders to analyze trends and forge innovation (provided that data shared externally is properly deidentified, or takes the form of a limited data set that is subject to proper data-use agreements). A physician practice with curated data that can be meaningfully used will be far better positioned to discuss and negotiate value-based care and alternative payment models with various payors.
  • While some data modeling focuses on just one use, the best opportunities may come from innovations that consider all of the other potential uses for the data. The specific disease states that are of interest to clinicians delivering care are often the same as those that interest life sciences companies. As a result, this is an opportunity for cost savings: collecting the data once, transforming it into separate deidentified data cuts and then using it for different purposes, which can include potential revenue-sharing opportunities relative to deidentified data sets.
  • Practices that want to develop data sets and forge data collaborations should act with intention in negotiating contracts that involve data and anticipate what data they may need in the future. If practices give away data rights too soon, it may be difficult to ensure future flexibility and opportunities for that data. Contracts could be with electronic medical records (EMR) companies, pharmaceutical companies and various vendors, so practices should review these contracts closely and try to keep options open for future opportunities.
  • Healthcare data is inherently sensitive and heavily regulated. In addition to putting strong data-governance policies in place that support Health Insurance Portability and Accountability Act (HIPAA) regulations, companies looking to build a data strategy should make sure to consult with legal counsel in developing a plan to use the data. Data privacy and security, deidentification, the creation of limited data sets, data rights, and the level of trust between a physician platform and its data-sharing partners should all be considered before attempting to form a data collaboration.
  • Innovative use of technology and associated data use can be a differentiating factor in recruiting younger physicians who are excited about [...]


Key Takeaways | Global Perspectives on Data Sharing and Privacy

During this session, the panel discussed strategies and business considerations when addressing compliance with the wide array of data protection and privacy laws and regulations across the United States and abroad. The panel shared insights on compliance and monitoring strategies as well as best practices in working with internal stakeholders.

Session panelists:

  • Rebecca Daley, Esq., Senior Associate Counsel, Office of the General Counsel, University of Maryland Medical System
  • David Linestky, Senior Vice President, Life Sciences, Phreesia
  • Roshal Marshall, Managing Chief Counsel, Enterprise Data Privacy, Security and Technology Law, McKesson Corporation
  • Erik Phelps, Executive Vice President, Chief Administrative and Legal Officer, Tempus Labs, Inc.
  • Sharon Lamb, Partner, McDermott Will & Emery
  • Moderator: Amy Pimentel, Partner, McDermott Will & Emery

Top takeaways included:

  • Saying that the privacy landscape is “dynamic” is an understatement. The rapidly evolving landscape is challenging to operationalize, as many companies find that their lines of business operate under different (and often overlapping) areas of the regulatory framework.
  • As digital health solutions continue to be embedded in traditional health offerings, one challenge that lies ahead is the ability to “future proof” compliance strategies. It will be critical to remain flexible as future collaborations present opportunities for industry growth and development.
  • It is crucial for business leaders to understand their organization’s data collection, storage and sharing processes and how they want to leverage data as an asset. This knowledge is particularly important when designing data strategies, designing notices and consents, and leveraging contractual protections in current and future partnerships.


State Privacy Patchwork Spreads with Signing of Colorado Privacy Act

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, the latest in the recent wave of state privacy legislation but unlikely to be the last. The CPA will take effect July 1, 2023, six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective. Organizations subject to the new Colorado law will have to prepare for new consumer rights and restrictions with respect to Colorado consumers’ personal data. What follows are key takeaways from the CPA and the implications for businesses grappling with the changing privacy landscape in the US.

Applicability and Exemptions

Not all organizations will be covered by the new CPA. To be subject to the law, an organization must do business in Colorado and meet one of the following requirements:

  • The organization processes data on 100,000 or more Colorado consumers annually.
  • The organization processes data on 25,000 or more Colorado consumers annually and “sells” any personal data.

This applicability threshold sets a relatively high bar, and many companies that are subject to the California Consumer Privacy Act of 2018 (CCPA)/CPRA may not meet these thresholds in Colorado.

There are a number of exemptions and limitations built into the Colorado law. Personal data regulated under existing federal privacy regimes, such as the Health Insurance Portability and Accountability Act (HIPAA), will be exempt from the CPA, as will personal data about employees and others “acting in a commercial or employment context.” Further, the CPA’s substantive requirements will not limit organizations’ ability to process data for legal compliance, fraud prevention, security, contract fulfillment or any “internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship” with the organization.

Substantive Rights Largely Mirror Other State Privacy Laws

The CPA establishes a number of substantive rights that Colorado consumers will have with respect to their personal data. In general, these rights mirror those in the existing laws in California and Virginia, including the following:

  • Notice. Covered organizations will be required to disclose data collection and processing details in their public-facing privacy policies. In addition, a new “duty of purpose specification” requires that companies identify the “express purposes for which personal data are collected and processed.” Whether existing privacy policies are sufficiently “express” for these purposes will be an important consideration for organizations under the CPA and one that will likely lead to both confusion and potential regulation in the future.
  • Access, Correction and Deletion. Consumers will have the right to access, correct and delete their personal data. For the right to access, businesses will be required to provide data in a portable format where feasible.
  • Opt Out. Consumers have the ability to opt out of data “sales,” targeted advertising and high-risk automated “profiling.”
  • Opt In. As with the CDPA, businesses must seek opt-in consent before collecting or processing “sensitive personal data,” which includes data revealing an individual’s race, ethnicity, religious beliefs, [...]


Access To Digital Health Applications And Digital Care Applications In Germany

On 20 January 2021, the German Federal Cabinet approved the draft law on the digital modernization of healthcare and nursing care. The draft has been criticized for not taking into account lessons learned from the implementation of the 2019 digital health applications law.

The legally enforceable right of patients insured in the German statutory healthcare system (SHI) to access digital health applications (DiGAs) was included in the German SHI code (SGB V) at the end of 2019.

DiGAs are low-risk medical devices (risk class I and IIa) that are primarily based on digital technologies and support the detection, monitoring, treatment, or alleviation of diseases, injuries, or disabilities. Under the SGB V, DiGAs have to be approved by the German Federal Institute for Drugs and Medical Devices (BfArM) and included in the DiGA List before doctors can prescribe them to their patients on an individual basis and at the SHI’s expense. Among the DiGAs listed by BfArM since the first listing in October 2020 are those that support patients with light depression, insomnia, obesity, or tinnitus.

Read more in our latest edition of International News.


Top Takeaways | Cybersecurity & Insurance Coverage in the Age of Telehealth: Understanding and Mitigating Your Risk

With more frequent and more severe ransomware attacks against health care platforms and vendors and the increasing use of telemedicine, it is critical to understand how to proactively defend your organization using robust legal, regulatory and cyber-coverage strategies. In this webinar, McDermott partners Dale Van Demark and Edward Zacharias joined Brett Buchanan of Marsh & McLennan Agency and Larry Hansard of Gallagher USA to explore the intersection of telemedicine and cybersecurity. Our panelists offered attendees a road map for navigating this rapidly changing space, including practical strategies for shoring up their defenses and addressing potential risks to their businesses.

  1. Providers engaging in telemedicine should consider three critical areas of insurance coverage: medical professional liability, technology errors and omissions, and cyber/privacy liability. “Several carriers have packaged these three important coverages into a one-policy format, referred to as a virtual health program,” Hansard said.
  2. A medical professional liability program should include incident reporting, punitive damages, and sexual abuse and molestation. The latter may seem surprising in a telemedicine context, but is important given reports of inappropriate patient behavior during telemedicine encounters, Hansard said.
  3. New telehealth technologies, such as AI chatbots for patient intake, create new and more complex bodily injury exposures, Buchanan said. “Working with an insurance underwriter that understands these nuances is absolutely key,” he said. In addition to bodily injury, coverage should include technology errors and omissions, cyber liability and general liability.


Brexit/GDPR: European Commission Publishes Draft Adequacy Decision for Data Transfers

On 19 February 2021, the European Commission published the draft for an adequacy decision regarding transfers of personal data to the UK. For businesses in the European Union (and EEA) who transfer data to business partners and vendors in the UK, it will be crucial that the final decision is made before the end of June 2021.

Thanks to an additional transitional period for data transfers in the last-minute EU-UK Trade and Cooperation Agreement (TCA), the worst fears of data protection experts that the UK could become a “third country” overnight did not materialise. However, this period ends no later than June 2021.

While the chances that the final decision will be issued in time have now increased, companies in the EU/EEA should be aware that this is not guaranteed. If the Commission fails to authorize data transfers to the UK, businesses should – if no other safeguards are present – be prepared to enter into the standard contractual clauses (SCCs, aka Model Contracts) in order to comply with the GDPR.

McDermott can help you with identifying data transfers to the UK and choosing the right SCCs.

