Data Privacy

Challenges and Opportunities in MedTech, Innovation and Digital Health

A recent McDermott roundtable on European health private equity generated key insights into the future of medtech, digital health, and data analytics, and identified opportunities for companies and investors.

Digital health solutions are widely considered to be the next big growth market. Healthcare lags significantly behind other industries when it comes to digitization, but the potential opportunities are driving developers, healthcare providers, and investors to find solutions.

PATIENT CARE
A key point to bear in mind about healthcare technology is that success and adoption may often be measured by the quality of the users’ experience, the resulting clinical outcomes, short- and long-term cost savings, and the resulting margin for both investors and the health care system at large. These multi-faceted goals are best illustrated by the demands for i) greater efficiency, and ii) better patient outcomes.

Efficiency is typified by, for example, streamlined bookings and appointment reminders, algorithms that triage patients to ensure they are seen by the right person at the right time, and in-home patient monitoring after patients are discharged. Patient take-up is also an excellent gauge of efficiency: for example, a high-tech product that measures and reports blood sugar is of no value if the interface is too complicated for an older population.

Better outcomes result from clinicians gathering and using data to determine the right treatment in the fastest possible time, and are demonstrated, for example, by permanent lifestyle changes, improvements in self-care or care outside hospital, accurate drug dosage and use of medicines, and, in direct contrast with other sectors, reduced, rather than increased, service usage.

PRIVACY AND REGULATORY HURDLES
One of the most obvious challenges inherent in digital health is data privacy and security. Stemming from that are issues relating to control of the data, the right to use it, and ownership of the analysis. The most successful companies are those that, from the very beginning, understand the regulatory landscape in which they are operating; are transparent in terms of where their data comes from; make clear the type of data at issue, be that identifiable, pseudonymized, anonymized, or something in between; and identify who will control what data in what form. The ability to marry up these factors is a key part of any new entrant’s value proposition.


Getting Cross-Industry Collaborations Right, Part 2: All About That Data

As discussed in the first post in this two-part series, new players from outside the traditional healthcare paradigm are joining forces with hospitals, health systems and other providers to drive unprecedented innovation. These unexpected partnerships are bringing new solutions to market and changing how business is done and care is delivered.

Many of these collaborations revolve around data and data sharing arrangements. Traditional health industry stakeholders such as hospitals and health systems (HHSs) are partnering with technology companies—both established and start-up—to develop and market digital health solutions that engage patients beyond the brick-and-mortar clinical setting. Digital health tools are making it easier for patients to receive care in a mobile setting and access their health data across various platforms and sources. These innovative partnerships thus hold out the possibility of delivering better, faster, more targeted care.

Addressing Community Concerns

At the same time, digital health collaborations can encounter challenges regarding data privacy and security, permissions and ownership. Historically, health data was housed in one place—within the health institution. But with the rise of digital health tools, health data has become ubiquitous, raising fears about how it may be used, aggregated and shared.


Can We Expect to See ONC’s Final Rule on Information Blocking Soon?

A recent update to the Office of Management and Budget (OMB) website suggests that the answer is “yes”—though that depends on how one defines “soon.” According to its website, OMB received the Office of the National Coordinator for Health Information Technology’s (ONC’s) final rule, entitled 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, for review on October 28, 2019.

Based on the rule title, it appears that ONC is ready to finalize its proposals concerning information blocking and related exceptions. Earlier this year, ONC issued a proposed rule that, among other things, proposed to define information blocking and establish seven exceptions to the broad prohibition for reasonable and necessary activities that should not be considered information blocking. For more information about the information blocking provisions of ONC’s proposed rule, see our earlier On the Subject articles on the proposed rule.

OMB review is one of the final steps in the process before a rule is published in the Federal Register. OMB did not identify a deadline for completing its review. The agency generally has up to 90 days to complete its review, and while it can take less time, OMB took longer with ONC’s proposed rule.

ONC received more than 2,000 public comments on its proposed rule, many of which related to information blocking topics such as the broad scope of the proposed definitions for certain covered actors—e.g., health information exchanges and health information networks—as well as the scope of the definition of “electronic health information.” Several large industry stakeholders recently wrote a letter to Chairman Lamar Alexander and Ranking Member Patty Murray of the Senate Committee on Health, Education, Labor and Pensions raising concerns about ONC’s rulemaking efforts to date and recommending, among other things, that ONC issue a Supplemental Notice of Proposed Rulemaking (SNPRM) to seek further input from stakeholders on various information-blocking-related issues. While we do not know the ultimate contents of ONC’s final rule, it does not appear that ONC has pursued the SNPRM path to gain additional public input.

While we wait for ONC to publish its final rule on key policy decisions that will shape the information blocking enforcement landscape moving forward, please do not hesitate to contact your regular McDermott lawyer or any one of the authors of this blog post if you have questions or need assistance related to information blocking.


New Podcast: Whose Data is it Anyway? Collaboration in Digital Health

The demand for healthcare innovation is driving collaboration between formerly disparate healthcare companies and bringing new players, such as technology companies and start-ups, into an already complex space. As companies build partnerships and pool resources – particularly healthcare data – data ownership presents numerous challenges that need to be addressed throughout the lifecycle of the collaboration. In this episode of the Of Digital Interest podcast, McDermott partners Jiayan Chen and Jennifer S. Geetter explore:

  • Key concerns for companies executing data-driven collaborations
  • Consumer expectations surrounding data use, data privacy and their impact on digital health collaborations
  • The role of HIPAA and federal and state regulators in regulating data use
  • Common questions about secondary use and identifiable and deidentified data
  • Commercialization strategies and “green flags” for identifying the right collaboration partner


Keeping Pace in the GDPR Race: A Global View of Progress

In preparation for GDPR compliance, organizations around the globe worked months in advance of the deadline to ensure compliance. But what happened after the date of effectiveness? McDermott set out to learn how companies fared across the United States, Europe, China and Japan.

In digging deeper, we discovered valuable findings, including:

  • Countries and regions are at different points in their GDPR compliance awareness and execution journeys.
  • Businesses across the globe continue to face challenges in understanding and responding to EU data breaches, despite making investments in new personnel and changing business practices.

In partnership with the Ponemon Institute, we released our latest study, “Keeping Pace in the GDPR Race: A Global View of GDPR Progress in the United States, Europe, China and Japan.” This report sheds new insight and provides ways to improve resiliency and mitigate risk for your company.


Digital Health in the UK: The New Regulatory Environment Under the Medical Device Regulation

Investment in artificial intelligence (AI) and digital health technologies has increased exponentially over the last few years. In the United Kingdom, the excitement and interest in this space has been supported by NHS policies, including proposals in the NHS Long Term Plan, which set out ambitious aims for the acceleration and adoption of digital health and AI, particularly in primary care, outpatients and wearable devices.

Although these developments are encouraging to developers, there is still no clear framework for reimbursement or tariffs for digital health tools and AI.

At the same time, the plethora of new technologies has led to increased calls for regulation and oversight, particularly around data quality and evaluation. Many of these concerns may be addressed by the new Medical Device Regulation (MDR) and other regulatory developments. In fact, there is some risk that while the regulatory landscape is moving quickly, the pricing environment is still some way behind.

In May 2020, the new MDR will change the law and process of certification for medical software. The new law includes significant changes for digital health technologies which are medical devices. In March 2019, the National Institute for Health and Care Excellence (NICE) also published a new evidence standards framework for digital health technologies. The Care Quality Commission (CQC) already regulates online provision of health care, and there are calls for wider and greater regulation. The government has also published a code on the use of data in AI.

Digital Health Technologies and the MDR

The new MDR will mean a significant change to the regulatory framework for medical devices in the European Union.

As with the previous law, the MDR regulates devices through a classification system.

The new regime introduces new rules for medical software that falls within the definition of device. This will mean significant changes for companies that develop or offer medical software solutions, especially if their current certification has been “up-classed” under the MDR.

Key Takeaways for Investors in Digital Health Tools

Companies and investors in digital health should:

Health Care Data Compliance in China: 4 Key Questions and Compliance Steps for Multinationals

This post was guest authored by lawyers from MWE China Law Offices, McDermott Will & Emery’s strategic alliance in Shanghai. 

Data compliance in China’s health care industry is multifaceted and highly sensitive, and applies to numerous types of data generated across the continuum of care. Multiple pieces of legislation prescribe complex regulatory requirements governing different types of data, and various supervisory authorities frequently conduct inspections and investigations, paying special attention to health care multinationals with operations in China.

This article explores four key questions on the regulatory requirements for health care data in China, along with key compliance steps for multinationals throughout the entire life cycle of health care data, including collection, storage, transfer and use.

1. What types of health care data are regulated in China? What are the key compliance points related to these types of health care data?

Data compliance rules apply to various sources and types of health care data, including medical record information, medical insurance information, health care logs, human genetic resources, medical experiments and scientific data. The table below lists the various types of health care data governed by China’s laws and regulations related to health care and personal information, as well as the key regulatory compliance focus for each category.

Each entry below gives the category, its definition under the governing instrument, and the key regulatory compliance focus.

Health Care Big Data

  Definition (The Administrative Measures on Standards, Security and Services of National Healthcare Big Data (for Trial Implementation)): Data relating to health care generated in the course of disease prevention and control as well as health management. Note: the Measures do not clarify what data qualifies as health care “big” data.

  Key regulatory compliance focus:
  • Localisation and storage
  • Transfer: Cross-border data transfer is subject to security assessment.

Human Genetic Resources

  Definition (The Interim Administrative Measures for the Management of Human Genetic Resources): Genetic materials and related information, including organs, tissues, cells, blood, preparations, recombinant deoxyribonucleic acid (DNA) constructs containing human genome, genes and their products.

  Key regulatory compliance focus:
  • Collection: Complex approval procedures are required, and collection by foreign entities or individuals is restricted.
  • Localisation and storage
  • Transfer: Approval from administrative bodies is required before cross-border transfer.

Pharmaceutical Data

  Definition (The Pharmaceutical Data Management Specification (Draft for Comments)): Data from all activities in a product’s life cycle, such as R&D, production, circulation, post-marketing monitoring and evaluation.

  Key regulatory compliance focus:
  • Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.

Medical Device Data

  Definition (The Guidelines for Technical Review of Network Security Registration for Medical Devices): Health care data and device data.

  Key regulatory compliance focus:
  • Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.

Medical Records

  Definition (The Regulations for Medical Institutions on Medical Records Management): All texts, symbols, graphics, images and slides produced in medical activities by medical personnel, including outpatient (emergency) and hospitalisation medical records. Medical records are filed as medical history.

  Key regulatory compliance focus:
  • Collection: Consent from the data subject is required.
  • Transfer: Medical institutions should keep records strictly confidential except under specific circumstances.

Scientific Data

  Definition (The Measures for the [...]


2018 Digital Health Data Developments – Navigating Change in 2019

Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report.

  1. EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their operations and take heed of any GDPR obligations, including, but not limited to, enhanced notice and consent requirements and data subject rights, as well as obligations to execute GDPR-compliant contracts with vendors processing personal data on their behalf.
  2. California passes groundbreaking data privacy law. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will regulate the collection, use and disclosure of personal information pertaining to California residents by for-profit businesses – even those that are not based in California – that meet one or more revenue or volume thresholds. Similar in substance to the GDPR, the CCPA gives California consumers more visibility and control over their personal information. The CCPA will affect clinical and other scientific research activities of academic medical centers and other research organizations in the United States if the research involves information about California consumers.
  3. US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) continues aggressive HIPAA enforcement. OCR announced 10 enforcement actions and collected approximately $25.68 million in settlements and civil money penalties from HIPAA-regulated entities in 2018. OCR also published two pieces of guidance and one tool for organizations navigating HIPAA compliance challenges in the digital health space.
  4. Interoperability and the flow of information in the health care ecosystem continues to be a priority. The Office of the National Coordinator for Health Information Technology (ONC) submitted its proposed rule to implement various provisions of the 21st Century Cures Act to the Office of Management and Budget (OMB) in September 2018; this is one of the final steps before a proposed rule is published in the Federal Register and public comment period opens. The Centers for Medicare & Medicaid Services (CMS) released its own interoperability proposed rule and finalized changes to the Promoting Interoperability (PI) programs to reduce burden and emphasize interoperability of inpatient prospective payment systems and long-term care hospital prospective payment systems.


GDPR 6 Months After Implementation: Where are We Now?

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. Almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.

The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).

The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).


Live Digital Health Webinar Series – Part 3: Leveraging Digital Health Solutions in Research

Join us on November 8, 2018, for the third installment of McDermott’s live webinar series on digital health. In this installment, partners Bernadette M. Broccolo, Jiayan Chen and Vernessa T. Pollard will explore opportunities for accelerating biomedical research, development and commercialization through digital health tools and solutions, such as end-user license agreements (EULAs), wearables and mobile apps, telemedicine, and big data exchange and analytics. They will discuss tactics for overcoming challenges related to these new approaches, as well as evolving compliance issues, including:

  • Privacy and security
  • Human subject protection
  • The US Food and Drug Administration pre-market approval regime

They will also review alternative compliance and contracting strategies for managing risk while capturing opportunity from the perspective of key stakeholders, such as sponsors, investigators, research sites and digital health developers.
