Data Transfers/Safe Harbor/Privacy Shield Archives

Data Transfers/Safe Harbor/Privacy Shield

California Bill Proposes CCPA Exceptions for HIPAA De-identified Information, Other Health Data

by Deepali Doddi and Daniel F. Gottlieb | Jan 17, 2020 | Consumer Protection, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield

On January 6, 2020, the California State Senate’s Health Committee unanimously approved California AB 713, a bill that would amend the California Consumer Privacy Act (CCPA) to except from CCPA requirements additional categories of health information, including data de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), medical research data, personal information used for public health and safety activities, and patient information that is maintained by HIPAA business associates in the same manner as HIPAA protected health information (PHI). If enacted, the bill would simplify CCPA compliance strategies for many HIPAA-regulated entities, life sciences companies, research institutions and health data aggregators.

Exemption for HIPAA Business Associates

Presently, the CCPA does not regulate PHI that is collected by either a HIPAA covered entity or business associate.

The CCPA also exempts covered entities to the extent that they maintain patient information in the same manner as PHI subject to HIPAA. The CCPA does not, however, currently include a similar entity-based exemption for business associates.

AB 713 would add an exemption for business associates to the extent that they maintain, use and disclose patient information consistent with HIPAA requirements applicable to PHI. For example, if a business associate maintains consumer-generated health information that is not PHI, but processes the information in accordance with HIPAA requirements for PHI, then the information would not be regulated by the CCPA. While the practical import of the new exemption may be limited because business associates may not want to apply HIPAA requirements to consumer-generated health information, AB 713 offers business associates another potential exception to CCPA requirements for patient information about California consumers.

Exception for De-Identified Health Information

AB 713 would except from CCPA requirements de-identified health information when each of the following three conditions are met:

The information is de-identified in accordance with a HIPAA de-identification method (i.e., the safe harbor or expert determination method) at 45 CFR § 164.514(b).
The information is derived from PHI or “individually identifiable health information” under HIPAA, “medical information” as defined by the California Confidentiality of Medical Information Act (CMIA), or “identifiable private information” subject to the Common Rule.
The business (or its business associate) does not actually, or attempt to, re-identify the information.

(more…)

Health Care Data Compliance in China: 4 Key Questions and Compliance Steps for Multinationals

by Carol B. Sun and Jenny Z.N. Chen | Jun 19, 2019 | Big Data, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield

This post was guest authored by lawyers from MWE China Law Offices, McDermott Will & Emery’s strategic alliance in Shanghai.

Data compliance in China’s health care industry is multifaceted and highly sensitive, and applies to numerous types of data generated across the continuum of care. Multiple pieces of legislation prescribe complex regulatory requirements governing different types of data, and various supervisory authorities frequently conduct inspections and investigations, paying special attention to health care multinationals with operations in China.

This article explores four key questions on the regulatory requirements for health care data in China, along with key compliance steps for multinationals throughout the entire life cycle of health care data, including collection, storage, transfer and use.

1. What types of health care data are regulated in China? What are the key compliance points related to these types of health care data?

Data compliance rules apply to various sources and types of health care data, including medical record information, medical insurance information, health care logs, human genetic resources, medical experiments and scientific data. The table below lists the various types of health care data governed by China’s laws and regulations related to health care and personal information, as well as the key regulatory compliance focus for each category.

Category Definition Key Regulatory Compliance Focus

Health Care Big Data

The Administrative Measures on Standards, Security and Services of National Healthcare Big Data (for Trial Implementation)

Data relating to health care generated in the course of disease prevention and control as well as health management

Note: the Measures do not clarify what data qualifies as health care “big” data.

Localisation and storage

Transfer: Cross-border data transfer is subject to security assessment.

Human Genetic Resources

The Interim Administrative Measures for the Management of Human Genetic Resources Genetic materials and related information, including organs, tissues, cells, blood, preparations, recombinant deoxyribonucleic acid (DNA) constructs containing human genome, genes and their products.

Collection: Complex approval procedures are required, and collection by foreign entities or individuals is restricted.

Localisation and storage

Transfer: Approval from administrative bodies is required before cross-border transfer.

Pharmaceutical Data

The Pharmaceutical Data Management Specification (Draft for Comments) Data from all activities in a product’s life cycle, such as R&D, production, circulation, post-marketing monitoring and evaluation. Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.

Medical Device Data

The Guidelines for Technical Review of Network Security Registration for Medical Devices Health care data and device data. Laws and regulations on personal information protection, health care big data protection and human genetic information protection, etc., may apply under certain circumstances.

Medical Records

The Regulations for Medical Institutions on Medical Records Management

All texts, symbols, graphics, images and slides produced in medical activities by medical personnel, including outpatient (emergency) and hospitalisation medical records.

Medical records are filed as medical history.

Collection: Consent from data subject is required.

Transfer: Medical institutions should keep records strictly confidential except under specific circumstances.

Scientific Data

The Measures for the [...]

Continue Reading

2018 Digital Health Data Developments – Navigating Change in 2019

by McDermott Will & Emery | Feb 4, 2019 | Cybersecurity, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield

Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report.

EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their operations and take heed of any GDPR obligations, including, but not limited to, enhanced notice and consent requirements and data subject rights, as well as obligations to execute GDPR-compliant contracts with vendors processing personal data on their behalf.
California passes groundbreaking data privacy law. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will regulate the collection, use and disclosure of personal information pertaining to California residents by for-profit businesses – even those that are not based in California – that meet one or more revenue or volume thresholds. Similar in substance to the GDPR, the CCPA gives California consumers more visibility and control over their personal information. The CCPA will affect clinical and other scientific research activities of academic medical centers and other research organizations in the United States if the research involves information about California consumers.
US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) continues aggressive HIPAA enforcement. OCR announced 10 enforcement actions and collected approximately $25.68 million in settlements and civil money penalties from HIPAA-regulated entities in 2018. OCR also published two pieces of guidance and one tool for organizations navigating HIPAA compliance challenges in the digital health space.
Interoperability and the flow of information in the health care ecosystem continues to be a priority. The Office of the National Coordinator for Health Information Technology (ONC) submitted its proposed rule to implement various provisions of the 21st Century Cures Act to the Office of Management and Budget (OMB) in September 2018; this is one of the final steps before a proposed rule is published in the Federal Register and public comment period opens. The Centers for Medicare & Medicaid Services (CMS) released its own interoperability proposed rule and finalized changes to the Promoting Interoperability (PI) programs to reduce burden and emphasize interoperability of inpatient prospective payment systems and long-term care hospital prospective payment systems.

Live Webinar: Developing and Procuring Digital Health AI Solutions: Advice for Developers, Purchasers and Vendors

by McDermott Will & Emery, Bernadette M. Broccolo, Dale C. Van Demark, Jeremy Earl, Jennifer S. Geetter, Jiayan Chen, Michael W. Ryan, Paul W. Radensky, MD and Vernessa T. Pollard | Jun 8, 2018 | Cybersecurity, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, General Interest, Mobile Apps, Telehealth

Join McDermott next Wednesday for a live webinar on the unique considerations in developing and procuring AI solutions for digital health applications from the perspective of various stakeholders. We will discuss the legal issues and strategies surrounding:

Research and data mapping essential to the development and validation of AI technologies
Protecting and maintaining intellectual property rights in AI solutions
Technology development
Risk management and mitigation for various contractual arrangements, including contracts with customers, vendors and users

We will also focus on the trends in US law for AI solutions in the digital health space, and present actionable advice that will help you develop an effective strategy for developing and procuring AI solutions for digital health applications.

Developing and Procuring Digital Health AI Solutions: Advice for Developers, Purchasers and Vendors
Wednesday, June 13, 2018 | 11:00 am CT | 12:00 pm ET
Register Here

The GDPR’s Effects in China: Comparison with Local Rules and Considerations for Implementation

by Jared T. Nelson and Shi Yuhang | May 31, 2018 | Consumer Protection, Cybersecurity, Data breach, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, General Interest

As Europe’s General Data Protection Regulation (GDPR) takes effect, companies around the world are racing to implement compliance measures. In parallel with the GDPR’s development, China’s new data protection framework has emerged over the past year and is in the final stages of implementing the remaining details. With similar and often overlapping obligations, full compliance with the GDPR and China’s data protection framework presents a significant new challenge for companies with operations in China.

Does the GDPR Apply to Companies in China?

The GDPR applies to the processing of personal data of people who are in the European Union, even for a controller or processor in China, where the processing of the data is related to:

The offering of goods or services to the data subjects in the European Union, regardless of whether a payment is required; or
The monitoring of people’s behavior in the European Union.

As a result, even if a Chinese company does not have any formal establishments in the European Union, the GDPR will nonetheless apply if it is conducting either of these two types of activities.

What Are the Requirements for Companies in China Subject to the GDPR?

The GDPR primarily focuses on two categories of entities: “controllers” and “processors.” These two types are similar to concepts in the Chinese rules. “Controllers” are entities that, alone or jointly with others, determine the purposes and means of the processing of personal data. “Processors” are entities that carry out the processing of personal data on behalf of the controllers.

Key requirements for most controllers under the GDPR: (more…)

Appeals Court Strikes Down Key Portions of FCC’s Onerous TCPA Rulemaking

by Daniel F. Gottlieb and Matthew L. Knowles | Mar 23, 2018 | Consumer Protection, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, Email/Spam, General Interest, Text Messaging

Last week, the US Court of Appeals for the DC Circuit issued a long-awaited decision on an omnibus challenge to the FCC’s interpretation of the TCPA. While the decision provides some relief for businesses, it does not eliminate the prospect of TCPA liability and leaves important TCPA interpretive questions unresolved. Businesses should continue to be vigilant regarding consent and opt-out procedures when sending automated text messages and automated or pre-recorded calls to consumers. Continue Reading

Digital Health Year in Review: 2017 Trends and Looking Ahead to 2018

by McDermott Will & Emery, Bernadette M. Broccolo, Dale C. Van Demark, Jennifer S. Geetter, Jiayan Chen, Lisa Mazur, Michael W. Ryan, Scott Weinstein and Vernessa T. Pollard | Jan 12, 2018 | Advertising & Marketing, Big Data, Cloud, Consumer Protection, Cybersecurity, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, Mobile Apps, Telehealth

Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.

We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.

Read the full Special Report.

Irish Court Casts Serious Doubt on EU Model Clauses

by Amy C. Pimentel, Katherine F. Froelicher, Michael G. Morgan, Mark E. Schreiber and Romain Perray | Oct 17, 2017 | Cybersecurity, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield

The validity of Model Clauses for EU personal data transfer to the United States is now in real doubt as a result of a new Irish High Court judgment stating that there are “well founded grounds” to find the Model Clauses invalid. The issue of Model Clauses as a legitimate data transfer mechanism will now be adjudicated by the European Court of Justice (ECJ), the same court that previously overturned the Safe Harbor arrangement. EU and US companies will need to consider various strategies in anticipation of this decision.

ECJ Confirms Dynamic IP Address May Constitute Personal Data But Can Be Logged to Combat Cyberattacks

by Amy C. Pimentel and Dr. Claus Färber | Oct 31, 2016 | Cybersecurity, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, General Interest

On 19 October 2016, the European Court of Justice (ECJ) held (Case C-582/14 – Breyer v Federal Republic of Germany) that dynamic IP addresses may constitute personal data. The ECJ also held that a website operator may collect and process IP addresses for the purpose of protecting itself against cyberattacks, because in the view of the Court, preventing cyberattacks may be a legitimate interest of a website operator in its effort to continue the operability of its website.

The ECJ’s ruling was based on two questions referred to it by the German Federal Court of Justice (BGH). In the underlying German proceedings, a member of the German Pirate Party challenged the German Federal Government’s logging and subsequent use of his dynamic Internet Protocol (IP) address when visiting their websites. While the government is a public authority, the case was argued on the basis of German provisions that address both public and private website operators, and is therefore directly relevant for commercial companies.

(more…)

The Privacy Shield: September 30, 2016, Deadline for Early Self-Certification Offers Compliance Opportunity and Risk

by McDermott Will & Emery, Amy C. Pimentel and Michael G. Morgan | Sep 6, 2016 | Data Privacy, Data Transfers/Safe Harbor/Privacy Shield

The European Commission recently determined that the Privacy Shield Framework is adequate to legitimize data transfers under EU law, providing a replacement for the Safe Harbor program. The Privacy Shield is designed to provide organizations on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Organizations that apply for Privacy Shield self-certification by September 30, 2016, will be granted a nine-month grace period to conform their contracts with third-party processors to the Privacy Shield’s new onward transfer requirements.

Read the full article here.