The digital health space had a strong start to 2020 with two of the industry’s largest conferences leading the conversation on what’s to come for digital health companies, deals, products and the regulatory outlook in the coming year. The Consumer Electronics Show (CES) launched its Digital Health programming track in Las Vegas this year and the J.P. Morgan Healthcare Conference continued to bring thousands of healthcare investors from numerous sectors together in San Francisco.

On this episode of the Of Digital Interest podcast, McDermott partners Sarah Hogan and Dale Van Demark share their takeaways from the conferences, where they were on the ground and moderating discussions. This episode explores:

  • The role of digital therapeutics in the digital health marketplace
  • The role of the consumer in digital health adoption
  • Forward-looking thoughts on digital health collaborations
  • The importance of data, privacy and trust for the future of digital health solutions

Click here to listen to the full episode.

On January 30, 2020, the US Department of Defense (DoD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, which is available here, with appendices available here. This highly anticipated 390-page release supersedes the prior draft versions, the last of which was released in December 2019. The DoD will begin requiring contractors to obtain certification under the CMMC later this year, giving companies in the supply chain little time to assess their obligations, identify and remediate cybersecurity weaknesses that might preclude their desired certification, retain an appropriate certification vendor and obtain the certification.

This certification process raises a host of legal considerations. For instance, the identification of cyber weaknesses requires a candid and thorough assessment that will result in a list of the areas where the contractor’s cybersecurity is lacking. This list may be critical in mitigating cyber risks, helping to plan for certification and in reducing the business risks that would result from a failed certification effort, but it also can be highly damaging from a legal risk perspective, especially in the hands of plaintiffs’ lawyers or regulators that may want to use it to support allegations of inadequate security. The same information required to support certification could be used to establish that a DoD contractor knew of risks and failed to take action.

These considerations underscore the importance of involving legal counsel in the process and taking steps to support a claim that key self-critical deliverables are protected under attorney-client and/or work-product privileges, while also ensuring that the contractor fully prepares for CMMC certification.

Why Did the DoD Create the CMMC?

The DoD created the CMMC to combat malicious cyber actors targeting intellectual property in the DoD’s supply chain, as such attacks threaten economic security and national security. The CMMC encompasses the security requirements for controlled unclassified information (CUI) specified in NIST SP 800-171 for DFARS Clause 252.204-7012 as well as the basic safeguarding requirements for federal contract information (FCI) specified in FAR Clause 52.204-22.

Continue Reading Tackling Increased Cybersecurity Requirements in the Defense Industrial Base

Throughout the past year, the healthcare and life science industries experienced a proliferation of digital health innovation that challenged traditional notions of healthcare delivery and payment, as well as product research, development and commercialization, for long-standing and new stakeholders alike. Lawmakers and regulators made meaningful progress towards modernizing the existing legal framework to both protect patients and consumers and encourage continued innovation, but these efforts still lag behind the pace of digital health innovation. As a result, some obstacles, misalignment and ambiguity remain, and 2020 will likely be another year of significant legal and regulatory change.

Click here to read our review of key developments that shaped digital health in 2019 and set the groundwork for trends in 2020.

 

The California Consumer Privacy Act (CCPA) has forced companies across the United States (and even globally) to seriously consider how they handle the personal information they collect from consumers. By its terms, however, the CCPA only protects the privacy interests of California residents; other “copy-cat” privacy laws proposed or enacted in other states similarly would only protect the rights of residents of each state. Given the burden on businesses imposed by the rapid proliferation of privacy and data protection laws, including data breach notification obligations, requirements for data transfer mechanisms imposed by international data protection laws (such as the EU General Data Protection Regulation (GDPR)), and the imposition of a variety of data subject rights, a comprehensive US federal privacy bill appears increasingly overdue.

In the past year, US legislators have proposed a wide variety of data privacy laws—none of which seems to have gained significant traction. In November 2019, two new proposals were released in the Senate: the Consumer Online Privacy Rights Act (COPRA), sponsored by Senate Democrats, and the United States Consumer Data Privacy Act of 2019 (CDPA), proposed by Senate Republicans. Both proposals require covered entities to:

Continue Reading Comprehensive Federal Privacy Law Still Pending

The California Consumer Privacy Act (CCPA) is not yet one month old, but movement has already started on a new California privacy law. In November 2019, the advocacy group Californians for Consumer Privacy, led by Alastair Mactaggart, the architect of CCPA, submitted a proposed California ballot initiative to the Office of the California Attorney General that would build upon the consumer privacy protections and requirements established by CCPA. In December 2019, as required under state law, California Attorney General Xavier Becerra released a title for and summary of the proposed ballot initiative, which will be known as the California Privacy Rights Act (CPRA).

Key Provisions of the CPRA

CPRA seeks to give California consumers additional control over and protection of their personal information in five core ways.

Continue Reading CCPA Has Just Gone Into Effect, But Businesses May Need to Prepare for a New California Privacy Law

On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA applies to a wide range of companies and broadly governs the collection, use and sale of personal information of California residents (i.e., consumers and certain other individuals) and households.

The CCPA provides that consumers may seek statutory damages of between $100 and $750, or actual damages if greater, against a company in the event of a data breach of nonredacted and nonencrypted personal information that results from the company’s failure to implement reasonable security. The amount of the statutory damages depends on factors such as the nature and seriousness of the company’s misconduct, the number of violations, the persistence of the company’s misconduct, the length of time over which the misconduct occurred, and the company’s assets, liabilities and net worth. To defend against these consumer actions, a company must show that it has implemented and maintains reasonable security procedures and practices appropriate to the nature of the personal information it is processing.

This CCPA private right of action promises to shake up the data breach class action landscape in which such actions have generally been settled for small amounts or dismissed due to lack of injury. With the CCPA, companies now face potentially staggering damages in relation to a breach. To provide some context, a data breach affecting the personal information of 1,000 California consumers may result in statutory damages ranging from $100,000 to $750,000, and a data breach affecting the personal information of one million California consumers may result in statutory damages ranging from $100 million to $750 million. These potential statutory damages dwarf almost every previous large data breach settlement in the United States.

To mitigate the risk of this increased exposure, companies need to take key steps to ensure they have implemented reasonable security procedures and practices.

What Is Reasonable Security?

Continue Reading CCPA and ‘Reasonable Security’: A Game Changer

As businesses have scrambled to obtain compliance with the California Consumer Privacy Act (CCPA) in recent months, questions surrounding its constitutionality have arisen. As a broad, sometimes unclear state law that imposes significant obligations on businesses around the country, CCPA may be ripe for legal challenge. The strongest bases for such challenges appear to be: (1) that CCPA violates the “Dormant Commerce Clause”; and (2) that CCPA is impermissibly vague.

Dormant Commerce Clause

The burden that CCPA imposes on out-of-state economic activity may place it in violation of the Dormant Commerce Clause, a legal doctrine created out of the Commerce Clause of the US Constitution. The Commerce Clause allows the US Congress to regulate interstate commerce; from this grant of power, courts have inferred a limitation on the authority of states to regulate interstate commerce, a doctrine coined the Dormant Commerce Clause. On this basis, courts will strike down state laws that explicitly discriminate against out-of-state actors or that regulate activity that occurs entirely outside of the state. In addition, the Dormant Commerce Clause prohibits laws that do not explicitly discriminate against out-of-state economic interests if the effect of a law is to unduly burden interstate commerce. If a state law does unduly burden out-of-state interests, a court will typically balance the burdens imposed on interstate commerce against the benefits the law creates for the state to determine whether or not the law should be upheld.

Continue Reading Though CCPA is Now Live, Questions About Its Constitutionality Linger

Minimal Changes Expected to the Final Regulations

On October 10, 2019, the Attorney General issued his Proposed Text of Regulations, along with a Notice of Proposed Rulemaking Action and Initial Statement of ReasonsAccording to the Attorney General, the regulations will “benefit the welfare of California residents because they will facilitate the implementation of many components of the CCPA” and “provid[e] clear direction to businesses on how to inform consumers of their rights and how to handle their requests.” See Notice of Proposed Rulemaking, page 10.

The deadline to submit public comments on the proposed regulations was December 6, 2019. The Office of the Attorney General (OAG) reported receiving about 1,700 pages of written comments from almost 200 parties. Despite this, the Attorney General stated in a news briefing that he does not expect the final regulations to include significant changes.

The proposed regulations should give everyone a sense of how the Attorney General will interpret the CCPA. The Attorney General is required to issue final regulations and a final Statement of Reasons at some point before July 1, 2020, which is the first day that the Attorney General can enforce the law.

Investing in Enforcement

California has invested in enforcement resources. The Attorney General stated that the CCPA will cost the state about $4.7 million for FY 2019-2020, and $4.5 million for FYI 2020-2021, which reflects the cost of hiring an additional 23 full-time positions and expert consultants to enforce and defend the CCPA. See Notice of Proposed Rulemaking, page 10. Despite this additional funding, the OAG is still an agency with limited resources. Many expect that the OAG will only be able to pursue a limited number of CCPA enforcement actions, particularly if it takes large on and well-funded companies.

Continue Reading Little by Little, Attorney General Becerra Sheds Light on the CCPA in 2020

On January 7, 2020, the Director of the US Office of Management and Budget (OMB) issued a Draft Memorandum (the Memorandum) to all federal “implementing agencies” regarding the development of regulatory and non-regulatory approaches to reducing barriers to the development and adoption of artificial intelligence (AI) technologies. Implementing agencies are agencies that conduct foundational research, develop and deploy AI technologies, provide educational grants, and regulate and provide guidance for applications of AI technologies, as determined by the co-chairs of the National Science and Technology Council (NSTC) Select Committee. To our knowledge, the NTSC has not yet determined which agencies are “implementing agencies” for purposes of the Memorandum.

Submission of Agency Plan to OMB

The “implementing agencies” have 180 days to submit to OMB their plans for addressing the Memorandum.

An agency’s plan must: (1) identify any statutory authorities specifically governing the agency’s regulation of AI applications as well as collections of AI-related information from regulated entities; and (2) report on the outcomes of stakeholder engagements that identify existing regulatory barriers to AI applications and high-priority AI applications that are within the agency’s regulatory authorities. OMB also requests but does not require agencies to list and describe any planned or considered regulatory actions on AI.

Principles for the Stewardship of AI Applications

The Memorandum outlines the following as principles and considerations that agencies should address in determining regulatory or non-regulatory approaches to AI:

  1. Public trust in AI. Regulatory and non-regulatory approaches to AI need to be reliable, robust and trustworthy.
  2. Public participation. The public should have the opportunity to take part in the rule-making process.
  3. Scientific integrity and information quality. The government should use scientific and technical information and processes when developing a stance on AI.
  4. Risk assessment and management.A risk assessment should be conducted before determining regulatory and non-regulatory approaches.
  5. Benefits and costs. Agencies need to consider the societal costs and benefits related to developing and using AI applications.
  6. Flexibility. Agency approaches to AI should be flexible and performance-based.
  7. Fairness and nondiscrimination. Fairness and nondiscrimination in outcomes needs to be considered in both regulatory and non-regulatory approaches.
  8. Disclosure and transparency. Agencies should be transparent. Transparency can serve to improve public trust in AI.
  9. Safety and security. Agencies should guarantee confidentiality, integrity and availability of data use by AI by ensuring that the proper controls are in place.
  10. Interagency coordination. Agencies need to work together to ensure consistency and predictability of AI-related policies.

Continue Reading US Office of Management and Budget Calls for Federal Agencies to Reduce Barriers to Artificial Intelligence

On January 6, 2020, the California State Senate’s Health Committee unanimously approved California AB 713, a bill that would amend the California Consumer Privacy Act (CCPA) to except from CCPA requirements additional categories of health information, including data de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), medical research data, personal information used for public health and safety activities, and patient information that is maintained by HIPAA business associates in the same manner as HIPAA protected health information (PHI). If enacted, the bill would simplify CCPA compliance strategies for many HIPAA-regulated entities, life sciences companies, research institutions and health data aggregators.

Exemption for HIPAA Business Associates

Presently, the CCPA does not regulate PHI that is collected by either a HIPAA covered entity or business associate.

The CCPA also exempts covered entities to the extent that they maintain patient information in the same manner as PHI subject to HIPAA. The CCPA does not, however, currently include a similar entity-based exemption for business associates.

AB 713 would add an exemption for business associates to the extent that they maintain, use and disclose patient information consistent with HIPAA requirements applicable to PHI. For example, if a business associate maintains consumer-generated health information that is not PHI, but processes the information in accordance with HIPAA requirements for PHI, then the information would not be regulated by the CCPA. While the practical import of the new exemption may be limited because business associates may not want to apply HIPAA requirements to consumer-generated health information, AB 713 offers business associates another potential exception to CCPA requirements for patient information about California consumers.

Exception for De-Identified Health Information

AB 713 would except from CCPA requirements de-identified health information when each of the following three conditions are met:

  • The information is de-identified in accordance with a HIPAA de-identification method (i.e., the safe harbor or expert determination method) at 45 CFR § 164.514(b).
  • The information is derived from PHI or “individually identifiable health information” under HIPAA, “medical information” as defined by the California Confidentiality of Medical Information Act (CMIA), or “identifiable private information” subject to the Common Rule.
  • The business (or its business associate) does not actually, or attempt to, re-identify the information.

Continue Reading California Bill Proposes CCPA Exceptions for HIPAA De-identified Information, Other Health Data