compliance

Though CCPA is Now Live, Questions About Its Constitutionality Linger

As businesses have scrambled to obtain compliance with the California Consumer Privacy Act (CCPA) in recent months, questions surrounding its constitutionality have arisen. As a broad, sometimes unclear state law that imposes significant obligations on businesses around the country, CCPA may be ripe for legal challenge. The strongest bases for such challenges appear to be: (1) that CCPA violates the “Dormant Commerce Clause”; and (2) that CCPA is impermissibly vague.

Dormant Commerce Clause

The burden that CCPA imposes on out-of-state economic activity may place it in violation of the Dormant Commerce Clause, a legal doctrine created out of the Commerce Clause of the US Constitution. The Commerce Clause allows the US Congress to regulate interstate commerce; from this grant of power, courts have inferred a limitation on the authority of states to regulate interstate commerce, a doctrine coined the Dormant Commerce Clause. On this basis, courts will strike down state laws that explicitly discriminate against out-of-state actors or that regulate activity that occurs entirely outside of the state. In addition, the Dormant Commerce Clause prohibits laws that do not explicitly discriminate against out-of-state economic interests if the effect of a law is to unduly burden interstate commerce. If a state law does unduly burden out-of-state interests, a court will typically balance the burdens imposed on interstate commerce against the benefits the law creates for the state to determine whether or not the law should be upheld.


Little by Little, Attorney General Becerra Sheds Light on the CCPA in 2020

Minimal Changes Expected to the Final Regulations

On October 10, 2019, the Attorney General issued his Proposed Text of Regulations, along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons. According to the Attorney General, the regulations will “benefit the welfare of California residents because they will facilitate the implementation of many components of the CCPA” and “provid[e] clear direction to businesses on how to inform consumers of their rights and how to handle their requests.” See Notice of Proposed Rulemaking, page 10.

The deadline to submit public comments on the proposed regulations was December 6, 2019. The Office of the Attorney General (OAG) reported receiving about 1,700 pages of written comments from almost 200 parties. Despite this, the Attorney General stated in a news briefing that he does not expect the final regulations to include significant changes.

The proposed regulations should give everyone a sense of how the Attorney General will interpret the CCPA. The Attorney General is required to issue final regulations and a final Statement of Reasons at some point before July 1, 2020, which is the first day that the Attorney General can enforce the law.

Investing in Enforcement

California has invested in enforcement resources. The Attorney General stated that the CCPA will cost the state about $4.7 million for FY 2019-2020 and $4.5 million for FY 2020-2021, which reflects the cost of hiring an additional 23 full-time positions and expert consultants to enforce and defend the CCPA. See Notice of Proposed Rulemaking, page 10. Despite this additional funding, the OAG is still an agency with limited resources. Many expect that the OAG will only be able to pursue a limited number of CCPA enforcement actions, particularly if it takes on large and well-funded companies.


Three Tips for Tackling Risk in Digital Health

Digital health companies face a complicated regulatory landscape. While the opportunities for innovation and dynamic partnerships are abundant, so are the potential compliance pitfalls. In 2018 and in 2019, several digital health companies faced intense scrutiny—not only from regulatory agencies, but in some cases from their own investors. While the regulatory framework for digital technology in health care and life sciences will continue to evolve, digital health enterprises can take key steps now to mitigate risk, ensure compliance and position themselves for success.

  1. Be accurate about quality.

Ensuring that you have a high-quality product or service is only the first step; you should also be exactingly accurate in the way that you speak about your product’s quality or efficacy. Even if a product or service does not require US Food and Drug Administration clearance for making claims, you still may face substantial regulatory risk and liability if the product does not perform at the level described. As demonstrated in several recent public cases, an inaccurate statement of quality or efficacy can draw state and federal regulatory scrutiny, and carries consequences for selling your product in the marketplace and securing reimbursement.

Tech companies and non-traditional health industry players should take careful stock of the health sector’s unique requirements and liabilities in this area, as the risk is much higher in this arena than in other industries.


CMS Innovation Center Proposes Telehealth Solutions in ET3 Model

As part of its efforts to provide patient-centered care and reduce costs for Medicare beneficiaries, the Centers for Medicare and Medicaid (CMS) has developed an Innovation Center model for ambulance care teams: Emergency Triage, Treat, and Transport (ET3). As part of this model, the agency has proposed two potential telehealth offerings: 1) an individual who calls 911 may be connected to a dispatch system that has incorporated a medical triage line, to be screened for eligibility for medical triage services before an ambulance is dispatched; and 2) telehealth assistance via audiovisual communications technologies with a qualified provider once the ambulance arrives.

Key participants in the ET3 model will be Medicare-enrolled ambulance service suppliers and hospital-owned ambulance providers. In addition, to advance regional alignment, local governments, their designees or other entities that operate or have authority over one or more 911 dispatches in geographic areas where ambulance suppliers and providers have been selected to participate in the ET3 model will have an opportunity to access cooperative agreement funding. As such, both state regulations and CMS regulations will apply to the use of telehealth offerings under ET3. This post explores early-stage questions of ET3 implementation and reimbursement, the intersection of state laws governing telehealth, and what potential participants and telehealth companies should know about the program.

How will CMS support the ET3 model implementation?

The key telehealth development for the ET3 program is that CMS expects to waive the telehealth geographic and originating site rules as necessary to implement the model, including waivers that will allow participants to facilitate telehealth at the scene of a 911 response. Additional information on these waivers is expected to accompany the ET3 Request for Applications (RFA), slated for release this summer. Overall, Medicare coverage requirements provide that the patient must be in an approved originating site at the time of the telehealth visit (e.g., hospital) and must be located within a rural area. CMS has waived these two requirements for other programs, such as the SUPPORT for Patients and Communities Act (the SUPPORT Act) in October 2018, which eliminated the originating site restriction for substance use disorder treatment, because doing so is necessary for these programs to succeed.


GDPR 6 Months After Implementation: Where are We Now?

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. Almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.

The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).

The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).
