Privacy and Data Security

Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report.

  1. EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their operations and take heed of any GDPR obligations, including, but not limited to, enhanced notice and consent requirements and data subject rights, as well as obligations to execute GDPR-compliant contracts with vendors processing personal data on their behalf.
  2. California passes groundbreaking data privacy law. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will regulate the collection, use and disclosure of personal information pertaining to California residents by for-profit businesses – even those that are not based in California – that meet one or more revenue or volume thresholds. Similar in substance to the GDPR, the CCPA gives California consumers more visibility and control over their personal information. The CCPA will affect clinical and other scientific research activities of academic medical centers and other research organizations in the United States if the research involves information about California consumers.
  3. US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) continues aggressive HIPAA enforcement. OCR announced 10 enforcement actions and collected approximately $25.68 million in settlements and civil money penalties from HIPAA-regulated entities in 2018. OCR also published two pieces of guidance and one tool for organizations navigating HIPAA compliance challenges in the digital health space.
  4. Interoperability and the flow of information in the health care ecosystem continue to be a priority. The Office of the National Coordinator for Health Information Technology (ONC) submitted its proposed rule to implement various provisions of the 21st Century Cures Act to the Office of Management and Budget (OMB) in September 2018; this is one of the final steps before a proposed rule is published in the Federal Register and the public comment period opens. The Centers for Medicare & Medicaid Services (CMS) released its own interoperability proposed rule and finalized changes to the Promoting Interoperability (PI) programs to reduce burden and emphasize interoperability of inpatient prospective payment systems and long-term care hospital prospective payment systems.

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. Almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.

The GDPR uses other terms that are not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over personal data and determines how and why to process it. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual to whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).

The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).

Continue Reading: GDPR 6 Months After Implementation: Where are We Now?

The Internal Revenue Service and the Security Summit partners recently issued a news release outlining the “Security Six,” a list of essential steps to protect stored employee information on networks and computers. Employee benefits professionals, including those who administer welfare and retirement plans for employees and beneficiaries, should review and implement the “Security Six” in order to protect sensitive data from cyberattacks.


We would also like to thank law clerk Charnae Supplee for contributing to this article.

In the newest episode of the Of Digital Interest podcast, McDermott Digital Health partners, Lisa Schmitz Mazur and Dale Van Demark, share their perspectives on these questions and the various barriers, risks and opportunities associated with the rise of telemedicine and other technological advancements in health care delivery.

Access this episode at www.mwe.com/mcdermottdigitalhealth or subscribe to the podcast on iTunes, Pocket Casts or SoundCloud.

What if you didn’t have to take time out of your day to see a physician in person when you needed a prescription? What if a diagnosis could be delivered over video chat? What if your psychiatrist was available at the press of a button or swipe on your screen?

These options are fast becoming a reality, as telehealth (or telemedicine) continues to take hold in a health care system that is desperate for increased efficiency and higher quality outcomes. And while telehealth offers exciting new possibilities in terms of convenience and access for patients, it also poses new regulatory challenges for industry stakeholders still learning the new rules of the game in today’s digital health ecosystem.

The Chronic Care Act

One of the biggest drivers of change in the industry right now is the Chronic Care Act. Last month, as part of the House and Senate budget deal to fund the government through March 23, legislators included the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act of 2017, which will increase reimbursement for a lot of different telemedicine programs.

For example, if you went to a rural hospital and they didn’t have a stroke neurologist and you were having a stroke, you would have an ED doctor with no stroke specialty diagnosing you—not an ideal situation. With telemedicine, it’s now possible for rural doctors to consult with specialty doctors at renowned sites, which the government will fund thanks to the Chronic Care Act.

Continue Reading: Telehealth and the Changing Regulatory Landscape: Opportunities and Challenges in the Digital Health Ecosystem

McDermott’s Benefits Emerging Leaders Working Group provides benefit professionals with tools to better serve employees in an ever-changing and evolving benefits landscape.

Presentations will tackle the latest benefits hot topics and best practice solutions, supplemented with important networking opportunities aimed to connect tomorrow’s benefit leaders with a broad network of professionals.

Planned agenda topics include:

  • What’s Happening in Washington?
  • Lessons from an RFP
  • Lunch Discussion: Changing Behavior through Benefits Communication
  • Global Benefit Plans
  • Moderated Group Discussion (including Voluntary Benefits)


Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.

We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.


As the Federal Communications Commission repeals the Open Internet Order—more commonly known as the net-neutrality rules—health care consumers and providers have been left wondering how this change will affect their ability to receive and deliver health care using digital health tools. In this On the Subject, we outline how changes in internet access will affect digital health and what the regulatory landscape will look like in the coming months and years.


Whilst 2017 was anticipated to be a fairly static year for UK employment law, that did not in fact prove to be the case, and there were various notable developments. To a large degree, 2018 is likely to be defined by the ongoing Brexit negotiations and the passage of the EU Withdrawal Bill, which will, amongst other things, lay the framework for the future movement of EU workers to the United Kingdom. Employers should, however, be aware of some additional key developments on the horizon.
