Privacy and Data Security

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. Almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.

The GDPR also uses terms that are unfamiliar to US businesses but need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual to whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).

The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).

Continue Reading GDPR 6 Months After Implementation: Where are We Now?

The Internal Revenue Service and the Security Summit partners recently issued a news release outlining the “Security Six,” a list of essential steps to protect stored employee information on networks and computers. Employee benefits professionals, including those who administer welfare and retirement plans for employees and beneficiaries, should review and implement the “Security Six” in order to protect sensitive data from cyberattacks.


We would also like to thank law clerk Charnae Supplee for contributing to this article.

In the newest episode of the Of Digital Interest podcast, McDermott Digital Health partners, Lisa Schmitz Mazur and Dale Van Demark, share their perspectives on these questions and the various barriers, risks and opportunities associated with the rise of telemedicine and other technological advancements in health care delivery.

Access this episode at www.mwe.com/mcdermottdigitalhealth or subscribe to the podcast on iTunes, Pocket Casts or SoundCloud.

What if you didn’t have to take time out of your day to see a physician in person when you needed a prescription? What if a diagnosis could be delivered over video chat? What if your psychiatrist was available at the press of a button or swipe on your screen?

These options are fast becoming a reality, as telehealth (or telemedicine) continues to take hold in a health care system that is desperate for increased efficiency and higher quality outcomes. And while telehealth offers exciting new possibilities in terms of convenience and access for patients, it also poses new regulatory challenges for industry stakeholders still learning the new rules of the game in today’s digital health ecosystem.

The Chronic Care Act

One of the biggest drivers of change in the industry right now is the Chronic Care Act. Last month, as part of the House and Senate budget deal to fund the government through March 23, legislators included the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act of 2017, which will increase reimbursement for a lot of different telemedicine programs.

For example, if you went to a rural hospital and they didn’t have a stroke neurologist and you were having a stroke, you would have an ED doctor with no stroke specialty diagnosing you—not an ideal situation. With telemedicine, it’s now possible for rural doctors to consult with specialty doctors at renowned sites, which the government will fund thanks to the Chronic Care Act.

Continue Reading Telehealth and the Changing Regulatory Landscape: Opportunities and Challenges in the Digital Health Ecosystem

McDermott’s Benefits Emerging Leaders Working Group provides benefit professionals with tools to better serve employees in an ever-changing and evolving benefits landscape.

Presentations will tackle the latest benefits hot topics and best practice solutions, supplemented with important networking opportunities aimed to connect tomorrow’s benefit leaders with a broad network of professionals.

Planned agenda topics include:

  • What’s Happening in Washington?
  • Lessons from an RFP
  • Lunch Discussion: Changing Behavior through Benefits Communication
  • Global Benefit Plans
  • Moderated Group Discussion (including Voluntary Benefits)


Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.

We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.


As the Federal Communications Commission repeals the Open Internet Order—more commonly known as the net-neutrality rules—health care consumers and providers have been left wondering how this change will affect their ability to receive and deliver health care using digital health tools. In this On the Subject, we outline how changes in internet access will affect digital health and what the regulatory landscape will look like in the coming months and years.


Whilst 2017 was anticipated to be a fairly static year for UK employment law, that did not in fact prove to be the case, and there were various notable developments. To a large degree, 2018 is likely to be defined by the ongoing Brexit negotiations and the passage of the EU Withdrawal Bill, which will, amongst other things, lay the framework for the future movement of EU workers to the United Kingdom. Employers should, however, be aware of some additional key developments on the horizon.


The Illinois Biometric Information Privacy Act is having its moment. At least 32 class action lawsuits have been filed by Illinois residents in state court in the past two months challenging the collection, use and storage of biometric data by companies in the state. This may cause a reassessment of company strategies and development of new defenses in the use of advancing biometric technology.
