At a glance: data protection and management of health data in USA – Lexology


Data protection and management
What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?
‘Health data’ includes both regulated data under state and federal medical privacy laws and data that relate to the physical status of an individual protected under state privacy tort laws. To be regulated, data must be related to an identified person. However, this is changing with the passage of California, Virginia and Colorado privacy laws that trigger protections when the individual is identifiable (namely, they do not have to actually be identified). Anonymised data is data that cannot be related to either an identified or identifiable person. If it is possible to take anonymised data and ‘reverse engineer’ the characteristics of a unique person, then the data is not anonymised.
De-identified data is not anonymised data. For data to be anonymised, it must be practically impossible to associate the data with a specific person – identifiable or not.
What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?
There is no single data protection statute in the United States. The FTC may bring enforcement actions to protect consumers against unfair or deceptive practices and to enforce federal privacy and data protection regulations. Health data is generally protected at a higher level than non-health data because misuse of such data is more likely to harm the individual. These protections come from a variety of sources. The United States tends to use ‘sectoral’ or ‘context-specific’ data protection regulation. For example, health data that is processed by a doctor is protected under HIPAA. As such, the source of data protection is generally determined by the nature of the processor, not the nature of the data.
Various states have passed medical information privacy laws, some of which are more rigorous than the federal HIPAA rules. Generally, these differ from HIPAA in how they define ‘covered entities’ and the conduct that requires disclosure and authorisation, but not in how they define health data versus protected health information. Similarly, many states have updated their security breach notice laws to include an affirmative obligation to provide reasonable security for any data collected about an individual. This would also include health data.
In addition to medical data-specific laws, five states have passed omnibus privacy laws that now include medical information as part of the larger scope of protected data. California now considers medical-related data ‘sensitive’ and imposes additional restrictions and controls on such data beyond what the usual mini-HIPAA law requires. We are seeing this trend increasing with Utah, Virginia, Colorado and Connecticut also passing California-style laws.
Is anonymised health data subject to specific regulations or guidelines?
Generally, anonymised data is not subject to data protection regulations. However, it is difficult to have useful data that is anonymous. Usually, de-identified data is considered ‘pseudonymous’ – which is personal information but has been formatted to limit the risks to the individual. Pseudonymous data is still considered protected data, but the risks that can be attributed to the data are lower and thus the protections are fewer.
How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?
At the federal level, health data protection laws are enforced by the OCR. The OCR has enforcement authority over ‘covered entities’ and the business associates of those entities. For digital health technologies, if they are considered ‘medical devices’ then the FDA has enforcement authority. For state medical privacy laws, the usual enforcement authority is the state Attorney General. Finally, where tort law can be implicated (under either a privacy tort or a negligence per se theory) there is a private right of action for the individual. Additionally, some state laws provide a private right of action for security breaches. The fact that the data is health data would be a factor in assessing damages.
The OCR has investigated and resolved over 29,630 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, covered entities and their business associates. To date, the OCR settled or imposed a civil money penalty in 110 cases resulting in a total dollar amount of US$131,563,132.00.
There are a number of regulations and guidelines that have been developed in the ‘medical device’ space. The federal government has developed several guidance documents around the privacy and security requirements for ‘connected medical devices’ and ‘software as a medical device’.
Additionally, there are some gaps in the coverage of the federal law, based on definitions in the federal law as to who is a ‘covered entity’. States have addressed these gaps by attaching protections to the data instead of regulating the data processor. For example, Texas and California impose protections on health-related data for entities that are not traditionally considered ‘covered entities’ under federal health privacy laws.
What cybersecurity laws and best practices are relevant for digital health offerings?
Where HIPAA applies, the HIPAA Security Rule imposes specific information security obligations via a set of ‘required’ or ‘addressable’ implementation specifications. These are all based on the information security standards promulgated by the National Institute of Standards and Technology (NIST). The NIST standards are also useful where the relevant law only requires ‘reasonable security’ for health data (eg, Cal Civ Code section 1798.150, which permits recovery for a failure to implement reasonable security). Similarly, the FDA’s guidance on cybersecurity for medical devices and ‘software as a medical device’ follows the NIST set of standards.
In addition to HIPAA, FISMA imposes the NIST standards directly on any direct contractor or subcontractor to the US government. Additionally, by administrative action, several granting agencies in the US government are imposing FISMA or NIST requirements on recipients of federal grant money (eg, the National Institutes of Health).
Generally speaking, US laws are ‘outcomes-based’, are technology-agnostic and do not mandate a particular control set. However, they all require a risk assessment on the basis of which security controls are chosen and implemented. As such, it is important to give administrative and procedural controls the same priority as technological controls (eg, encryption).
Cyber insurance is only one of several risk management strategies available to a health organisation to address the risk of loss; others include data classification, data retention, employee training, strong indemnification by third-party vendors and regularly tested incident response plans. There is no one-size-fits-all policy, as each healthcare organisation is unique. With the recent and dramatic increase in malware attacks, it is likely there will be more rigorous underwriting. Most cyber insurance policies (through one or more policies) cover:
 
Some policies cover the cost of defence and remediation while others will pay out an amount for the demonstrable loss up to a limit. Not covered are:
What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?
Handling anonymised data does not require any management under the various data protection laws, as anonymised data is not ‘personal’ and thus is not protected. ‘Raw’ data almost always has metadata attached to it that makes it at least re-identifiable (if the data is not already directly identifiable). As such, raw data should be treated with a level of protection that is consistent with the various laws that address health and personal data, namely:
© Copyright 2006 – 2023 Law Business Research